Researchers have identified a major security flaw in the ‘Claude in Chrome’ extension, highlighting serious risks to user privacy. This vulnerability allows malicious actors to exploit the extension, potentially accessing private Gmail, Google Drive, and GitHub data. The vulnerability underscores the dangers inherent in the rapid deployment of AI technologies without adequate security checks.
Vulnerability in Claude Chrome Extension
The core issue is a breach of trust boundaries in the extension’s manifest file. The extension uses the externally_connectable setting to allow communication with the claude.ai Large Language Model (LLM), but it does not sufficiently verify the execution context of the requests it receives. Because of this oversight, malicious scripts running within the trusted domain obtain the same privileges as legitimate operations.
Researchers demonstrated this flaw by creating a proof-of-concept extension. By exploiting the extension’s design, they bypassed security features using two main techniques: approval looping and perception manipulation. These methods trick the AI into executing unauthorized actions, posing significant risks to users’ sensitive information.
Methods of Exploitation
Approval looping involves simulating user consent for sensitive actions, effectively bypassing the need for genuine user confirmations. By repeatedly sending false confirmations, attackers can manipulate the AI into believing that all actions are approved.
Perception manipulation leverages changes in UI semantics to deceive the AI’s decision-making process. By altering the appearance of interface elements, such as renaming buttons, attackers can manipulate the AI to perform unauthorized tasks.
Response and Recommendations
LayerX reported the vulnerability to Anthropic on April 27, 2026. In response, Anthropic released a new version of the extension on May 6, 2026, which added explicit approval workflows for standard browser actions. However, the patch is considered incomplete as it addresses symptoms rather than the root cause of the vulnerability.
LayerX suggests that effective remediation requires strict validation of external message senders. This includes using authentication tokens for extension-to-page communication and restricting externally_connectable settings to trusted extension IDs. These measures aim to ensure secure communication and prevent unauthorized access to sensitive data.
