Significant security vulnerabilities remain unaddressed in Claude for Chrome, as reported by AI security firm Manifold. These issues, identified in May, continue to pose risks in the latest release of the agentic browser extension by Anthropic.
Uncovering the Vulnerabilities
Manifold has revealed that the flaws allow malicious browser extensions to manipulate Claude into executing commands without user consent. Through these vulnerabilities, attackers may gain unauthorized access to Gmail, Google Docs, and calendar entries, exploiting the lack of user verification in the extension’s interaction process.
The vulnerabilities trace back to a previous fix aimed at a similar issue known as ClaudeBleed. This earlier update was intended to limit external webpage inputs to Claude, restricting its functions to a set of pre-approved tasks. However, the current mechanism fails to authenticate real user clicks, enabling other extensions to initiate actions deceitfully.
Potential Exploits and Risks
In its default configuration, Claude presents a confirmation prompt before any sensitive action. Nevertheless, if the extension is set to ‘Act without asking,’ attackers can bypass this prompt, proceeding without alerting the user. Additionally, Manifold identified a design flaw allowing direct activation of no-confirmation mode via a URL parameter, which poses a structural risk if future bugs emerge.
Although this aspect isn’t currently exploitable, as only the extension can construct the URL, Manifold warns that any bug permitting external script influence might give attackers unobstructed access to user accounts. Such risks underscore the importance of a comprehensive fix rather than temporary mitigations.
Response from Anthropic and Future Outlook
Manifold communicated its findings to Anthropic on May 21, following the public revelation of the ClaudeBleed issue. Anthropic acknowledged the list of pre-approved tasks as a preliminary measure until a full resolution is achieved. However, Manifold points out that none of the eight subsequent versions, including 1.0.80, have effectively addressed these vulnerabilities.
SecurityWeek has reached out to Anthropic for further comments on the situation. As the industry continues to grapple with AI-related security challenges, the need for robust and proactive measures remains critical to safeguard user data and maintain trust in AI-powered solutions.
