Security researchers have discovered a vulnerability in the Claude for Chrome browser extension that allows rogue extensions to access Gmail, Google Docs, and Calendar without user consent. This flaw affects users who have enabled certain settings, potentially exposing sensitive information.
Extension Vulnerability Details
The core issue arises from the ability of other browser extensions to execute scripts on claude.ai, triggering tasks within Claude for Chrome. Despite measures taken by Anthropic to address the ClaudeBleed flaw, which restricted external prompts, the problem persists in the latest version, v1.0.80. This means that any extension capable of interacting with claude.ai can exploit this vulnerability.
In ‘ask before acting’ mode, users must approve tasks, but if ‘Act without asking’ is enabled, actions proceed without any prompts, heightening the risk of unauthorized access. Users are advised to disable ‘Act without asking’ and review permissions of extensions that can alter data on claude.ai to mitigate risks.
Mechanism of the Security Flaw
The vulnerability lies in how Claude for Chrome handles task triggers. A content script listens for clicks on specific elements and, if the task is one of the nine pre-approved ones, it sends a message to open a side panel with the task loaded. However, the script fails to verify if the click is genuine or script-generated, allowing synthetic clicks to be treated as legitimate.
Manifold Security demonstrated this exploit by crafting a code snippet that simulates a user click, which the extension erroneously accepts. This oversight can lead to unauthorized execution of tasks such as reading emails or accessing documents.
Implications and Recommendations
Anthropic has yet to release a patch to address this flaw, leaving users vulnerable to potential exploits. The company acknowledged the issue but has not indicated when a fix might be available. As of July 14, no CVE has been issued, and no formal advisory has been published by Anthropic.
For users concerned about the security of their data, disabling the ‘Act without asking’ feature and scrutinizing browser extensions with access to claude.ai is critical. Awareness and proactive management of permissions can help mitigate the risk until a permanent solution is implemented.
The ongoing vulnerability highlights the challenges in maintaining secure browser extensions, particularly when integrating with widely used services like Gmail and Google Docs. Users are encouraged to stay informed about updates and potential security advisories from credible sources.
