Skip to content
  • Home
  • Cyber Map
  • About Us – Contact
  • Disclaimer
  • Terms and Rules
  • Privacy Policy
Cyber Web Spider Blog – News

Cyber Web Spider Blog – News

Globe Threat Map provides a real-time, interactive 3D visualization of global cyber threats. Monitor DDoS attacks, malware, and hacking attempts with geo-located arcs on a rotating globe. Stay informed with live logs and archive stats.

  • Home
  • Cyber Map
  • Cyber Security News
  • Security Week News
  • The Hacker News
  • How To?
  • Toggle search form
Security Flaw in Claude for Chrome Allows Unauthorized Access

Security Flaw in Claude for Chrome Allows Unauthorized Access

Posted on July 14, 2026 By CWS

Security researchers have discovered a vulnerability in the Claude for Chrome browser extension that allows rogue extensions to access Gmail, Google Docs, and Calendar without user consent. This flaw affects users who have enabled certain settings, potentially exposing sensitive information.

Extension Vulnerability Details

The core issue arises from the ability of other browser extensions to execute scripts on claude.ai, triggering tasks within Claude for Chrome. Despite measures taken by Anthropic to address the ClaudeBleed flaw, which restricted external prompts, the problem persists in the latest version, v1.0.80. This means that any extension capable of interacting with claude.ai can exploit this vulnerability.

In ‘ask before acting’ mode, users must approve tasks, but if ‘Act without asking’ is enabled, actions proceed without any prompts, heightening the risk of unauthorized access. Users are advised to disable ‘Act without asking’ and review permissions of extensions that can alter data on claude.ai to mitigate risks.

Mechanism of the Security Flaw

The vulnerability lies in how Claude for Chrome handles task triggers. A content script listens for clicks on specific elements and, if the task is one of the nine pre-approved ones, it sends a message to open a side panel with the task loaded. However, the script fails to verify if the click is genuine or script-generated, allowing synthetic clicks to be treated as legitimate.

Manifold Security demonstrated this exploit by crafting a code snippet that simulates a user click, which the extension erroneously accepts. This oversight can lead to unauthorized execution of tasks such as reading emails or accessing documents.

Implications and Recommendations

Anthropic has yet to release a patch to address this flaw, leaving users vulnerable to potential exploits. The company acknowledged the issue but has not indicated when a fix might be available. As of July 14, no CVE has been issued, and no formal advisory has been published by Anthropic.

For users concerned about the security of their data, disabling the ‘Act without asking’ feature and scrutinizing browser extensions with access to claude.ai is critical. Awareness and proactive management of permissions can help mitigate the risk until a permanent solution is implemented.

The ongoing vulnerability highlights the challenges in maintaining secure browser extensions, particularly when integrating with widely used services like Gmail and Google Docs. Users are encouraged to stay informed about updates and potential security advisories from credible sources.

The Hacker News Tags:Anthropic, browser extension, Chrome vulnerability, Claude for Chrome, ClaudeBleed, data protection, Gmail security, hacker news, Manifold Security, security flaw

Post navigation

Previous Post: Fortinet Addresses Vulnerabilities in Key Security Software
Next Post: Tego AI Exposes Potential Risks in Claude Tag Integration

Related Posts

Researchers Uncover NodeCordRAT Hidden in npm Bitcoin-Themed Packages Researchers Uncover NodeCordRAT Hidden in npm Bitcoin-Themed Packages The Hacker News
Vercel Data Breach, DDoS Takedown, New Android Threats Vercel Data Breach, DDoS Takedown, New Android Threats The Hacker News
Konni Hackers Deploy AI-Generated PowerShell Backdoor Against Blockchain Developers Konni Hackers Deploy AI-Generated PowerShell Backdoor Against Blockchain Developers The Hacker News
Unveiling Eight Attack Vectors in AWS Bedrock Unveiling Eight Attack Vectors in AWS Bedrock The Hacker News
CastleLoader Malware Infects 469 Devices Using Fake GitHub Repos and ClickFix Phishing CastleLoader Malware Infects 469 Devices Using Fake GitHub Repos and ClickFix Phishing The Hacker News
PureRAT Malware Spikes 4x in 2025, Deploying PureLogs to Target Russian Firms PureRAT Malware Spikes 4x in 2025, Deploying PureLogs to Target Russian Firms The Hacker News

Categories

  • Cyber Security News
  • How To?
  • Security Week News
  • The Hacker News

Recent Posts

  • Tego AI Exposes Potential Risks in Claude Tag Integration
  • Security Flaw in Claude for Chrome Allows Unauthorized Access
  • Fortinet Addresses Vulnerabilities in Key Security Software
  • Microsoft Addresses 622 Vulnerabilities, Highlights Two Zero-Days
  • Critical SAP NetWeaver Vulnerability Addressed in July Updates

Pages

  • About Us – Contact
  • Disclaimer
  • Privacy Policy
  • Terms and Rules

Archives

  • July 2026
  • June 2026
  • May 2026
  • April 2026
  • March 2026
  • February 2026
  • January 2026
  • December 2025
  • November 2025
  • October 2025
  • September 2025
  • August 2025
  • July 2025
  • June 2025
  • May 2025

Recent Posts

  • Tego AI Exposes Potential Risks in Claude Tag Integration
  • Security Flaw in Claude for Chrome Allows Unauthorized Access
  • Fortinet Addresses Vulnerabilities in Key Security Software
  • Microsoft Addresses 622 Vulnerabilities, Highlights Two Zero-Days
  • Critical SAP NetWeaver Vulnerability Addressed in July Updates

Pages

  • About Us – Contact
  • Disclaimer
  • Privacy Policy
  • Terms and Rules

Categories

  • Cyber Security News
  • How To?
  • Security Week News
  • The Hacker News

Copyright © 2026 Cyber Web Spider Blog – News.

Powered by PressBook Masonry Dark