ClaudeBleed Vulnerability Lets Hackers Hijack Claude Chrome Extension to Steal Data
ClaudeBleed vulnerability in Claude Chrome extension allows data exfiltration via guardrail bypass.
Summary
Security researchers at LayerX discovered ClaudeBleed, a critical vulnerability in Anthropic's Claude for Chrome extension that allows attackers to hijack the AI assistant and steal private Google Drive and Gmail data. The flaw stems from improper message source validation and trust boundary violations, enabling even unprivileged extensions to execute malicious commands. Anthropic's May 6 patch remains incomplete, as researchers demonstrated additional bypass techniques including forcing privileged mode activation without user consent.
Full text
by Deeba Ahmed, May 8, 2026

Cybersecurity researchers from LayerX have found a major security flaw in the Claude for Chrome browser extension that could allow hackers to take full control of the AI assistant. They have named this vulnerability ClaudeBleed, and their research shows that even a basic extension with no special permissions can hijack Claude to steal private files and send emails without the user’s knowledge or consent.

The Root Cause of the ClaudeBleed Vulnerability

The problem started with a mistake in how the extension identifies the source of incoming messages, leading to a critical trust boundary violation. As noted by LayerX’s senior researcher Aviad Gispan, the Claude Chrome extension was set up with a setting called externally_connectable, which allowed any script running on the claude.ai website to send commands to the extension. Since the extension trusts the website and doesn’t check who is actually running the script, hackers could use a content script to feed instructions to the Claude LLM. This can turn the extension into “a confused deputy,” researchers noted, which means it performs malicious tasks, thinking the orders are coming from a trusted source.

“In its update to the extension, Anthropic left external access open but added another layer of internal security checks to prevent extensions running in ‘standard’ mode from executing remote commands. However, switching the extension to ‘privileged’ mode (without even having to notify the user or ask their permission) bypassed these checks and allowed the same remote commands to execute as before,” researchers explained.
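To make the trust-boundary point concrete, the following is an added illustration written for this article; it is not Anthropic’s extension code and not LayerX’s proof of concept. It models, as plain Node-runnable functions, a message-routing policy for an extension that exposes an externally_connectable endpoint. The `sender` objects mirror the fields Chrome hands to onMessage and onMessageExternal listeners (`id`, `url`, `origin`); the extension ID, the command names (`ping`, `setMode`, `approveAction`, `shareFile`), the `userGesture` field and the notion of “modes” are all hypothetical stand-ins. The point it demonstrates is the one the article makes: a page’s own script and a script injected into the page by another extension arrive with an identical sender shape, so an origin check alone cannot separate them, and privilege changes must therefore never be accepted over the external channel at all.

```javascript
// Added illustration (not Anthropic's or LayerX's code). Hypothetical IDs,
// command names and fields throughout.
const OWN_EXTENSION_ID = "ownextensionid000000000000000000"; // hypothetical
const TRUSTED_PAGE_ORIGINS = new Set(["https://claude.ai"]);

// Commands a web page script may legitimately trigger. Nothing that changes
// privilege level or performs account actions belongs in this set.
const EXTERNAL_ALLOWLIST = new Set(["ping", "getVersion"]);

// Commands that change the trust level of a session. These are never accepted
// from the external channel, whatever the origin says.
const PRIVILEGE_COMMANDS = new Set(["setMode", "approveAction"]);

function normalizeOrigin(sender) {
  if (sender.origin) return sender.origin;
  try { return new URL(sender.url).origin; } catch { return null; }
}

// Classify the sender. On the external channel Chrome gives the same sender
// shape to the page's own script and to a script another extension injected
// into the page, so origin alone yields "web-page" for both of them.
function classifySender(sender, channel) {
  if (channel === "internal") {
    return sender.id === OWN_EXTENSION_ID ? "own-extension" : "reject";
  }
  if (sender.id) return "other-extension"; // another extension messaging us directly
  const origin = normalizeOrigin(sender);
  if (origin && TRUSTED_PAGE_ORIGINS.has(origin)) return "web-page";
  return "reject";
}

// Decide what to do with one message; returns a structured decision so the
// result can be logged and tested rather than only acted upon.
function routeMessage(sender, channel, msg) {
  const who = classifySender(sender, channel);
  const cmd = msg && typeof msg.cmd === "string" ? msg.cmd : null;
  if (!cmd) return { decision: "deny", reason: "malformed", who };
  if (who === "own-extension") {
    // Full command set, but a privilege change still needs a user gesture that
    // the extension's own UI reports (hypothetical `userGesture` field).
    if (PRIVILEGE_COMMANDS.has(cmd) && !msg.userGesture) {
      return { decision: "deny", reason: "privilege-change-without-gesture", who };
    }
    return { decision: "allow", reason: "internal", who };
  }
  if (who === "web-page") {
    if (PRIVILEGE_COMMANDS.has(cmd)) {
      // A web-origin sender asking to change mode is the pattern worth alerting on.
      return { decision: "deny", reason: "privilege-change-from-web", who, alert: true };
    }
    if (EXTERNAL_ALLOWLIST.has(cmd)) return { decision: "allow", reason: "allowlisted", who };
    return { decision: "deny", reason: "not-allowlisted", who };
  }
  return { decision: "deny", reason: "untrusted-sender", who };
}

// Constructed sender objects. The first two are deliberately identical: from
// the extension's side, the injected script looks exactly like the page's own.
const pageScript = { url: "https://claude.ai/chat", origin: "https://claude.ai" };
const injectedScript = { url: "https://claude.ai/chat", origin: "https://claude.ai" };
const otherExtension = { id: "otherextensionid0000000000000000", url: "chrome-extension://otherextensionid0000000000000000/bg.js" };
const ownSidePanel = { id: OWN_EXTENSION_ID, url: "chrome-extension://" + OWN_EXTENSION_ID + "/sidepanel.html" };

// Stand-alone demonstration of the policy on the constructed inputs.
for (const [label, sender, channel, msg] of [
  ["page script, ping", pageScript, "external", { cmd: "ping" }],
  ["injected script, setMode", injectedScript, "external", { cmd: "setMode", mode: "privileged" }],
  ["own side panel, setMode with gesture", ownSidePanel, "internal", { cmd: "setMode", mode: "privileged", userGesture: true }],
  ["other extension, ping", otherExtension, "external", { cmd: "ping" }],
]) {
  console.log(label, "->", JSON.stringify(routeMessage(sender, channel, msg)));
}
```

The design choice worth noting is that the policy does not try to become better at telling the two claude.ai senders apart; it accepts that it cannot, and instead makes the external channel incapable of anything dangerous. A denied `setMode` arriving from a web origin is also a useful detection signal for anyone monitoring an agentic extension.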
How Hackers Bypass Security Guardrails

During the investigation, the team at LayerX showed how this could be weaponized. In one example, they created a fake extension that forced Claude to go into a user’s Google Drive, find a file named Top Secret, and share it with an external email address. They also forced the tool to summarize private messages in a Gmail inbox and delete the evidence afterward.

Then they bypassed the built-in guardrails of Claude’s LLM through approval looping, a method where they programmed the script to keep saying “Yes” until the AI accepted the command. Another trick researchers used was DOM manipulation, in which they changed the names of buttons on the screen so that the extension was tricked into clicking a Share button renamed as Request Feedback. By attacking how the extension perceives the page, they could bypass the policy enforcement that usually prevents data exfiltration.

An Incomplete Fix Leaves Users Exposed

After being notified by LayerX, Anthropic released a patch on 6 May in version 1.0.70. This update added new pop-up windows to ask for user permission. However, the LayerX team quickly found a way around them, discovering that by forcing the extension into a privileged mode, aka “Act without asking” mode, they could skip the permission screens entirely.

“In the current AI race, vendors are moving too fast and granting powerful capabilities to improve user experience, while neglecting basic security foundations and opening new opportunities for attackers. As AI agents become the norm, these structural flaws are a ticking time bomb,” Gispan noted.

The research, shared with Hackread.com, concludes that the underlying problem of origin-based trust is still there. According to researchers, hackers can still abuse the side panel initialization flow to bypass the patch and exploit the Claude for Chrome extension.
Indicators of Compromise
- vulnerability — ClaudeBleed (Claude for Chrome extension; partial fix in version 1.0.70)