Unpatched Claude for Chrome Flaw Lets Extensions Read Gmail, Calendar
Unpatched Claude for Chrome flaw allows extensions to read Gmail, Calendar data.
Summary
AI security firm Manifold reports that two vulnerabilities in Anthropic's Claude for Chrome extension, initially reported in May, remain unpatched. These flaws allow malicious browser extensions to trigger Claude into performing actions on behalf of the user without explicit consent, potentially exposing sensitive data like Gmail messages and calendar entries. The issue stems from a fix that restricted prompts but didn't properly verify user interaction, allowing other extensions to fake clicks and initiate actions, especially in the extension's 'Act without asking' mode.
Full text
AI security firm Manifold says two vulnerabilities it reported to Anthropic in May remain exploitable in the latest version of Claude for Chrome, the company’s agentic browser extension. According to Manifold, the flaws let a malicious browser extension trigger Claude into taking actions on a user’s behalf without any genuine click or approval from the victim. An attacker could exploit them to read Gmail messages, Google Docs documents, and calendar entries. The core issue is related to a fix Anthropic shipped earlier this year in response to a similar vulnerability dubbed ClaudeBleed. That update restricted which prompts an outside webpage could feed into Claude, narrowing the extension’s exposure to a fixed set of pre-approved tasks. Manifold found that the mechanism used to activate those tasks doesn’t verify whether a click actually came from a real user, meaning another extension can fake the interaction and set the process in motion. In the extension’s default setting, the attack triggers a confirmation prompt before anything sensitive happens. However, if a user has enabled the extension’s more autonomous mode (‘Act without asking’), the attacker’s action can proceed without any visible warning. Manifold also flagged a second, related design gap: a way for Claude’s side panel to launch directly into that no-confirmation mode based on a parameter in its own URL, with no user action required to unlock it. Advertisement. Scroll to continue reading. The researchers noted that this is not something an attacker can currently exploit, since only the extension itself is meant to construct that URL. But they argue it’s a structural risk, and any future bug that lets an outside script influence how that URL gets built could hand an attacker silent control over a user’s connected accounts. Manifold reported its findings to Anthropic on May 21, shortly after the public disclosure of the ClaudeBleed research. The AI giant described the list of pre-approved tasks as an initial mitigation for ClaudeBleed until a complete fix is rolled out. However, Manifold says none of the eight versions released since appear to patch the vulnerabilities, including the latest 1.0.80. SecurityWeek has reached out to Anthropic for comment. Related: ‘HalluSquatting’ Turns AI Hallucinations Into Botnet Delivery Mechanism Related: UK Government Rolls Out Agentic AI Defense Plan Alongside Industry Pledge Related: AI Coding Tools Tricked Into Hacking Developer Machine via Decades-Old Technique Written By Eduard Kovacs Eduard Kovacs (@EduardKovacs) is senior managing editor at SecurityWeek. He worked as a high school IT teacher before starting a career in journalism in 2011. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering. Daily Briefing Newsletter Subscribe to the SecurityWeek Email Briefing for the latest cybersecurity threats, trends, and expert insights. More from Eduard Kovacs Centers Laboratory Data Breach Affects 540,000 IndividualsThird US Security Expert Sentenced to Prison for Helping Ransomware GangChina, India-Linked Hackers Both Targeted Same Pakistani Police Force‘HalluSquatting’ Turns AI Hallucinations Into Botnet Delivery MechanismPalo Alto Networks Patches 13 VulnerabilitiesMicrosoft Patches Defender ‘RoguePlanet’ VulnerabilityAI Coding Tools Tricked Into Hacking Developer Machine via Decades-Old TechniqueGoogle Patches 382 Chrome Vulnerabilities Latest News 7 Severe Vulnerabilities Patched in VMware Avi Load BalancerSAP Patches Critical Vulnerabilities in NetWeaver, Approuter, Commerce CloudUS, Allies Warn of Russian Cyberattacks Targeting Critical Infrastructure RoutersValarian Raises $50 Million for Sovereign Infrastructure Control LayerMultiple Jscrambler Packages Impacted by Supply Chain AttackPentagon Suspends CMMC Phase 2 as It Rethinks Contractor Cybersecurity RulesHacker Conversations: Jesse McGraw (GhostExodus), From Blackhat Hacker to RedemptionCybersecurity M&A Roundup: 37 Deals Announced in June 2026 Trending Daily Briefing NewsletterSubscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts. Webinar: Why Email Security Keeps Failing (And What Has to Change) July 8, 2026 Join this live webinar as we break down why email-layer defenses alone can't keep pace with the modern phishing ecosystem, how agentic AI is changing the capacity equation for security teams, and more. Register Virtual Event: 2026 Cloud Security Summit July 16, 2026 This year's summit will help organizations learn how to utilize tools, controls, and design models needed to properly secure cloud environments. Interact with leading solution providers and other end users facing similar challenges in securing a variety of cloud deployments. Register People on the MoveSean Murphy has joined F5 as a Field Chief Information Security Officer - North America.CodeHunter has appointed Stephen McCarney as Chief Strategy Officer.BlueVoyant has appointed Ravi Subramanian as CFO and Jamie Coleman as CCO.More People On The MoveExpert Insights The Shift Toward Business-Aligned Risk Management Moving from isolated, technical data to a continuous risk lifecycle can help organizations align security controls with actual business consequences. (Steve Durbin) How to Conduct a Successful Audit of AI-Driven Software Development As AI-generated code becomes commonplace, CISOs need new audit strategies to measure developer practices, govern AI tool usage, and identify software risks before they reach production. (Matias Madou) Frontier AI: Six Questions Every Enterprise Should Ask Security Vendors From model selection and automation to validation and measurable results, the right questions can help enterprises separate genuine AI capabilities from marketing hype. (Joshua Goldfarb) The AI Token Costs That Can Break Cybersecurity As cybersecurity platforms embrace agentic AI, organizations must balance detection performance against the escalating costs of token consumption, deployment architecture, and AI credits. (Danelle Au) When Information Becomes the Attack Surface – Understanding AI Agent Traps From hidden content injections to cognitive state poisoning, attackers are turning trusted data sources into traps for autonomous AI. (Etay Maor) Flipboard Reddit Whatsapp Whatsapp Email