Anthropic’s Claude in Chrome extension, version 1.0.80, can still be tricked by another browser extension into launching pre-approved tasks that read Gmail, retrieve a recent Google Doc and its comments, or access Google Calendar. The practical danger is greatest for users who have enabled “Act without asking,” the setting that lets Claude carry out browser actions without prompting for every step.
The issue is not a flaw in Chrome itself, nor does it mean a random website can immediately raid a user’s inbox. According to research from Manifold Security, an attacker needs a separate extension that is already able to run a content script on claude.ai. But that condition is exactly why the finding matters to Windows users and enterprise administrators: browser extension inventories often contain dozens of tools with broad page access, and an AI agent can amplify the consequences of a single bad add-on.
TechRepublic first highlighted the report this week, while Manifold Security says it disclosed the findings to Anthropic in May. The researchers verified on July 7 that the weaknesses remained reproducible in Claude in Chrome 1.0.80, the version currently listed in the Chrome Web Store.
The core bug is a trust-boundary failure in how Claude in Chrome determines that a user has selected a task. Manifold Security found that a content script running on claude.ai listens for clicks on a particular page element and checks whether the requested task is on an allowlist. It does not, however, reliably establish that the event came from a real person using the mouse or keyboard rather than from JavaScript injected into the page.
That distinction is fundamental in browser security. A malicious extension with permission to execute code on claude.ai can construct the expected page element, assign one of the allowed task identifiers, and dispatch a synthetic click. Claude then treats the event as though its user had made the request.
The Hacker News independently examined version 1.0.80 and reported that the relevant handler lacks the browser’s usual
But a narrow menu does not make the trigger harmless when the menu includes actions involving an authenticated inbox, documents, and calendar. The central security question is not merely which actions Claude can perform; it is who is permitted to invoke them.
Manifold rated the synthetic-click issue CVSS 7.7, a high-severity score, in the default configuration. Under that mode, a forged request should still produce an approval dialog that the user must accept. That adds a meaningful obstacle, although it also creates a social-engineering opportunity: users who see frequent approval requests may approve one without recognizing that another extension initiated it.
That convenience setting is the line between a troubling bug and a potentially critical one.
With “Act without asking” enabled, Manifold says the malicious extension can cause one of the permitted tasks to run without an additional confirmation prompt. The researchers assigned the scenario a CVSS 9.6 rating. In plain terms, an attacker who has already managed to get a compatible rogue extension installed may be able to make Claude exercise access that the user deliberately granted to Claude — but never meant to grant to the attacker.
That is a different threat model from conventional malicious extensions. A rogue add-on normally needs its own permissions to inspect mail, manipulate a cloud document, or interact with a business web app. Here, the add-on can potentially borrow the authority already accumulated by an AI browser agent.
For corporate security teams, that makes standalone extension-permission reviews incomplete. A low-profile extension with access to a single site can become a launch point against a more powerful agent that has access to several services and an active login session.
The researchers did not identify a direct external path that lets a hostile extension set the parameter. Anthropic reportedly treated the report as informational on the grounds that the URL is internally constructed for tasks the user previously authorized to run unattended. That response is understandable as a description of the current reachable path, but it does not erase the architectural concern.
Encoding a privileged state in a URL creates a latent escalation route. A separate URL-construction mistake, a messaging vulnerability, or an internal component compromise could turn that design choice into an easier silent-execution chain. The Hacker News reported that the extension reads the parameter and switches into a mode described in its code as skipping all permission checks.
Security engineering is often about preventing combinations, not merely blocking the one exploit available today. The synthetic-click finding demonstrates that internal extension boundaries deserve the same rigor as network-facing APIs, especially when the component on the far side can act in logged-in cloud applications.
Organizations using Claude in Chrome on Windows endpoints should take immediate, concrete steps:
Anthropic has marketed Claude in Chrome around precisely the capabilities at issue: working across authenticated sites, handling repetitive tasks, and continuing work in the background. Until the extension can prove that a sensitive action originated with its user rather than another extension’s script, the safer operational assumption is that unattended browser agents carry the privileges of every extension around them.
The issue is not a flaw in Chrome itself, nor does it mean a random website can immediately raid a user’s inbox. According to research from Manifold Security, an attacker needs a separate extension that is already able to run a content script on claude.ai. But that condition is exactly why the finding matters to Windows users and enterprise administrators: browser extension inventories often contain dozens of tools with broad page access, and an AI agent can amplify the consequences of a single bad add-on.
TechRepublic first highlighted the report this week, while Manifold Security says it disclosed the findings to Anthropic in May. The researchers verified on July 7 that the weaknesses remained reproducible in Claude in Chrome 1.0.80, the version currently listed in the Chrome Web Store.
A scripted click can be mistaken for a human decision
The core bug is a trust-boundary failure in how Claude in Chrome determines that a user has selected a task. Manifold Security found that a content script running on claude.ai listens for clicks on a particular page element and checks whether the requested task is on an allowlist. It does not, however, reliably establish that the event came from a real person using the mouse or keyboard rather than from JavaScript injected into the page.That distinction is fundamental in browser security. A malicious extension with permission to execute code on claude.ai can construct the expected page element, assign one of the allowed task identifiers, and dispatch a synthetic click. Claude then treats the event as though its user had made the request.
The Hacker News independently examined version 1.0.80 and reported that the relevant handler lacks the browser’s usual
event.isTrusted check, a basic signal used to distinguish user-generated events from scripted ones. The exploit does not restore the broad arbitrary-command capability associated with the earlier ClaudeBleed disclosure. Anthropic’s earlier mitigation restricted external callers to nine predefined tasks.But a narrow menu does not make the trigger harmless when the menu includes actions involving an authenticated inbox, documents, and calendar. The central security question is not merely which actions Claude can perform; it is who is permitted to invoke them.
Manifold rated the synthetic-click issue CVSS 7.7, a high-severity score, in the default configuration. Under that mode, a forged request should still produce an approval dialog that the user must accept. That adds a meaningful obstacle, although it also creates a social-engineering opportunity: users who see frequent approval requests may approve one without recognizing that another extension initiated it.
“Act without asking” turns a coercion problem into silent execution
Anthropic presents Claude in Chrome as a tool that can navigate sites, click controls, fill forms, and execute multistep workflows in an authenticated browser session. Its permissions guide offers two modes: “Ask before acting,” which pauses for approval, and “Act without asking,” which allows longer-running work while reserving pauses for actions Claude decides look unsafe.That convenience setting is the line between a troubling bug and a potentially critical one.
With “Act without asking” enabled, Manifold says the malicious extension can cause one of the permitted tasks to run without an additional confirmation prompt. The researchers assigned the scenario a CVSS 9.6 rating. In plain terms, an attacker who has already managed to get a compatible rogue extension installed may be able to make Claude exercise access that the user deliberately granted to Claude — but never meant to grant to the attacker.
That is a different threat model from conventional malicious extensions. A rogue add-on normally needs its own permissions to inspect mail, manipulate a cloud document, or interact with a business web app. Here, the add-on can potentially borrow the authority already accumulated by an AI browser agent.
For corporate security teams, that makes standalone extension-permission reviews incomplete. A low-profile extension with access to a single site can become a launch point against a more powerful agent that has access to several services and an active login session.
The URL permission bypass is not the immediate exploit, but it is a warning sign
Manifold also identified a second issue involving the Claude side panel’sskipPermissions URL parameter. According to the researchers, loading the panel with that value enabled puts it into a privileged mode that skips repeated permission checks.The researchers did not identify a direct external path that lets a hostile extension set the parameter. Anthropic reportedly treated the report as informational on the grounds that the URL is internally constructed for tasks the user previously authorized to run unattended. That response is understandable as a description of the current reachable path, but it does not erase the architectural concern.
Encoding a privileged state in a URL creates a latent escalation route. A separate URL-construction mistake, a messaging vulnerability, or an internal component compromise could turn that design choice into an easier silent-execution chain. The Hacker News reported that the extension reads the parameter and switches into a mode described in its code as skipping all permission checks.
Security engineering is often about preventing combinations, not merely blocking the one exploit available today. The synthetic-click finding demonstrates that internal extension boundaries deserve the same rigor as network-facing APIs, especially when the component on the far side can act in logged-in cloud applications.
Windows administrators should treat the extension as a high-trust browser component
Claude in Chrome is available to paid Claude subscribers and remains a beta feature in Chrome. Anthropic’s own product material warns that browser automation carries unique risks and advises users to review sensitive actions. That caution is appropriate, but this incident shows why user vigilance alone cannot compensate for flawed origin and gesture validation.Organizations using Claude in Chrome on Windows endpoints should take immediate, concrete steps:
- Disable “Act without asking” or its renamed equivalent, “Skip all approvals,” for users who do not have a tightly controlled automation requirement.
- Audit every extension permitted to read or change data on claude.ai, including internally distributed productivity tools and developer extensions.
- Remove unneeded extensions from browsers used for Google Workspace administration, finance, legal work, executive communications, and other sensitive activity.
- Separate AI-assisted browser work from privileged daily browsing by using a dedicated Chrome profile and a minimally privileged account where practical.
- Watch for an Anthropic extension update that specifically addresses synthetic-event validation and the side-panel permission-state design before re-enabling unattended automation.
Anthropic has marketed Claude in Chrome around precisely the capabilities at issue: working across authenticated sites, handling repetitive tasks, and continuing work in the background. Until the extension can prove that a sensitive action originated with its user rather than another extension’s script, the safer operational assumption is that unattended browser agents carry the privileges of every extension around them.
References
- Primary source: TechRepublic
Published: 2026-07-16T16:23:01+00:00
Claude for Chrome Flaw Puts Gmail at Risk From Rogue Extensions
Researchers say a Claude for Chrome flaw lets rogue extensions trigger Gmail, Docs, and Calendar tasks, with greater risk in unattended mode.www.techrepublic.com
- Related coverage: manifold.security
ClaudeBleed Reopened: Browser Extensions Can Still Push Claude for Chrome to Read Your Gmail - Manifold Security
Two flaws in Claude for Chrome let any browser extension read a victim's Gmail, Docs, and Calendar. Reported to Anthropic in May, still live in v1.0.80. Vertical
www.manifold.security
- Official source: claude.com
Claude for Chrome | Claude by Anthropic
Bring Claude's AI assistance to your browser. Ask questions, analyze data, automate tasks, and navigate sites in Chrome. Works with Claude Code and Desktop.claude.com - Related coverage: thehackernews.com
Researchers Say Claude for Chrome Flaw Lets Rogue Extensions Trigger Gmail Reads
Claude for Chrome v1.0.80 still accepts forged clicks from other extensions, triggering Gmail, Docs, and Calendar tasks silently in hands-off mode.thehackernews.com
- Official source: support.claude.com
Claude in Chrome permissions guide | Claude Help Center
support.claude.com
- Related coverage: piunikaweb.com
Claude Chrome extension reportedly still leaves Gmail and other data exposed
A report says the Claude for Chrome extension can still be triggered by other extensions to read Gmail and access sensitive user data.
piunikaweb.com