Skip to main content
CybersecurityHacking

Claude for Chrome Flaw Exposes Gmail, Google Docs to Rogue Extensions

Laptop on cluttered desk with Google Docs open, surrounded by papers and notes in a home office setting.

Manifold Security rated the immediate attack path “High” (CVSS 7.7) and the silent mode “Critical” (CVSS 9.6), and showed how six lines typed into claude.ai’s console can make the extension treat a script-made click as if a human had tapped it.

How a forged click lets another extension read your Gmail, Docs and Calendar

Anthropic’s Claude for Chrome limits external callers to nine fixed task IDs that the extension ships with. That restriction was added in May as part of a response to the earlier ClaudeBleed problem, and it means a page can no longer supply arbitrary text to Claude. But Manifold Security and a follow-up unpack by The Hacker News found the extension still accepts a script-generated click on a particular page element and treats it as a genuine user action.

The content script listens on claude.ai for a click on the #claude-onboarding-button element, reads its data-task-id attribute, and if the ID matches one of the nine allowlisted tasks sends an open_side_panel message to the extension. Three of the nine IDs are onboarding practice prompts; three drive DoorDash, Salesforce, and Zillow; the last three — usecase-gmail, usecase-gdocs, and usecase-calendar — are the ones that load tasks that read mail, the latest Google Doc and its comments, and the user’s calendar.

What the handler never checks is event.isTrusted, the browser flag that differentiates a real user click from a script-dispatched one. Manifold demonstrated the trigger by pasting six lines into the claude.ai console; logs showing isTrusted: false confirmed the click was synthetic yet honored. With that forged click, the usecase-gmail task is loaded into the side panel and — depending on the extension’s approval setting — can read account data.

The permission toggle, the silent path, and the one-line fix Manifold proposes

Claude for Chrome ships with a default “ask before acting” mode that requires an approval box between the loaded task and any actual reads. Manifold rates this configuration CVSS 7.7 High because the forged click still reaches the approval step. If a user enabled “Act without asking,” the extension runs tasks with no prompt at all; Manifold scores that mode CVSS 9.6 Critical because the same forged click runs silently.

Manifold says a one-line fix — rejecting synthetic clicks at the top of the handler — would close the immediate forged-click vector. That change, the researchers add, has not been shipped as of July 14.

The deeper URL-based flaw that removes consent after the fact

Underneath the click handler is a quieter, structurally different risk: the extension will boot the side panel into a mode that skips permission checks when the panel is loaded with ?skipPermissions=true in its URL. When that parameter is present, the panel activates skip_all_permission_checks and begins acting without asking; a red banner appears only after the privileged session is already running. In other words, the banner reports that permission checks were disabled — it does not prevent the session from starting.

At the moment, Manifold notes, that URL can only be built by the extension itself, so there is no direct remote path today. But the researchers map a plausible future regression paths — a URL-accepting message handler, a panel-building regression, or an XSS flaw in the options page — that would let a lower-privileged context set the parameter and remove the approval gate entirely. Manifold’s suggested remediation is to stop reading permission mode from the URL and always boot the panel in ask mode.

Timeline: reporting, acknowledgments and eight releases that didn’t change the vulnerable code

  • Manifold reported both issues on May 21 against v1.0.72; Anthropic acknowledged them on May 22 and then closed both reports.
  • Anthropic closed the forged-click report on the grounds that the underlying trust-boundary problem was already tracked under the earlier ClaudeBleed report, which Anthropic said “remains open pending a complete fix.”
  • Anthropic closed the URL report as “informative,” asserting the parameter is only ever set by the extension for tasks the user already told it to run unattended.
  • Manifold found the internal report marked resolved before June 9, but when they checked v1.0.80 on July 7 they found the click handler and the side-panel initialization unchanged, byte-for-byte, from v1.0.72.
  • The Hacker News pulled v1.0.80 from the Chrome Web Store (published July 7), unpacked all 90 JavaScript bundles, and confirmed the onboarding click handler fires on any matching click with no event.isTrusted guard and that the side panel reads skipPermissions from its own URL and switches into skip_all_permission_checks when set.
  • As of July 14 there was no CVE and no public advisory from Anthropic.

What this means for technologists, paid subscribers, and adversaries

  • Technologists and security teams: Manifold’s immediate mitigations are explicit and narrow — turn “Act without asking” off and review any extension with permission to read or change data on claude.ai — and the researchers propose a one-line handler change plus not reading permission mode from the URL. Those are concrete code-level fixes the extension can apply.
  • Paid Claude subscribers and end users: the extension is open to every paid Claude subscriber and Anthropic calls it a beta; users who run Claude for Chrome alongside any other extension that can run scripts on claude.ai are in scope. In default mode the forged task hits an approval box; in “Act without asking” it runs without prompting.
  • Adversaries and hostile repositories: the report underscores previously observed confused-deputy failures — LayerX’s April ClaudeBleed finding and earlier bugs that let websites inject prompts — and reminds that a hostile repository could exfiltrate developer Anthropic API keys or use another extension that can reach claude.ai to drive the assistant within its allowlisted task set and current approval mode.

Eight releases after the initial report, the boundary Manifold described — Claude accepting script-generated clicks as intent and reading permission mode from a URL — remains where it was in May. Anthropic had not published a public response as of July 14, and whether the company’s “resolved” status means a patch is coming or the residual risk is accepted “is not something anyone outside the company can tell.”

Source: The Hacker News — Researchers Say Claude for Chrome Flaw Lets Rogue Extensions Trigger Gmail Reads