A critical vulnerability in Anthropic's Claude browser extension could allow malicious software to trigger AI actions, potentially compromising sensitive data in Gmail, Google Docs, and Salesforce.

Key Takeaways

  • A flaw in the Claude Chrome extension allows synthetic clicks to trigger AI workflows.
  • Attackers can exploit connected services like Gmail, Google Calendar, and Salesforce.
  • The vulnerability stems from a failure to verify the 'Event.isTrusted' browser property.
  • The issue persists even in the latest version 1.0.80 of the extension.

In a significant blow to AI-driven productivity tools, a major security flaw has been identified in Anthropic's Claude Chrome browser extension. Discovered by Ax Sharma of Manifold Security, the vulnerability allows malicious browser extensions to simulate user interactions, effectively hijacking Claude's ability to perform automated tasks across various integrated platforms.

The Mechanics of the Exploit

The core of the issue lies in how the Claude extension validates user intent. In web development, browsers use a property called 'Event.isTrusted' to distinguish between a physical interaction (like a real mouse click) and a programmatic interaction (generated by JavaScript). While a human click sets this property to 'true', a script-generated click sets it to 'false'. The Claude extension, however, fails to check this property, treating synthetic, malicious clicks as legitimate user commands.

High-Stakes Implications

This is not merely a theoretical risk; the potential impact on a user's digital life is profound. If a user has granted Claude access to their workspace and enabled the 'Act without asking' setting, a malicious extension could silently execute high-level tasks. The vulnerable workflows include:

  • Gmail Integration: Reading recent emails and identifying promotional content.
  • Google Docs: Accessing and reading the latest documents and feedback.
  • Google Calendar: Reading schedules and creating unauthorized meetings.
  • Salesforce: Modifying critical business leads and converting them into opportunities.

Current Status and Mitigation

Security researchers noted that the attack requires a two-step process: a user must first be tricked into installing a malicious extension. Once installed, that extension can manipulate the 'claude.ai' domain to trigger the flaw. Despite Anthropic acknowledging the report, Manifold Security confirmed that the vulnerability remains reproducible in the latest version, 1.0.80, released in early July. Users are advised to be extremely cautious about which browser extensions they grant permission to run on sensitive domains.