Claude for Chrome Flaw Puts Gmail at Risk From Rogue Extensions

Claude for Chrome Flaw Puts Gmail at Risk From Rogue Extensions

Claude for Chrome Flaw Puts Gmail at Risk From Rogue Extensions

Image generated via ChatGPT

Researchers say a Claude for Chrome flaw lets rogue extensions trigger Gmail, Docs, and Calendar tasks, with greater risk in unattended mode.

Écrit par
Kezia Jungco
Kezia Jungco
Jul 16, 2026

A security flaw in Anthropic’s Claude for Chrome could allow a malicious browser extension to trigger Gmail, Google Docs, and Google Calendar tasks under certain conditions.

Researchers at Manifold Security found that another extension could exploit weaknesses in how Claude for Chrome validates user interactions. Users who rely on the default approval prompts remain partially protected, but those who enabled “Act without asking” face a significantly higher risk of unauthorized account access.

The findings highlight a broader challenge for businesses adopting AI browser agents: the permissions users grant are only part of the security equation. Organizations must also consider whether other extensions can trigger those permissions without meaningful user consent.

Synthetic clicks can trigger trusted Claude tasks

The first flaw involves how Claude for Chrome determines whether a user clicked a button before launching a task.

The Hacker News said that a content script running on claude.ai listens for clicks on a specific page element. The handler checks whether the selected task appears on an approved list, but it does not verify whether the click came from a person or was generated by a script.

A malicious extension with permission to run scripts on claude.ai could create the required element and dispatch a synthetic click. Claude for Chrome would then treat the action as a genuine user request.

Anthropic had previously limited external callers to nine predefined tasks after the earlier ClaudeBleed disclosure. Three of those tasks can read Gmail, retrieve a user’s latest Google Doc and its comments, or access Google Calendar.

The restriction reduces the number of commands an attacker can trigger, but it does not answer the more important question of who initiated them.

According to Malwarebytes, Manifold Security said the flaw remained reproducible in version 1.0.80, which was released on July 7. “Eight Claude for Chrome releases later, the bypass is still six lines of JavaScript,” the researchers wrote.

Unattended mode raises the stakes

Claude for Chrome normally asks the user to approve a task before reading account data or taking action. Enabling “Act without asking” removes that checkpoint.

Manifold rated the synthetic-click flaw CVSS 7.7, or high severity, under the default configuration. The score rose to 9.6, or critical severity, when unattended mode was enabled because an approved task could run without another prompt.

CSO noted that the second finding concerns the ?skipPermissions=true URL parameter used when Claude’s side panel starts. Setting the parameter places the extension into a mode that bypasses repeated approval checks.

Researchers did not find a direct external method for controlling the parameter. However, they warned that storing a privileged state in a URL could become dangerous if another vulnerability later gave an attacker influence over that value.

Manifold recommended rejecting synthetic clicks, avoiding URL-controlled privilege changes, and strengthening authentication between the extension’s internal components. CSO reported that Anthropic did not immediately respond to its request for comment.

Advertisement

Browser agents complicate extension security

The flaws do not exploit Chrome itself. They take advantage of the authority users have already given Claude for Chrome and the extension’s inability to reliably confirm where a request originated.

For businesses, the distinction matters.

Traditional extension reviews usually focus on the permissions assigned to each tool. AI browser agents create a second path because another extension may be able to trigger an agent that already has broader access to email, documents, calendars, or logged-in business applications.

IT teams testing Claude for Chrome should disable “Act without asking,” review extensions that can read or change data on claude.ai, and limit the accounts available to browser-based AI tools. Organizations handling sensitive communications or regulated data may want to disable the beta extension until Anthropic provides a more complete fix.

Approval prompts reduce the immediate risk, but they do not fully address the underlying trust model. As AI browser agents gain access to email, documents, and business applications, organizations will increasingly need controls that verify not only what an assistant is permitted to do, but also whether a request genuinely originated from the user.

More News: Learn how hackers are exploiting Claude Code and why Anthropic’s findings could expose Australian enterprises to new security risks.

Kezia Jungco

Kezia Jungco is a technology writer and researcher specializing in artificial intelligence, data analytics, CRM software, cloud infrastructure, cybersecurity, and emerging business technologies. With more than five years of experience evaluating software platforms and technology solutions, she helps business leaders understand the tools and trends shaping the future of work. Kezia has extensive hands-on experience testing and analyzing generative AI platforms, chatbots, natural language processing (NLP) tools, CRM systems, and business software. Her work focuses on translating complex technologies into practical insights that help organizations make informed decisions about technology adoption, operational efficiency, and digital transformation. As a staff writer for TechnologyAdvice, Kezia covers AI innovation, business applications of machine learning, data-driven technologies, cloud computing, cybersecurity, and sales technology. Her background in journalism, research, and education enables her to combine rigorous analysis with clear, accessible reporting for both enterprise and consumer audiences. Kezia holds a bachelor's degree in Development Communication with a major in Development Journalism from the University of the Philippines Los Baños. She has also completed professional training in artificial intelligence, data privacy, and information security. Her work has been featured in TechnologyAdvice, TechRepublic, eWeek, Datamation, and Selling Signals, where she helps readers navigate a rapidly evolving technology landscape with practical, research-driven guidance.