A security flaw in Anthropic’s Claude for Chrome could allow a malicious browser extension to trigger Gmail, Google Docs, and Google Calendar tasks under certain conditions.
Researchers at Manifold Security found that another extension could exploit weaknesses in how Claude for Chrome validates user interactions. Users who rely on the default approval prompts remain partially protected, but those who enabled “Act without asking” face a significantly higher risk of unauthorized account access.
The findings highlight a broader challenge for businesses adopting AI browser agents: the permissions users grant are only part of the security equation. Organizations must also consider whether other extensions can trigger those permissions without meaningful user consent.
Synthetic clicks can trigger trusted Claude tasks
The first flaw involves how Claude for Chrome determines whether a user clicked a button before launching a task.
The Hacker News said that a content script running on claude.ai listens for clicks on a specific page element. The handler checks whether the selected task appears on an approved list, but it does not verify whether the click came from a person or was generated by a script.
A malicious extension with permission to run scripts on claude.ai could create the required element and dispatch a synthetic click. Claude for Chrome would then treat the action as a genuine user request.
Anthropic had previously limited external callers to nine predefined tasks after the earlier ClaudeBleed disclosure. Three of those tasks can read Gmail, retrieve a user’s latest Google Doc and its comments, or access Google Calendar.
The restriction reduces the number of commands an attacker can trigger, but it does not answer the more important question of who initiated them.
According to Malwarebytes, Manifold Security said the flaw remained reproducible in version 1.0.80, which was released on July 7. “Eight Claude for Chrome releases later, the bypass is still six lines of JavaScript,” the researchers wrote.
Unattended mode raises the stakes
Claude for Chrome normally asks the user to approve a task before reading account data or taking action. Enabling “Act without asking” removes that checkpoint.
Manifold rated the synthetic-click flaw CVSS 7.7, or high severity, under the default configuration. The score rose to 9.6, or critical severity, when unattended mode was enabled because an approved task could run without another prompt.
CSO noted that the second finding concerns the ?skipPermissions=true URL parameter used when Claude’s side panel starts. Setting the parameter places the extension into a mode that bypasses repeated approval checks.
Researchers did not find a direct external method for controlling the parameter. However, they warned that storing a privileged state in a URL could become dangerous if another vulnerability later gave an attacker influence over that value.
Manifold recommended rejecting synthetic clicks, avoiding URL-controlled privilege changes, and strengthening authentication between the extension’s internal components. CSO reported that Anthropic did not immediately respond to its request for comment.
Browser agents complicate extension security
The flaws do not exploit Chrome itself. They take advantage of the authority users have already given Claude for Chrome and the extension’s inability to reliably confirm where a request originated.
For businesses, the distinction matters.
Traditional extension reviews usually focus on the permissions assigned to each tool. AI browser agents create a second path because another extension may be able to trigger an agent that already has broader access to email, documents, calendars, or logged-in business applications.
IT teams testing Claude for Chrome should disable “Act without asking,” review extensions that can read or change data on claude.ai, and limit the accounts available to browser-based AI tools. Organizations handling sensitive communications or regulated data may want to disable the beta extension until Anthropic provides a more complete fix.
Approval prompts reduce the immediate risk, but they do not fully address the underlying trust model. As AI browser agents gain access to email, documents, and business applications, organizations will increasingly need controls that verify not only what an assistant is permitted to do, but also whether a request genuinely originated from the user.
More News: Learn how hackers are exploiting Claude Code and why Anthropic’s findings could expose Australian enterprises to new security risks.