DEV Community

NetSecOpsIO
NetSecOpsIO

Posted on • Originally published at cyber.netsecops.io

Unpatched Claude for Chrome Flaws Expose Gmail, Google Docs Data

Originally published on CyberNetSec.

Executive Summary

Security researchers have disclosed two unpatched vulnerabilities in the popular Claude for Chrome browser extension developed by Anthropic. The flaws can be exploited by another malicious browser extension installed by the user to gain unauthorized access to their sensitive Google Workspace data. A malicious extension could programmatically instruct the Claude extension to read Gmail messages, access Google Docs, and view Google Calendar entries without the user's direct interaction. The vulnerabilities, first reported to Anthropic in May 2026, remain present in the latest version (1.0.801.0). The issue stems from a failure to validate the origin of user actions, creating a significant data privacy risk for users of the extension.


Vulnerability Details

The core of the vulnerability lies in a broken trust boundary within the extension's design. The Claude for Chrome extension has pre-approved prompts that allow it to perform actions on behalf of the user, such as summarizing recent emails or checking calendar availability. The flaw, discovered by Manifold Security, is that the extension's click handler does not properly verify whether a command was triggered by a legitimate user click or a synthetic click generated by a script from another extension.

This creates an exploit path where:

  1. A user installs the legitimate Claude for Chrome extension.
  2. The user also installs a separate, malicious extension (e.g., a seemingly harmless theme or utility).
  3. The malicious extension, running on the claude.ai domain, can inject a script that programmatically 'clicks' one of Claude's action buttons.
  4. The Claude extension, failing to validate the click's origin, executes the corresponding privileged action, such as reading the user's Gmail inbox.

Affected Systems

  • Product: Anthropic's Claude for Chrome browser extension (version 1.0.801.0 and potentially earlier).
  • Affected Platforms: Any user of Google Chrome with this extension installed.
  • Exposed Data: Google Workspace data, including Gmail, Google Docs, and Google Calendar.

Exploitation Status

These are unpatched vulnerabilities. While there is no public evidence of active exploitation in the wild, the public disclosure of the flaw details increases the risk that threat actors may develop and deploy malicious extensions to exploit it. The risk is significantly amplified for users who have configured the Claude extension with the "Act without asking" setting, as this would allow the malicious actions to be performed silently in the background without any user-facing confirmation prompt.

Impact Assessment

A successful exploit could lead to a serious breach of personal and corporate data. An attacker could silently exfiltrate the content of sensitive emails, confidential documents, and private calendar appointments. This information could be used for corporate espionage, blackmail, or to gather intelligence for more sophisticated follow-on attacks. The vulnerability undermines the trust model of browser extensions and the AI assistant itself, turning a productivity tool into a potential surveillance vector.


Cyber Observables — Hunting Hints

Detecting this specific attack is difficult for end-users. Enterprise security teams could hunt for related activity:

Type Value Description Context
other Suspicious Chrome Extension IDs Maintain a list of known malicious or risky Chrome extensions and hunt for their presence in your environment. EDR, Browser Management Tools
network_traffic_pattern Anomalous data transfer from claude.ai If Claude is being controlled to exfiltrate data, it might result in unusual data patterns originating from its domain, though this would be hard to distinguish from normal use. Network Monitoring
log_source Google Workspace Audit Logs Look for rapid, programmatic-looking access to multiple documents or emails by the Claude service account, especially outside of user's active hours. Google Workspace Admin Console

Detection Methods

  1. Browser Extension Auditing: In an enterprise environment, use browser management tools or EDR solutions to inventory all installed Chrome extensions across the user base. Compare the installed extensions against a list of known malicious or unwanted extensions.
  2. Monitor for Risky Configurations: Identify all users who have the Claude for Chrome extension installed and have enabled the "Act without asking" feature. These users are at the highest risk and should be prioritized for mitigation.
  3. Review Workspace Logs: Analyze Google Workspace audit logs for signs of anomalous data access by the Claude service principal. A script-driven attack might access dozens of emails or documents in a few seconds, a pattern unlikely to be generated by a human user.

Remediation Steps

  1. Disable the Extension: Until a patch is released by Anthropic, the most effective remediation is to disable or uninstall the Claude for Chrome extension.
  2. Disable "Act without asking": For users who must continue using the extension, immediately disable the "Act without asking" setting. This ensures that a confirmation prompt will be displayed before any action is taken, which would alert the user to a malicious attempt.
  3. Audit Installed Extensions: All users should regularly review their installed browser extensions and remove any that are not from a highly trusted developer or are no longer needed. Be particularly suspicious of extensions that require broad permissions.

Top comments (0)