1) The fact A flaw in Anthropic's Claude for Chrome browser extension allows malicious extensions to trigger predefined AI actions by simulating user clicks. Discovered by Manifold Security, the vulnerability exploits the absence of Event.isTrusted property verification — the extension accepts JavaScript-generated events as legitimate user interactions without checking whether they originated from a real human user. The flaw remains exploitable in version 1.0.80, released July 7, and was confirmed byte-identical to the v1.0.72 source code by the security researchers.
2) Context Chrome marks JavaScript-generated events with Event.isTrusted=false, while real user interactions receive true as a fundamental browser security mechanism. The Claude extension ignores this distinction entirely. An attacker needs the victim to install a malicious extension with permission to modify content on claude.ai. The extension then injects HTML elements and generates synthetic clicks that trigger nine predefined workflows including: reading Gmail to identify promotional emails and unsubscribe automatically, opening Google Docs to read comments and feedback, scanning Google Calendar to find free slots and create meetings, and modifying Salesforce leads to convert them into opportunities without user consent.
3) Analysis The impact is nuanced but significant. The flaw does not allow arbitrary prompt injection — only nine predefined tasks built into the extension's code. However, this is sufficient for real damage: a malicious extension could use Claude's authenticated OAuth access to Gmail, Google Docs, and Salesforce for enterprise data exfiltration without the user's knowledge or consent. The attack vector — requiring an already-installed malicious extension with content script permissions on claude.ai — reduces apparent severity, but the real problem is trust in Chrome's permission model: compromised or malicious extensions can hijack other extensions' capabilities without the user ever knowing. Anthropic closed the report stating they were already tracking the broader issue, yet the flaw remains exploitable in the latest browser extension version. Additionally, researchers found an internal 'skipPermissions=true' parameter that bypasses certain permission checks when launching the extension — while not independently exploitable, it expands the potential attack surface significantly.
4) What to watch • Users with "Act without asking" enabled are more vulnerable since predefined workflows execute automatically without user confirmation. • Anthropic must implement Event.isTrusted checks and additional event origin validation as a priority. • This raises broader questions about AI extension ecosystem security — not just Claude but Microsoft Copilot, Google Gemini, and similar tools integrating with cloud services. • The 'skipPermissions=true' parameter suggests the attack surface may be larger than initially reported to the public.
Source: BleepingComputer