Anthropic’s AI-powered Claude in Chrome extension has come under scrutiny after security researchers claimed that a flaw in the tool could allow malicious Chrome extensions to exploit Claude’s browser automation capabilities. According to reports by CSO Online and LayerX researchers, the issue, dubbed “ClaudeBleed,” may allow attackers to trigger actions through Claude even with browser extensions that request little or no special permissions.
Researchers reportedly alleged the flaw could potentially be abused to access sensitive information, send emails, or interact with authenticated browser sessions across services such as Gmail, Google Drive, and GitHub.
What are Chrome extensions
Chrome extensions are small software add-ons that expand the functionality of the Chrome browser. They can add features such as password managers, ad blockers, productivity tools or AI assistants directly into browsing sessions.
What does Claude in Chrome extension do
Anthropic launched its Claude in Chrome extension earlier this year to allow Claude to interact more directly with webpages and browser workflows. The extension can assist users with tasks such as summarising webpages, helping draft content, navigating browser interfaces and automating certain actions across websites.
To perform these tasks, the extension communicates with browser pages and user sessions through Chrome’s extension framework. According to researchers, this communication mechanism is central to the reported security issue.
What is the ClaudeBleed vulnerability
According to LayerX researcher Aviad Gispan, the issue stems from how the Claude extension handles communication between scripts running on claude.ai and the extension itself.
The researchers claimed that the extension relied on Chrome’s externally_connectable feature, which allows websites or other extensions to communicate with browser extensions. However, according to LayerX, the Claude extension trusted scripts running under the claude.ai browser origin without sufficiently verifying whether those scripts genuinely came from Anthropic or had been injected by another extension.
As a result, researchers alleged that even a low-permission or zero-permission extension could potentially send commands to Claude’s internal messaging interface and gain control over select browser capabilities.
LayerX argued that this effectively weakens Chrome’s extension isolation model because an untrusted extension could leverage the permissions and access granted to Claude.
What actions did researchers take
According to the reports, researchers demonstrated multiple proof-of-concept attack scenarios to show how the flaw could potentially be abused.
These reportedly included sharing Google Drive files externally, sending emails through Gmail, extracting code from private GitHub repositories and summarising inbox messages before deleting traces afterward.
Researchers also claimed they were able to manipulate webpage elements to influence how Claude interpreted browser interfaces. According to the report, modifying buttons or hiding warning indicators within webpages could potentially make risky actions appear safe to the AI assistant.
The reports further mentioned a technique referred to as approval looping, where repeated approval prompts could allegedly weaken some of Claude’s confirmation safeguards.
Anthropic issued a patch, but researchers say concerns remain
According to LayerX, the issue was reported to Anthropic on April 27. The researchers said Anthropic responded that the issue had already been identified internally and that a fix would arrive in a future update.
Anthropic later released version 1.0.70 of the extension on May 6. According to LayerX, the update introduced additional internal security checks and approval flows intended to prevent remote command execution.
However, the researchers claimed the fix only partially addressed the issue. LayerX alleged that some attack paths may remain possible in certain operational modes, including autonomous browsing settings such as “Act without asking.”
The researchers recommended measures such as stricter extension authentication, restricting communication only to trusted extension IDs, and binding approvals to one-time actions.
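The recommendations above (trusted extension IDs, approvals bound to one-time actions) and the origin-trust problem described earlier can be sketched as a message gate. This is an added example, not code from Anthropic, LayerX or the extension itself. All names in it (TRUSTED_EXTENSION_IDS, ApprovalStore, authorize, the action fields) are hypothetical, and the extension ID is a constructed placeholder.

```javascript
// Added illustration; every identifier here is hypothetical, not from the Claude extension.
// Constructed placeholder ID, not a real extension.
const TRUSTED_EXTENSION_IDS = new Set(["aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"]);

// Canonical key so an approval covers exactly one tool + target + argument set.
function actionKey(action) {
  const args = Object.keys(action.args || {}).sort().map((k) => [k, action.args[k]]);
  return JSON.stringify([action.tool, action.targetOrigin, args]);
}

class ApprovalStore {
  constructor(ttlMs = 30000) { this.ttlMs = ttlMs; this.pending = new Map(); }
  // Assumed to be called only from extension-owned UI after the user confirms this exact action.
  grant(action, now = Date.now()) { this.pending.set(actionKey(action), now + this.ttlMs); }
  // Single use: the grant is deleted on lookup, so a replayed request finds nothing.
  consume(action, now = Date.now()) {
    const key = actionKey(action);
    const expires = this.pending.get(key);
    this.pending.delete(key);
    return expires !== undefined && now <= expires;
  }
}

// sender follows the shape of chrome.runtime.MessageSender (id for extensions, origin for pages).
function authorize(sender, action, approvals, now = Date.now()) {
  if (sender.id !== undefined) {
    // Extension-to-extension message: accept only explicitly listed IDs.
    if (!TRUSTED_EXTENSION_IDS.has(sender.id)) return { ok: false, reason: "untrusted-extension" };
  } else if (sender.origin !== "https://claude.ai") {
    return { ok: false, reason: "untrusted-origin" };
  }
  // A matching origin does not prove who authored the page script,
  // so every action still needs its own unexpired, unused approval.
  if (!approvals.consume(action, now)) return { ok: false, reason: "no-approval" };
  return { ok: true };
}

// Wiring sketch for an extension service worker (not executed here):
// chrome.runtime.onMessageExternal.addListener((msg, sender, sendResponse) =>
//   sendResponse(authorize(sender, msg.action, approvals)));
```

Because the approval is keyed to the full action and removed when checked, a request with different arguments or a repeat of an already-approved request is rejected even when it arrives from the expected origin.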
The reports also highlight broader concerns emerging around AI browser agents, especially as these tools gain deeper access to browsing sessions, authenticated accounts and cross-site automation features.