Severity
High
Analysis Summary
A newly disclosed vulnerability in Anthropic’s “Claude in Chrome” extension exposes a serious trust boundary violation that allows malicious browser extensions to hijack the AI assistant without requiring elevated permissions. Researchers demonstrated that a seemingly harmless, zero-permission Chrome extension could execute privileged actions through Claude by abusing the extension’s externally_connectable communication mechanism. Because the extension validates only the origin (claude.ai) and not the actual execution context, JavaScript injected into the Claude web page can send commands that are treated as trusted, effectively inheriting the AI assistant’s capabilities.
Researchers showed that the flaw could be weaponized using two key techniques. First, approval looping allowed attackers to repeatedly forge user confirmations by automatically sending responses such as “Yes, proceed,” bypassing Claude’s state-based approval prompts. Second, perception manipulation exploited the AI’s reliance on visible text and DOM structure by dynamically altering interface labels and semantics. For example, a dangerous “Share” action could be renamed to “Request feedback”, causing the AI to interpret the operation as benign and execute it on the attacker’s behalf.
Once compromised, Claude effectively becomes a “confused deputy” that performs actions using the user’s existing privileges. Researchers demonstrated the ability to extract private GitHub repositories, share restricted Google Drive documents with external accounts, and summarize, forward, or delete recent Gmail messages. Importantly, these actions did not require user interaction, phishing pages, or complex exploit chains. The attack works solely by leveraging the trusted relationship between the Claude extension and the claude.ai web origin, highlighting the broader security risks introduced by AI assistants that integrate deeply with browser workflows and cloud services.
The issue was reported to Anthropic on April 27, 2026, and version 1.0.70 was released on May 6, 2026 with additional approval prompts for browser actions. However, researchers argue that the patch is incomplete because it addresses the problem at the UI layer rather than fixing the underlying externally_connectable trust model. If the extension is configured to “Act without asking”, the vulnerability remains exploitable, and attackers may also abuse the side-panel initialization flow to create a separate privileged session that bypasses the new checks. Researcher recommends architectural remediation, including cryptographic authentication tokens between the extension and the page, restricting external connections to trusted extension IDs, and binding approvals to specific non-replayable actions to prevent similar AI-extension abuse in the future.
Impact
- Gain Access
Remediation
- Update the Claude in Chrome extension to version 1.0.70 or later, and apply future security updates as soon as they are released.
- Avoid enabling "Act without asking" (privileged mode), as it can allow attackers to execute sensitive actions without additional user approval.
- Install browser extensions only from trusted sources and regularly review installed extensions for unnecessary or suspicious add-ons.
- Remove unused or untrusted Chrome extensions to reduce the risk of malicious JavaScript interacting with trusted applications.
- Restrict browser extension deployment in enterprise environments using Chrome Enterprise policies or endpoint management solutions.
- Implement strict validation of external message senders by using cryptographic authentication tokens instead of relying solely on origin-based trust.
- Limit externally_connectable permissions to trusted extension IDs rather than broadly allowing communication based on website origins.