Severity
High
Analysis Summary
Security researchers uncovered a critical trust-boundary vulnerability in the Anthropic “Claude in Chrome” extension that could allow attackers to fully hijack the trusted AI assistant. The flaw stems from how the extension’s manifest file handles the externally_connectable setting, which enables communication between the browser extension and the main claude.ai platform. Instead of validating the true execution context of incoming requests, the extension only verifies that requests originate from the claude.ai domain. This design oversight creates a dangerous trust boundary violation, allowing malicious JavaScript injected into the Claude page by seemingly harmless zero-permission browser extensions to gain access to privileged extension capabilities.
Researchers demonstrated that attackers could weaponize this weakness using a minimal proof-of-concept extension that required no declared permissions. Since the malicious script executes within the trusted claude.ai origin, it effectively bypasses Chrome’s native extension isolation model and inherits the same privileges as Claude itself. To exploit this access, researchers used two key bypass techniques: “approval looping,” which programmatically forged repeated user consent prompts by sending automated approval responses, and “perception manipulation,” where attackers altered visible interface elements and DOM semantics to mislead Claude’s decision-making process. For example, changing a button label from “Share” to “Request feedback” tricked the AI into performing restricted actions under false assumptions.
Once compromised, the extension turns Claude into what security experts call a “confused deputy,” meaning the AI unknowingly performs privileged actions on behalf of an attacker. According to the researchers’ demonstration, this allowed full access to highly sensitive user data, including extracting private source code from GitHub repositories, sharing restricted Google Drive documents with external users, and reading, summarizing, forwarding, or even deleting recent Gmail messages. What makes the vulnerability especially severe is that it does not require user interaction, social engineering, or complex exploit chains. A malicious extension operating silently in the background can trigger these actions automatically, exposing a major weakness in how AI-powered browser automation systems currently manage trust and permissions.
The researchers responsibly disclosed the issue to Anthropic on April 27, 2026, and Anthropic responded by releasing version 1.0.70 on May 6, introducing explicit approval prompts for browser actions. However, the researchers argue the patch only addresses visible symptoms rather than the architectural root cause. If users enable Claude’s “Act without asking” privileged mode, the vulnerability remains exploitable, and attackers may also abuse the extension’s side-panel initialization flow to create separate privileged sessions that bypass the new protections. The researchers recommend a deeper redesign of the trust model, including cryptographic extension-to-page authentication tokens, restricting externally_connectable access to verified extension IDs, and binding user approvals to one-time, non-replayable authorization flows. The incident highlights a broader security warning for the AI automation industry: accelerating convenience without enforcing strict trust boundaries can expose users’ most sensitive digital assets to catastrophic compromise.
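The following is an added illustration, not Anthropic’s code, of the two defensive changes recommended above: an externally_connectable message check that goes beyond “is the origin claude.ai” (an allow-list of extension IDs plus a session token the extension itself issued), and single-use approval nonces that defeat replayed consent. The policy values, token scheme and IDs are constructed assumptions.

```javascript
// Added illustration (not Anthropic's code): tightening the trust boundary on messages
// that reach a Chrome extension through the manifest "externally_connectable" entry.
// Manifest side, for reference: {"externally_connectable": {"matches": ["https://claude.ai/*"],
// "ids": ["<allow-listed extension id>"]}}  -- the listed ID is a placeholder.

const POLICY = {                                   // constructed sample policy
  trustedOrigin: 'https://claude.ai',
  selfExtensionId: 'self-extension-id-placeholder',
  allowedExtensionIds: new Set(['partner-extension-id-placeholder']),
  sessionTokens: new Set(),                         // tokens handed to the real web app
};

// The weak check described in the analysis: any script running in the trusted origin
// passes, including script injected into that page by an unrelated extension.
function isTrustedOriginOnly(sender, policy) {
  return sender.origin === policy.trustedOrigin;
}

// Hardened check (hypothetical scheme): another extension must be allow-listed by ID;
// a page must match the origin AND present a session token this extension issued.
function isTrustedSender(sender, message, policy) {
  if (sender.id && sender.id !== policy.selfExtensionId) {
    return policy.allowedExtensionIds.has(sender.id);
  }
  if (sender.origin !== policy.trustedOrigin) return false;
  return typeof message.sessionToken === 'string'
      && policy.sessionTokens.has(message.sessionToken);
}

// One-time approvals against "approval looping": each privileged action gets a fresh
// nonce that is consumed on first use, so a replayed or pre-forged approval is rejected.
class ApprovalRegistry {
  constructor(nonceSource = () => crypto.randomUUID()) {
    this.nonceSource = nonceSource;
    this.pending = new Map();                       // nonce -> actionId awaiting consent
  }
  issue(actionId) {                                 // call when the prompt is shown
    const nonce = this.nonceSource();
    this.pending.set(nonce, actionId);
    return nonce;
  }
  consume(actionId, nonce) {                        // call when the user's answer arrives
    if (this.pending.get(nonce) !== actionId) return false;
    this.pending.delete(nonce);                     // single use: a replay finds nothing
    return true;
  }
}
```

In the extension’s service worker the hardened check would sit inside the `chrome.runtime.onMessageExternal` listener, and `issue`/`consume` would bracket each approval prompt.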
Impact
- Sensitive Data Theft
- Security bypass
- Gain Access
Remediation
- Update immediately to the latest Claude Chrome Extension version to ensure all currently available security fixes and browser action approval mechanisms are applied.
- Disable “Act without asking” or any privileged automation mode until Anthropic fully resolves the underlying trust-boundary flaw.
- Remove unused or unknown browser extensions, even those requesting zero permissions, as they can still inject malicious scripts into trusted pages.
- Install extensions only from verified publishers and review developer reputation, update history, and permissions before installation.
- Restrict browser extension access to specific sites instead of allowing extensions to run across all websites by default.
- Regularly audit installed extensions for suspicious behavior, unexpected updates, or abandoned projects that may become attack vectors.
- Monitor access logs for Gmail, Google Drive, and GitHub to detect unauthorized sharing, downloads, or account activity.
- Enable Multi-Factor Authentication (MFA) on all connected cloud services to strengthen account-level protection.
- Use browser profiles dedicated to AI assistants to isolate Claude from sensitive corporate or personal accounts.