Industry News & Leadership, May 12, 2026

Claude’s Chrome Extension Vulnerability Allows Malicious Extensions to Steal Gmail and Drive Data

Source: Cybersecurity News, archived May 12, 2026



By Abinaya, May 12, 2026

Researchers have exposed a catastrophic vulnerability hiding inside the “Claude in Chrome” extension. By weaponizing an otherwise harmless, zero-permission extension, invisible attackers can completely hijack the trusted AI assistant, transforming it into a malicious puppet that silently pillages private Gmail messages, restricted Google Drive documents, and secret GitHub repositories.

This terrifying blind spot exposes the dark side of the AI automation race, proving that when vendors recklessly stretch trust boundaries to speed things up, they leave our most sensitive digital vaults wide open to exploitation.

[Figure: Trust Boundary Violation in Claude Chrome Extension (source: Layerxsecurity)]

Claude’s Chrome Extension Vulnerability

The root cause is a systemic trust boundary violation tied to the extension’s manifest file. The extension uses the externally_connectable setting to communicate with the main claude.ai Large Language Model (LLM). However, it only verifies the origin of the request (claude.ai) rather than the actual execution context.

JavaScript running on the claude.ai page, including scripts injected by malicious extensions with no declared permissions, can execute privileged commands on Claude. Because the script runs within the trusted origin, Chrome’s security model is bypassed, and the attacker inherits the capabilities of the trusted AI assistant.

To weaponize this flaw, researchers created a minimal proof-of-concept extension that successfully bypassed Claude’s built-in guardrails using two primary techniques:

- Approval Looping: Claude enforces user confirmations for sensitive actions. Researchers bypassed this by programmatically forging user consent, repeatedly sending “Yes, proceed” to satisfy state-based confirmation prompts.
- Perception Manipulation: Claude’s decision-making relies heavily on visible text and the Document Object Model (DOM) structure. Attackers dynamically modified the UI semantics, such as renaming a “Share” button to “Request feedback,” tricking the AI’s visual perception into executing restricted actions that it believed were benign.

[Figure: Bypass: Approval Looping (source: Layerxsecurity)]

Once hijacked, the AI acts as a “confused deputy.” LayerX demonstrated that attackers could extract private GitHub source code, share restricted Google Drive documents with external users, and summarize, forward, and delete a user’s recent Gmail messages. Notably, this requires neither user interaction nor complex exploit chains.

LayerX reported the flaw to Anthropic on April 27, 2026. On May 6, 2026, Anthropic released version 1.0.70, which introduced explicit approval flows for standard browser actions. However, researchers note this patch is incomplete because it focuses on a UI-based permission layer rather than fixing the underlying externally_connectable handler.

If the extension operates in “privileged” mode (Act without asking), the vulnerability remains fully exploitable. Furthermore, attackers can abuse the side-panel initialization flow to force a separate privileged-mode session, bypassing the newly introduced security checks entirely.

To properly remediate this trust model failure, LayerX recommends implementing strict validation of external message senders rather than relying on UI-based symptoms. Recommended architectural changes include:

- Introducing extension-to-page authentication tokens, such as cryptographically signed requests, to verify sender identity.
- Restricting externally_connectable settings to trusted extension IDs rather than relying broadly on origin URLs.
- Binding user approvals strictly to specific actions using one-time tokens and non-replayable flows.
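
The approval-looping bypass and the recommendation to bind approvals to specific actions with one-time tokens, shown as an added example (not code from LayerX, Anthropic or the article): each approval is a random single-use token tied to a digest of the exact operation, so a repeated “Yes, proceed” string or a relabelled button cannot satisfy it. The action shape, function names, lifetime and the rule that only the extension's own UI can mint tokens are assumptions.

```javascript
// Added example (Node.js): action-bound, single-use approval tokens.
const { randomBytes, createHash } = require('node:crypto');

const TTL_MS = 30000;       // assumed approval lifetime
const pending = new Map();  // token -> { digest, expires }; lives only in the extension background

// Digest of the operation that will really run, never of the label shown in the page DOM.
// Hypothetical action shape: { verb, target, args } with args as an array.
function actionDigest(action) {
  const canonical = JSON.stringify([action.verb, action.target, action.args || []]);
  return createHash('sha256').update(canonical).digest('hex');
}

// Assumption: reachable only from the extension's own UI after a real user click.
function mintApproval(action, now = Date.now()) {
  const token = randomBytes(32).toString('hex');
  pending.set(token, { digest: actionDigest(action), expires: now + TTL_MS });
  return token;
}

// Called by the privileged handler immediately before it executes `action`.
function consumeApproval(token, action, now = Date.now()) {
  const entry = typeof token === 'string' ? pending.get(token) : undefined;
  if (!entry) return 'denied: unknown or already used';
  pending.delete(token);  // single use: burned on first presentation, pass or fail
  if (now > entry.expires) return 'denied: expired';
  if (entry.digest !== actionDigest(action)) return 'denied: action mismatch';
  return 'approved';
}

// Constructed scenario: the user approves reading a document, nothing else.
function demo() {
  const t0 = 1000000;
  const read = { verb: 'drive.read', target: 'doc-123', args: [] };
  const share = { verb: 'drive.share', target: 'doc-123', args: ['outsider@example.com'] };
  const first = mintApproval(read, t0);
  const second = mintApproval(read, t0);
  const stale = mintApproval(read, t0);
  return {
    forgedChatText: consumeApproval('Yes, proceed', share, t0),
    relabelledAction: consumeApproval(first, share, t0),
    burnedAfterMismatch: consumeApproval(first, read, t0),
    legitimate: consumeApproval(second, read, t0 + 5000),
    replay: consumeApproval(second, read, t0 + 6000),
    expired: consumeApproval(stale, read, t0 + TTL_MS + 1),
  };
}

console.log(demo());
```

Only the `legitimate` case is approved; a token presented for a different operation is burned rather than left available for a second attempt.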