Unpatched Flaws in Claude for Chrome Extension Expose User Data to Malicious Scripts
Despite previous patches and reports, the **Claude for Chrome** browser extension (v1.0.80) remains vulnerable to exploits that could allow malicious third-party extensions to access sensitive user data from **Gmail**, **Google Docs**, and **Google Calendar**. Security researchers at **Manifold Security** have detailed how a forged click mechanism and a URL parameter can bypass user consent, potentially leading to unauthorized data exposure.
Users of **Anthropic**'s **Claude for Chrome** extension are advised to exercise caution, as critical security vulnerabilities persist in the latest version (v1.0.80). These flaws could allow rogue browser extensions to hijack **Claude**'s capabilities, accessing personal data from integrated **Google** services, even after previous attempts by **Anthropic** to address similar issues.

### The Forged Click Vulnerability
The primary concern lies in a mechanism that accepts forged clicks. Following the **ClaudeBleed** flaw, **Anthropic** implemented an allowlist of nine fixed task IDs for external callers, preventing arbitrary prompt injection. However, **Manifold Security** discovered that the extension's content script, which listens for clicks on a specific element (`#claude-onboarding-button`) on `claude.ai`, fails to check the `event.isTrusted` flag. This flag distinguishes legitimate user clicks from those dispatched by scripts.
Consequently, any other extension with script execution privileges on `claude.ai` can synthesize a click on this element, setting a `data-task-id` for one of the allowlisted tasks. These tasks include `usecase-gmail`, `usecase-gdocs`, and `usecase-calendar`, which are designed to read user emails, documents, and calendar entries.
In the default "ask before acting" mode, this forged click still requires user approval, leading **Manifold Security** to assign it a **CVSS** score of 7.7 (High). However, if a user has enabled the "Act without asking" setting, the task executes silently without any prompt, elevating the risk to a critical **CVSS** score of 9.6.
### The Quieter URL Parameter Flaw
A secondary, though currently not remotely exploitable, vulnerability involves a `?skipPermissions=true` URL parameter. If this parameter is present when **Claude**'s side panel loads, it automatically enables `skip_all_permission_checks`, allowing the extension to act without explicit user consent. While a red banner warning appears, it does so after the privileged session has already begun.
Currently, only the extension itself can construct this URL. However, a future bug that exposes this parameter to a lower-privileged context could transform the forged-click attack into a fully silent data exfiltration event. **Manifold Security** suggests that a simple fix, preventing the panel from reading permission mode from the URL, would mitigate this risk.

### Unaddressed Reports and Ongoing Risk
**Manifold Security** initially reported both issues to **Anthropic** on May 21 against v1.0.72. While **Anthropic** acknowledged the reports, they subsequently closed them. The forged-click report was closed under the premise that the underlying trust-boundary issue was already being tracked under the **ClaudeBleed** report, which **Anthropic** stated "remains open pending a complete fix." The URL parameter report was marked as informative, with **Anthropic** arguing it was only set for user-approved unattended tasks.
However, a subsequent analysis of v1.0.80 (updated July 7) by **The Hacker News** confirmed that the vulnerable code for both issues remains byte-for-byte identical to the version initially reported. As of July 14, no **CVE** has been assigned to these issues, and **Anthropic** has not released a public advisory.
This situation highlights a recurring pattern, with previous flaws like **ClaudeBleed** and **Claude Code** demonstrating a "confused-deputy problem," where the extension, possessing significant authority, acts on behalf of an unauthorized caller. Given that the **Claude for Chrome** extension is still in beta and available to all paid subscribers, users are urged to review their extension permissions and, crucially, disable the "Act without asking" setting to restore the approval step for any potentially forged tasks.
