Data leak risks from ClaudeBleed: A critical flaw in Claude's Chrome extension
The "Claude in Chrome" browser extension, developed by Anthropic, gives users AI-driven browser automation and browsing assistance. Although still in beta, it quickly reached millions of installs. A recent analysis by the security firm LayerX, however, exposed a critical vulnerability the researchers named ClaudeBleed. The flaw can turn a trusted AI assistant into a remote control for an attacker, with direct consequences for the user's data.
How does the ClaudeBleed flaw work?
According to security researcher Aviad Gispan of LayerX, ClaudeBleed stems from a trust-boundary error. The Claude extension uses a Chrome manifest feature called externally_connectable, which lets an extension declare which web origins and which other extensions are allowed to open a messaging channel to it (via chrome.runtime.sendMessage or chrome.runtime.connect).

The core issue is that the Claude extension trusts any script running on the claude.ai origin. Chrome's externally_connectable check only establishes that a message came from a page on claude.ai; it says nothing about which script on that page sent it, so the extension cannot tell Anthropic's own code apart from code injected into the page. Consequently, a malicious extension installed in the same browser (according to LayerX, even one that declares no special permissions) can inject a script into the claude.ai page and send control commands straight to the Claude extension.
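To make the boundary concrete, the following is an added model (not Anthropic's or LayerX's code) of the message handler an externally_connectable extension runs. Command names, the sample message and the sender fields are hypothetical; what it shows is that an origin check cannot distinguish first-party from injected scripts, and that privileged actions therefore must not execute on a page message alone.

```javascript
// Added example, not Anthropic's or LayerX's code: a model of the trust
// boundary described above. An extension that lists claude.ai under
// externally_connectable receives page messages in
// chrome.runtime.onMessageExternal. Chrome fills in `sender` from the sending
// tab (origin, URL, tab id); nothing in it says which script on that page
// called chrome.runtime.sendMessage. Command names and sample values are
// hypothetical.

const TRUSTED_ORIGIN = "https://claude.ai";

// Hypothetical command table; `privileged` marks actions that reach into other
// logged-in services and must never run on a page's say-so alone.
const COMMANDS = {
  summarize_page: { privileged: false },
  share_drive_file: { privileged: true },
  send_email: { privileged: true },
};

// What the extension sees. The argument records who really sent the message
// and is deliberately not forwarded: the site's own JavaScript and a script
// injected by a rogue extension yield identical sender objects (constructed).
function senderFromPage(_realSource) {
  return { origin: TRUSTED_ORIGIN, url: "https://claude.ai/chat/abc", tab: { id: 7 } };
}

// Vulnerable handler: an origin check, then execute. Any script running on
// claude.ai can drive privileged actions.
function onMessageExternalVulnerable(message, sender, actions) {
  if (sender.origin !== TRUSTED_ORIGIN) return { status: "rejected", reason: "origin" };
  if (!(message.cmd in COMMANDS)) return { status: "rejected", reason: "unknown command" };
  actions[message.cmd](message.args);
  return { status: "executed", cmd: message.cmd };
}

// Hardened handler: the origin allowlist stays (it keeps unrelated sites out),
// but a page message is untrusted input. Non-privileged commands run;
// privileged ones are only *proposed*: they are queued as pending and must be
// confirmed through UI the page cannot touch (the extension's own side panel)
// before anything runs.
function onMessageExternalHardened(message, sender, actions, pending) {
  if (sender.origin !== TRUSTED_ORIGIN) return { status: "rejected", reason: "origin" };
  const spec = COMMANDS[message.cmd];
  if (!spec) return { status: "rejected", reason: "unknown command" };
  if (spec.privileged) {
    const id = pending.length + 1;
    pending.push({ id, cmd: message.cmd, args: message.args, from: sender.url });
    return { status: "pending", id };
  }
  actions[message.cmd](message.args);
  return { status: "executed", cmd: message.cmd };
}

// The same forged message from an injected script, against both handlers.
function demo() {
  const log = [];
  const actions = {
    summarize_page: () => { log.push("summarize"); },
    share_drive_file: (a) => { log.push(`share ${a.file} with ${a.with}`); },
    send_email: (a) => { log.push(`email ${a.to}`); },
  };
  const forged = { cmd: "share_drive_file", args: { file: "Q3-financials.docx", with: "attacker@example.com" } };
  const sender = senderFromPage("content script of a rogue extension");
  const vulnerable = onMessageExternalVulnerable(forged, sender, actions);
  const pending = [];
  const hardened = onMessageExternalHardened(forged, sender, actions, pending);
  return { vulnerable, hardened, log, pending };
}
```

Running demo() shows the vulnerable handler sharing the file immediately, while the hardened one only records a pending proposal. Moving confirmation into extension-owned UI is the shape of the side-panel authorization the page describes in the patch; it only helps if that confirmation step itself cannot be looped or spoofed, which is exactly what the bypasses below target.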
Real-world data hijacking risks
While testing the vulnerability, LayerX researchers showed that an attacker could use Claude to act deeply inside a victim's accounts. Depending on which services the victim is logged into in that browser, the hijacked assistant could be made to:
- Open Google Drive, read confidential documents, and share them with an external party.
- Compose and send emails from the victim's Gmail account to an attacker-controlled address.
- Read and exfiltrate source code from private GitHub repositories.
- Read and summarise the last five inbox emails, exfiltrate the summary by email, and then delete the sent message to cover its tracks.
Bypassing AI security guardrails
Ordinarily, the Claude extension has built-in safeguards that require explicit user approval before sensitive tasks such as sending an email or accessing an external service. The researchers found two techniques that neutralise these layers:
- Approval looping: the malicious code repeatedly re-issues the confirmation request. Because Claude's approval system is state-based rather than intent-based (it records that the user approved, not precisely what was approved), the relentless repetition eventually gets the pending action executed.
- UI (DOM) manipulation: because Claude's safety decisions depend heavily on reading and interpreting the visible page, the researchers altered the page so that what the AI saw did not match what would happen. For instance, they relabelled a "Share" button as "Request Feedback". A command to click "Request Feedback" looked benign, yet the click triggered external sharing of confidential files.
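The two bypasses come down to what an approval is bound to. Below is an added example (not Anthropic's or LayerX's code, and not a description of how Claude's gate is implemented) contrasting a state-based gate with an intent-based one against both tricks at once. The element shapes, command names and page labels are hypothetical.

```javascript
// Added example, not Anthropic's or LayerX's code: approval looping and DOM
// relabelling against two gate designs. Element attributes and command names
// are hypothetical.

// Minimal stand-in for a page button: `text` is what a user (or an agent
// reading the DOM) sees; the other attributes decide what a click really does.
function makeButton(text, attrs) {
  return { tag: "button", text, ...attrs };
}

// Resolve the real effect of a click from element semantics, not its label:
// data-action first, then form action, falling back to the visible text but
// flagging it as unverified.
function resolveAction(el) {
  if (el.dataAction) return { action: el.dataAction, verified: true };
  if (el.formAction) return { action: el.formAction, verified: true };
  return { action: el.text, verified: false };
}

// State-based gate (the weakness behind approval looping): one "yes" flips a
// flag, and everything afterwards is let through.
class StateGate {
  constructor() { this.approved = false; }
  request(_intent) {
    return { prompt: "Allow Claude to act?", ask: (answer) => { if (answer) this.approved = true; } };
  }
  allow(_intent) { return this.approved; }
}

// Intent-based gate: approval is bound to a specific (command, resolved target,
// arguments) tuple, shown to the user in resolved form, and consumed on use.
class IntentGate {
  constructor() { this.tickets = new Set(); }
  static key(intent) { return JSON.stringify([intent.cmd, intent.target, intent.args ?? null]); }
  request(intent) {
    const key = IntentGate.key(intent);
    return {
      prompt: `Allow: ${intent.cmd} -> ${intent.target} ${JSON.stringify(intent.args ?? {})}`,
      ask: (answer) => { if (answer) this.tickets.add(key); },
    };
  }
  allow(intent) {
    const key = IntentGate.key(intent);
    if (!this.tickets.has(key)) return false;
    this.tickets.delete(key); // single use: no replay, no lingering "approved" state
    return true;
  }
}

// An agent told to "click the button labelled X". The intent it submits to
// the gate carries the resolved action, not just the label.
function clickByLabel(dom, label, gate) {
  const el = dom.find((e) => e.text === label);
  if (!el) return { clicked: false, executes: null, verified: false };
  const resolved = resolveAction(el);
  const intent = { cmd: "click", target: resolved.action, args: { label } };
  return { clicked: gate.allow(intent), executes: resolved.action, verified: resolved.verified };
}

// Scenario: the page has relabelled its Share button "Request Feedback" (DOM
// manipulation) and the user has already said "yes" once to something harmless
// (the foothold approval looping relies on).
function scenario(GateClass) {
  const gate = new GateClass();
  const dom = [
    makeButton("Request Feedback", { dataAction: "share_externally", formAction: "/share" }), // relabelled Share
    makeButton("Reload", { dataAction: "reload" }),
  ];
  gate.request({ cmd: "click", target: "reload", args: { label: "Reload" } }).ask(true);
  const relabelled = { cmd: "click", target: resolveAction(dom[0]).action, args: { label: "Request Feedback" } };
  const prompt = gate.request(relabelled).prompt; // what the user would be shown
  return { ...clickByLabel(dom, "Request Feedback", gate), prompt };
}

// Even a genuine approval of the sharing action is good for exactly one use.
function approveThenReplay() {
  const gate = new IntentGate();
  const intent = { cmd: "click", target: "share_externally", args: { label: "Request Feedback" } };
  gate.request(intent).ask(true);
  return [gate.allow(intent), gate.allow(intent)];
}
```

With StateGate the earlier "yes" carries over and the relabelled button fires the share; with IntentGate the click is refused, the prompt the user would see names share_externally rather than "Request Feedback", and even an explicit approval cannot be replayed.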
Anthropic's response and patch status
This vulnerability was initially discovered in extension version 1.0.69 (released on April 22, 2026). Following LayerX's report on April 27, 2026, Anthropic released an updated version, 1.0.70, on May 6, 2026, to address the issue.
Although the update adds an explicit authorization step in the side panel for browser-interactive tasks, the researchers note that it does not fully address the root cause, the extension's over-broad trust in scripts on claude.ai.
Specifically, the extension has two modes: the default "Ask before acting" mode and a privileged "Act without asking" (autonomous) mode intended for convenience. In "Act without asking" mode the new confirmation layer never fires. Worse, the researchers report that flaws in the side panel initialization flow let an attacker switch the extension into this mode without any notice to, or consent from, the user. The trust boundary can therefore still be crossed, and the flaw remains exploitable.
Risk mitigation and self-protection steps
To limit the exposure of personal and corporate data to AI extensions like Claude, you can apply these steps right away:
4 simple steps to protect
- Enable it only on trusted sites: do not let Claude run on every website.
- Keep a human in the loop: leave the extension in the default "Ask before acting" mode, and never let it handle financial transactions or sensitive data unattended; review and confirm each step yourself.
- Stop immediately if something looks wrong: if Claude produces unusual responses or asks for unexpected permissions, disable the extension at once.
- Report it: report the behaviour so the developers can block the malicious site or extension promptly.
Individual precautions and manual checks are not enough for organizations and technology-driven businesses. Proactively preventing, detecting and containing flaws of this kind calls for a multi-layered defence.
Businesses can turn to security services from IPSIP Vietnam, notably its 24/7 SOC (Security Operations Center) service and the FlexSecure 360 multi-layered security suite for SMEs. Continuous monitoring of this kind helps surface anomalies caused by rogue software or malicious extensions early, so that incidents can be responded to in time.
ClaudeBleed is a stark reminder that in the race for productivity and automation, many AI tools have extended their trust boundaries too far and neglected fundamental security principles. For the technical details, see the original report on IT-Connect or the in-depth analysis from the research team at LayerX Security.