Unpatched vulnerability in Claude extension for Chrome risks exposing Gmail and Calendar data
- Thảo Nguyên

- 1 hour ago
- 3 min read
The Claude extension on the Chrome browser is becoming the center of attention in the tech community as security researchers have discovered a critical vulnerability that remains unpatched. This incident could create conditions for other malicious extensions to bypass security barriers to snoop on users' emails, documents, and schedules.
Risk of personal data leakage from a support tool
The AI cybersecurity company Manifold has just issued a warning about two security vulnerabilities present in the Claude extension for Chrome. This is an "agentic browser extension" - simply understood as a smart virtual assistant that can perform actions directly on the browser on behalf of the user.

According to Manifold, although they notified Anthropic (Claude's parent company) in May, these vulnerabilities can still be exploited in the latest version. Upon successful exploitation of this weakness, another malicious extension installed on the same browser can silently trigger Claude to perform actions without any clicks or approval from the victim. From there, an attacker could easily read messages in Gmail, Google Docs documents, and events saved on the calendar.
Origin and mechanism of the vulnerability
This security issue is closely related to a similar vulnerability previously discovered, named ClaudeBleed. To resolve the old ClaudeBleed bug, Anthropic released an update to limit the commands an external website could send to Claude. This update narrowed the extension's scope of operation to a set of fixed, pre-approved tasks.
However, Manifold found a core weakness in this mechanism: the system does not verify whether the request to trigger the task actually comes from a real user's click. This means another extension could forge this interaction to deceive the system.
In default settings, the attack would be blocked by a confirmation request displayed on the screen before any sensitive action takes place. However, if the user activates the extension's higher autonomy mode, "Act without asking", an attacker can freely carry out intrusive behavior without triggering any warnings.
Structural risks and unpatched status
Furthermore, researchers at Manifold also warned about a second design flaw related to Claude's side panel. This component has the capability to automatically launch directly into the non-confirmation mode based on a parameter located right in its own URL path.
Currently, an attacker cannot directly exploit this design flaw because only the extension itself has permission to generate that URL. Nevertheless, experts emphasize this is a major structural risk. In the future, if any bug emerges that allows an external script (program code) to interfere with how this URL is constructed, the attacker would gain silent control over all of the user's linked accounts.
Eight patches still unable to completely resolve the issue
Manifold stated they reported their findings to Anthropic on May 21, right after research on the ClaudeBleed vulnerability was widely published. At that time, AI giant Anthropic explained that the list of pre-approved tasks was merely a temporary mitigation measure while waiting for a complete fix to be deployed.
However, as noted by Manifold, a total of 8 new versions have been released since the time of the report, but the aforementioned vulnerability has still not been patched, including the current latest version, 1.0.80.
The fact that critical security vulnerabilities still persist through multiple update versions is a reminder for technology users. To protect the safety of their personal data, users need to be particularly cautious when granting automated permissions to browser extensions, especially features that allow tools to act on their own without asking first.











Comments