Claude Chrome Flaw Exposes User Data

by priyanka.patel tech editor
ClaudeBleed Vulnerability

ClaudeBleed Vulnerability

A security flaw in Anthropic’s Claude for Chrome extension allows malicious browser extensions to execute predefined AI workflows without user consent, potentially exposing Gmail, Google Docs, and calendar data. The issue, reported in May 2026 and still unresolved in the latest version, was identified by Manifold Security researcher Ax Sharma. The vulnerability centers on Claude’s failure to distinguish between genuine user interactions and synthetic clicks generated via JavaScript, according to the research. A malicious extension with access to the claude.ai domain can insert a DOM element containing a hardcoded workflow identifier and programmatically trigger it, bypassing the browser’s event.isTrusted check that normally blocks automated interactions.

Claude for Chrome Version 1.0.80

The flaw, dubbed “ClaudeBleed,” allows a sneaky browser extension to pretend to be Claude’s own website and secretly drive the Claude for Chrome extension to read user data and take actions in their accounts. This occurs because the extension cannot reliably tell the difference between a user asking for help and a malicious script asking on their behalf. Once a malicious extension can send commands to Claude as if it were the user, it can ask Claude to read Gmail, fetch Google Drive files, or clone private GitHub repositories, depending on what tools Claude for Chrome exposes. It can also have Claude send emails or manipulate documents under the user’s logged-in session, with no obvious indication that the request didn’t come from the user.

Claude for Chrome Version 1.0.80
Photo: The National CIO Review

PromptFiction Vulnerability

Manifold Security’s Ax Sharma highlighted that the code responsible for the flaw remains unchanged in the latest release, eight Claude for Chrome updates after the initial discovery. The vulnerability requires only six lines of JavaScript to exploit and remains effective in version 1.0.80, released July 7, 2026. A separate flaw allows attackers to bypass permissions by manipulating a URL parameter. If a user loads a URL containing ?skipPermissions=true, Claude enters a privileged mode without requiring a user gesture. Researchers warn it is a ticking time bomb: any future bug that lets outside code build this URL would instantly grant silent, full-account access.

Severe Vulnerability Found in Anthropic's Claude Chrome Extension

OWASP Top 10 for LLM Applications

The vulnerability was first reported in May 2026. The first flaw lives in Claude’s content script, which listens for clicks on a specific onboarding button and forwards a matching prompt to Claude’s side panel. The problem: the handler never checks whether a click is genuinely user-initiated (event.isTrusted). Any other browser extension with script access on claude.ai, a common permission, can fake a click using six lines of JavaScript, triggering Claude to execute one of nine hardcoded prompts without the user’s knowledge. These prompts aren’t harmless demos. Three of them relate to onboarding exercises: challenge-form, challenge-email, and challenge-equipment.

OWASP Top 10 for LLM Applications
Photo: Linkedin

Researchers from Oasis Security discovered a separate vulnerability, dubbed “PromptFiction,” which — when combined with a previous trio of flaws they found in Claude, dubbed “Claudy Day” — could have enabled an end-to-end attack on the targeted system, according to a report published July 15, 2026. Elad Luz, research lead at Oasis, wrote that PromptFiction is a prompt injection attack that allows a crafted “claude://” link to automatically open the desktop application and submit a prepared prompt to the agent without user review.

Anthropic acknowledged the reports within a day but closed them as resolved. Manifold Security’s Ax Sharma reiterated that the code responsible for the synthetic-click flaw remains unchanged in the latest release. Eight Claude for Chrome releases later, the bypass is still six lines of JavaScript, he noted.

The vulnerabilities align with recognized AI security risks under the OWASP Top 10 for LLM Applications: prompt injection (LLM01) and excessive agency (LLM06). The flaws reflect a systemic issue in how AI agents handle trust boundaries between third-party scripts and privileged actions. Experts warn that the flaw underscores a broader challenge in AI security: the rapid pace of development outstrips traditional vulnerability management.

For now, users are advised to turn off Act without asking in Claude for Chrome, review Chrome extensions, and limit which services the assistant can access.

You may also like