← All stories
● Covered by 2 sources Β· 2 reportsMedium impact

Claude for Chrome Vulnerability Allows Extensions to Access Gmail Without User Consent

Aggregated by BrevFeed security Β· updated 15h ago
πŸ”– Save

Manifold researchers identified vulnerabilities in Claude for Chrome that permit malicious extensions to access user data in Gmail, Google Docs, and Calendar. Despite a previous patch for a related issue, version 1.0.80 still allows these exploits under certain conditions, posing a security risk.

Key points

Overview

Security firm Manifold has discovered two critical vulnerabilities in Anthropic's Claude for Chrome browser extension. These vulnerabilities can allow malicious browser extensions to access private user data, such as Gmail messages, Google Docs, and calendar entries, without the user's consent.

Vulnerability Details

The security flaw allows a rogue browser extension, capable of running scripts on claude.ai, to trigger Claude into performing tasks without real user actions. This issue persists in version 1.0.80, despite previous attempts by Anthropic to mitigate similar vulnerabilities reported earlier this year.

Current Status

The vulnerabilities remain unpatched as of July 14. In the default "ask before acting" mode, users will get a confirmation prompt. However, in "Act without asking" mode, these vulnerabilities can be exploited without any prompt, increasing exposure risk.

User Recommendations

Users are advised to disable the "Act without asking" feature and review other extensions with permissions to interact with Claude for Chrome. This can provide an additional layer of security by reinstating the approval step for actions triggered by Claude.

Conclusion

While Anthropic has taken steps to restrict exploitable task paths in prior updates, the current state of Claude for Chrome still leaves users vulnerable to data breaches if the recommended precautions are not followed.

✨ This summary was generated by AI from the outlets' reporting listed below. It is not independently verified and may contain errors β€” check the original sources. How BrevFeed works β†’

How outlets covered it

A vulnerability in Claude for Chrome allows rogue browser extensions to trigger tasks that access Gmail, Google Docs, and Calendar. Despite being partially mitigated in previous updates, Manifold Security found that the flaw persists in version 1.0.80, posing a significant security risk for users.

Manifold reports that two vulnerabilities in Claude for Chrome allow malicious extensions to read sensitive user data without consent. This indicates a significant security oversight by Anthropic, as the risks could expose Gmail, Google Docs, and calendar entries to attackers.