A Flaw in Claude's Chrome Extension Let Rogue Add-ons Hijack the AI Assistant
Anthropic patched a bug that let malicious browser extensions puppet Claude into touching a user's Gmail, Google Docs, and Salesforce accounts.

Key points
- Anthropic fixed a flaw in its Claude for Chrome extension that let other browser add-ons secretly trigger the AI assistant to act on the user's behalf.
- Researcher Donato Onofri of CyberArk disclosed the bug, which abused simulated clicks to bypass Claude's confirmation prompts.
- The extension has access to connected services including Gmail, Google Docs, Google Calendar, and Salesforce, so a successful attack could read or send data from any of them.
- Claude for Chrome remains in a limited research preview and is not yet available to the general public.
- Users on the preview should update to the latest build pushed by Anthropic and audit any other extensions they have installed.
Anthropic has patched a security flaw in Claude for Chrome, the browser extension that lets its AI assistant read pages and take actions inside a user's tabs. The bug let a second, malicious extension quietly push Claude into doing things the user never asked for.
The attack works by faking mouse clicks. Claude for Chrome normally asks the user to approve sensitive steps, like sending an email or sharing a document. A rogue extension could simulate those approval clicks itself, so Claude went ahead as if the human had said yes.
That matters because Claude for Chrome is designed to plug into other services. During setup, users can connect it to Gmail, Google Docs, Google Calendar, and Salesforce so the assistant can draft replies, pull files, or update records. A malicious extension that hijacks Claude inherits all of that access without ever asking for those permissions itself.
The flaw was found and reported by Donato Onofri, a researcher at identity security firm CyberArk. His writeup, first reported by BleepingComputer, describes chaining together standard browser scripting tricks (nothing exotic, which is part of the point) to defeat the confirmation dialog.
How could a bad extension get onto someone's computer in the first place?
Usually by looking useful. Malicious extensions have shown up in the Chrome Web Store disguised as PDF tools, coupon finders, and productivity helpers. Some start life clean and turn hostile after an update, or after the original developer sells the extension to someone else.
Once installed, extensions run with broad access to what you see and do in the browser. That is the risk model Google warns about, and it is exactly the surface this Claude bug sat on top of.
Anthropic launched Claude for Chrome in late August as a limited research preview, initially for around 1,000 Max-plan subscribers. The company said at the time that it expected agent-style browser attacks and wanted to find them in a small pilot before a wider release. This bug is the sort of thing that pilot was built to catch.
The fix hardens how the extension validates that a click actually came from a human. Anthropic has pushed the updated build to preview users. There is no evidence, according to the company, that the flaw was exploited in the wild before the patch.
What should users do?
If you are in the Claude for Chrome preview, make sure the extension is on the latest version. Chrome updates extensions automatically in most cases, but you can force a check at chrome://extensions with Developer mode on.
Then do a cleanup pass. Remove extensions you do not recognise or no longer use. Be wary of anything that asks to "read and change all your data on all websites", which is the permission that makes attacks like this one possible.
For organisations, the wider lesson is about AI assistants that act, not just chat. An assistant wired into Gmail, Salesforce, and shared drives is effectively a new privileged user. It needs the same scrutiny: least-privilege access, logging of what it does, and a clear answer to the question of who, or what, is actually clicking the button.



