Bugs in Claude's Chrome Extension Let Other Add-Ons Read Your Gmail and Docs

Security researchers say two unpatched flaws in Anthropic's browser assistant can be exploited to silently pull private data from Google services, and a simple one-line fix has gone unshipped for months.

ThreatVectr Newsdesk· 3 min read
A sleek server room bathed in cool blue light, rows of black server racks stretching into the distance, a single amber warning light glowing on one unit in the
Share

Key points

  • Manifold Security published findings in 2025 showing two unpatched security flaws in Anthropic's Claude for Chrome browser extension, version 1.0.80.
  • A malicious browser extension, meaning a harmful add-on secretly installed alongside legitimate ones, can trick Claude into reading a user's Gmail, Google Docs, and Google Calendar without their knowledge.
  • Anthropic shipped at least eight new versions of the extension after receiving the report in May 2025, but the vulnerable code remains byte-for-byte identical to the version originally tested.
  • Manifold says the first flaw can be fixed by adding a single line of code; neither fix has appeared in any release to date.
  • Users who have turned on Claude's "Act without asking" mode face the highest risk, because the extension will carry out actions silently.

Anthropic's Claude for Chrome is a browser extension that lets users ask the Claude artificial intelligence assistant to perform tasks directly inside their web browser, such as drafting emails or summarising documents. Two security flaws inside it could let a separate, malicious browser extension hijack that capability and quietly read private content from Google's services.

The findings come from Manifold Security, a firm that studies software vulnerabilities, and were first reported by CSO Online. Manifold says both flaws remain open in version 1.0.80, released on 7 July 2025.

How did the researchers say the attack works?

The first flaw sits in how Claude handles a click before it acts. When you click a button in Claude, the browser assigns that click a property called "isTrusted" to confirm a real person pressed it. Claude's extension never checks that property. A rogue add-on can therefore generate a fake, synthetic click that Claude treats as genuine, then watch Claude carry out a privileged task, such as opening Gmail and reading messages, without the user ever touching anything.

If the user has switched on "Act without asking" mode, Claude skips its own confirmation dialog entirely. The data leaves silently.

Manifold demonstrated a working version of this attack in six lines of JavaScript code. Their proposed fix is one line added to Claude's code: if (!n.isTrusted) return;. That line has not appeared in any release.

The second flaw is subtler. Claude's side panel, the sidebar interface, can be loaded with a web address containing the parameter ?skipPermissions=true. This puts the extension into an elevated-privilege mode meant to spare users repeated confirmation prompts. No direct outside path to force that parameter exists today, but Manifold argues that making elevated access depend on a value in a web address is inherently fragile. Any future flaw that could influence that address would automatically inherit the higher privileges with no extra checks required.

Researchers drew a parallel with "ClaudeBleed," an earlier disclosure where Anthropic announced a fix that did not fully close the vulnerability.

Anthropic did not respond to requests for comment before publication.

What should users do right now? If you have Claude for Chrome installed, check your extension settings and turn off "Act without asking" mode until a patched version arrives. Review which other browser extensions are installed and remove any you do not recognise or actively use. Limiting the number of installed add-ons directly reduces the surface a malicious one could exploit.

© 2026 Threat Vectr