Claude for Chrome is supposed to help people get things done in the browser. But a new report says another extension can still push it into reading Gmail and carrying out other tasks, without a genuine click from the user.

Manifold Security says it tested version 1.0.80 of the extension on July 7 and was still able to reproduce the problem. The company had first reported the issue to Anthropic in May.

According to details shared, a malicious extension with access to claude.ai can create a button on the page, attach one of Claude’s built-in task IDs to it and trigger a fake click. Claude then treats the request as if the user had clicked the button themselves.

claude-extension-chrome-flaw-example

The task list includes more than harmless examples. One Gmail task tells Claude to read recent messages, find promotional emails and unsubscribe from them. Other tasks can open the user’s latest Google Doc and read its comments, check Google Calendar availability, create meetings or modify Salesforce leads.

Manifold says the extension does not check whether the click was real before sending the request to Claude.

“The handler does not check event.isTrusted,” the researchers wrote. “Any script with DOM access on claude.ai can construct the button, set the task ID, and dispatch a synthetic click.”

Claude normally shows an approval prompt before taking sensitive actions. That limits what an attack can do without the user noticing. However, the report also looks at the extension’s “Act without asking” mode, where Claude can carry out tasks without requesting approval each time.

claude-chrome-extension-approval

Manifold says that second issue is not directly exploitable on its own in version 1.0.80. It is still a concern because the extension can read a setting in its own URL and open a session in the high-risk mode. A future problem that exposes that process to another extension could make the situation much worse.

Anthropic released eight updates after Manifold’s original report, covering versions 1.0.73 through 1.0.80. The researchers say the relevant code was still unchanged when they checked the latest version. They also say the wider issue had been marked as resolved internally.

This is another reminder that browser extensions can become a privacy problem long after people install them. In a recent report, a Chrome extension used by around 900,000 people was removed after researchers found code that could have collected browsing data. Another investigation found more than 150 wallpaper extensions faking Google traffic while tracking users.

We have also seen seemingly useful free VPN extensions turn on clipboard monitoring after an update, potentially exposing passwords, verification codes and crypto wallet details.

So to stay on the safe side, Claude extension users should check the other extensions installed in the browser and remove those they do not recognize or trust. Keeping Claude in its approval-based mode is also a sensible precaution for now.

We stand out from the tech-media crowd because we break news stories; we mainly bring you stuff that you won’t find anywhere in the mainstream tech media. Our stories have been picked up by some of the world’s most popular websites and media outlets—more info is available here.

Dwayne Cubbins
2823 Posts

I cover fast-moving stories across apps, online platforms, and everyday tech — phones, wearables, consoles, and whatever else people are fighting with this week. Bugs, rollouts, scams, policy enforcement, and the occasional internet-culture rabbit hole are all fair game. My goal is simple — make confusing tech news readable. When I'm not working, I'm working out or chilling with my dog. Got a tip? You can find me on X @dcubbins.