Cybertech Europe 2026-IT Industry Official Media Partner
Subscribe

Stay up to date with the most important news

By pressing the Subscribe button, you confirm that you have read and agree to our privacy policy and terms of use
Contact us

Security flaw in Claude for Chrome could trigger AI workflows via malicious extensions

a security flaw in Claude for Chrome that shows how malicious browser extensions can trigger AI workflows and affect Gmail, Google Docs, Google Calendar, and Salesforce. a security flaw in Claude for Chrome that shows how malicious browser extensions can trigger AI workflows and affect Gmail, Google Docs, Google Calendar, and Salesforce.
The security flaw in Claude for Chrome could allow malicious browser extensions to trigger AI workflows in connected services like Gmail, Google Docs, Google Calendar, and Salesforce.

Claude Chrome security flaw could allow a malicious browser extension to trigger predefined AI workflows through simulated user clicks. The flaw could in turn be abused Claude's access to services like Gmail, Google Docs, Google Calendar, and Salesforce, depending on how the extension is configured and what permissions the user has given it.

The vulnerability was discovered by the security researcher Axe Sharma at Manifold Security. According to the researcher, the problem lies in how Anthropic's Chrome extension Claude determines whether a user has actually initiated one of its built-in AI workflows.

How the Claude Chrome vulnerability works

Chrome extensions that have permission to run on a website can inject JavaScript into the page's content. This means they can read and modify information, manipulate page elements, and generate click and keyboard events programmatically.

  • The IT industry Nordic technology media platform covering cybersecurity, cloud, AI, digital transformation, channel, MSP and enterprise IT news
    The IT industry is a leading Nordic technology media platform covering cybersecurity news, artificial intelligence, cloud computing, enterprise IT, digital transformation, managed services, channel partners, software development, telecommunications, data centers, IT infrastructure, technology leadership, business innovation, and emerging technologies. Through executive interviews, industry analysis, event coverage, thought leadership, product launches, vendor updates, and market insights, the IT industry connects technology decision-makers, CIOs, CISOs, CTOs, IT managers, MSPs, resellers, distributors, technology vendors, startups, and enterprise organizations across Sweden, Norway, Denmark, Finland, and Europe. Coverage includes cybersecurity trends, AI adoption, cloud strategy, enterprise software, networking, digital infrastructure, sustainability, compliance, governance, risk management, automation, data analytics, and future technology developments.
    OWN CONTENT

  • Maciek Szczesniak featured on IT-Branschen Wire Channel Magic Chats podcast banner
    Maciek Szczesniak appears on IT-Branschen Wire Channel Magic Chats, discussing leadership, innovation, digital transformation, and business services.
    SPONSORED

  • VORTIQ-X AI Governance helps companies transform AI into controllable and verifiable business value.
    VORTIQ-X is an AI Governance platform that helps organizations govern, verify, and create measurable business value from AI. The platform focuses on transparency, compliance, AI governance, and the effective use of AI in mission-critical processes.
    ADVERTISEMENT

  • Cybertech Europe 2026 cybersecurity conference in Rome with the IT industry as Official Media Partner
    Cybertech Europe 2026 is one of Europe's leading cybersecurity conferences, bringing together cybersecurity leaders, government officials, technology innovators, startups, investors, and enterprise decision-makers in Rome. The IT industry serves as an Official Media Partner, providing event coverage, executive interviews, industry insights, and cybersecurity news for Nordic and European audiences.
    ADVERTISEMENT

According to Manifold Security The Claude extension listens for clicks on specific page elements that are used to launch predefined AI workflows. These workflows enable Claude to perform tasks in connected services, including:

  • Gmail: read the latest emails, identify promotional emails and unsubscribe.
  • Google Docs: open the user's latest document and read comments and feedback.
  • Google Calendar: analyze the calendar, find available times and create meetings.
  • Salesforce: update leads and convert them into business opportunities.

Didn't check if the click came from a real user

The researchers discovered that The Claude addition accepted JavaScript-generated clicks without checking whether they came from a real user.

Web browsers use the property Event.isTrusted to distinguish between events created by a user and those generated programmatically via JavaScript. For example, when a user clicks the mouse, Event.isTrusted to true, while synthetic events are automatically marked as false.

According to Manifold Security, the Claude extension did not check this property before starting an AI workflow.

This meant that a malicious Chrome extension with permission to run on the domain claude.ai could create a special page element, specify one of the supported task identifiers, and then generate a synthetic click. Although the browser correctly marked the event as untrusted, the Claude extension treated it as a legitimate user click and performed the requested AI action.

The attack is limited but could have significant consequences

The researchers emphasize that the vulnerability does not allow arbitrary prompt injection or allow attackers to run arbitrary commands through Claude. Instead, the attack is limited to the nine predefined AI workflows built into the extension.

An attacker also cannot compromise Claude directly through a website. For the attack to succeed, the user must first be tricked into installing a malicious Chrome extension that has permission to execute code on it. claude.ai.

Once such an extension is installed, it can manipulate the web page and trigger the Claude extension's built-in workflows without the user intentionally initiating them.

Can abuse Claude's access to external services

Although a malicious browser extension already has extensive access to the websites it runs on, researchers believe this vulnerability poses an additional risk because it could exploit Claude's authenticated access to connected services.

How big the impact will be depends, among other things, on how The Claude addition is configured and if the user has enabled the feature “Act without asking”, which allows certain predefined workflows to run automatically without further approval.

In environments where Claude has access to sensitive information or business systems, the consequences may therefore be greater than with a typical malicious browser extension.

Further discovery around authorization checks

The researchers also identified an internal parameter, skipPermissions=true, which could bypass certain authorization checks when the extension was launched.

However, they noted that this mechanism could not be exploited directly on its own. To create a working attack, an additional vulnerability would be required to construct a specially crafted URL.

Anthropic was informed via the bug bounty program

Both findings were reported to Anthropic through the company's bug bounty program.

Anthropic confirmed the reports and stated that the synthetic click problem had already been recorded as part of a larger security effort. The second discovery, which concerned the parameter skipPermissions=true, was classified as informative.

According to Manifold Security, both flaws are still reproducible in version 1.0.80 by Claude Chrome extension, which was published on July 7.

In their report, the researchers write:

“Manifold verified on July 7 that both results are still reproducible in version 1.0.80. The content script and sidebar handlers that we analyzed are byte-identical to the source code in version 1.0.72.”

It is currently unclear when Anthropic will fix the main vulnerability. Until then, users are advised to only install Chrome extensions from trusted developers, regularly review the permissions of installed extensions, and avoid granting unnecessary permissions to extensions that have access to claude.ai, Google Workspace or other business-critical services.

Stay up to date with the most important news

By pressing the Subscribe button, you confirm that you have read and agree to our privacy policy and terms of use
  • Maciek Szczesniak featured on IT-Branschen Wire Channel Magic Chats podcast banner
    Maciek Szczesniak appears on IT-Branschen Wire Channel Magic Chats, discussing leadership, innovation, digital transformation, and business services.
    SPONSORED

  • VORTIQ-X AI Governance helps companies transform AI into controllable and verifiable business value.
    VORTIQ-X is an AI Governance platform that helps organizations govern, verify, and create measurable business value from AI. The platform focuses on transparency, compliance, AI governance, and the effective use of AI in mission-critical processes.
    ADVERTISEMENT

  • Cybertech Europe 2026 cybersecurity conference in Rome with the IT industry as Official Media Partner
    Cybertech Europe 2026 is one of Europe's leading cybersecurity conferences, bringing together cybersecurity leaders, government officials, technology innovators, startups, investors, and enterprise decision-makers in Rome. The IT industry serves as an Official Media Partner, providing event coverage, executive interviews, industry insights, and cybersecurity news for Nordic and European audiences.
    ADVERTISEMENT

  • The IT industry Nordic technology media platform covering cybersecurity, cloud, AI, digital transformation, channel, MSP and enterprise IT news
    The IT industry is a leading Nordic technology media platform covering cybersecurity news, artificial intelligence, cloud computing, enterprise IT, digital transformation, managed services, channel partners, software development, telecommunications, data centers, IT infrastructure, technology leadership, business innovation, and emerging technologies. Through executive interviews, industry analysis, event coverage, thought leadership, product launches, vendor updates, and market insights, the IT industry connects technology decision-makers, CIOs, CISOs, CTOs, IT managers, MSPs, resellers, distributors, technology vendors, startups, and enterprise organizations across Sweden, Norway, Denmark, Finland, and Europe. Coverage includes cybersecurity trends, AI adoption, cloud strategy, enterprise software, networking, digital infrastructure, sustainability, compliance, governance, risk management, automation, data analytics, and future technology developments.
    OWN CONTENT