{"id":16196,"date":"2026-05-08T11:32:30","date_gmt":"2026-05-08T11:32:30","guid":{"rendered":"https:\/\/newestek.com\/?p=16196"},"modified":"2026-05-08T11:32:30","modified_gmt":"2026-05-08T11:32:30","slug":"claude-in-chrome-is-taking-orders-from-the-wrong-extensions","status":"publish","type":"post","link":"https:\/\/newestek.com\/?p=16196","title":{"rendered":"Claude in Chrome is taking orders from the wrong extensions"},"content":{"rendered":"<div>\n<div id=\"remove_no_follow\">\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<section class=\"wp-block-bigbite-multi-title\">\n<div class=\"container\"><\/div>\n<\/section>\n<p>Anthropic Claude\u2019s Chrome browser extension, known as Claude in Chrome, has a bug that can allow other malicious extensions to hijack it, compromising trusted AI workflows. <\/p>\n<p>Researchers at LayerX Security have warned that Claude\u2019s overly trusted browser communication flows can be abused to inject scripts that can potentially hijack the assistant\u2019s capabilities and manipulate browsing sessions.<\/p>\n<p>LayerX is calling the flaw\u00a0 \u201cClaudeBleed.\u201d<\/p>\n<p>\u201cLayerX reported the flaw to Anthropic,\u201d LayerX researcher <a href=\"https:\/\/www.linkedin.com\/in\/aviad-gispan-ab362341\/\" target=\"_blank\" rel=\"noreferrer noopener\">Aviad Gispan<\/a> said in a blog <a href=\"https:\/\/layerxsecurity.com\/blog\/a-flaw-in-claudes-browser-extension-allows-any-extension-to-hijack-it\/\" target=\"_blank\" rel=\"noreferrer noopener\">post<\/a>. 
\u201cAnthropic replied that they were already aware of the issue and that it would be fixed in the next version of the extension.\u201d However, Gispan added, Anthropic\u2019s fix was partial, and the flaw can still be exploited.<\/p>\n<p>The post demonstrated different ways the flaw can still be exploited, including sending a file from a Google Drive folder to an outsider, sending an email on behalf of a remote attacker, stealing code from a private repository on GitHub, and summarizing emails and sending them to an external user.<\/p>\n<p>\u201cClaudeBleed is a useful demonstration of why monitoring AI agents at the prompt layer is fundamentally insufficient,\u201d said <a href=\"https:\/\/www.linkedin.com\/in\/axsharma\/\" target=\"_blank\" rel=\"noreferrer noopener\">Ax Sharma<\/a>, head of research at Manifold Security. \u201cThe most sophisticated part of this attack isn\u2019t the injection, but that the agent\u2019s perceived environment was manipulated to produce actions that looked legitimate from the inside. That\u2019s the class of threat the industry needs to be building defenses for.\u201d<\/p>\n<h2 class=\"wp-block-heading\" id=\"maliciously-injected-instructions-can-lead-to-attacks\">Maliciously injected instructions can lead to attacks<\/h2>\n<p>Gispan said the issue is an instruction in the extension\u2019s code that allows arbitrary scripts running in the origin browser to communicate with Claude\u2019s LLM. But there is nothing in the code that checks who is running the script.<\/p>\n<p>This potentially allows any extension to invoke a malicious script, without requiring any special permissions, that can issue commands to the Claude extension.<\/p>\n<p>\u201cThe extension exposes a privileged message interface to the main claude.ai LLM via externally_connectable, which is a manifest setting that defines which external websites or extensions are allowed to communicate with your extension,\u201d Gispan explained. 
\u201cIt trusts the origin (claude.ai) rather than the actual execution context.\u201d<\/p>\n<p>As a result, even a \u201cminimal\u201d extension can execute arbitrary <a href=\"https:\/\/www.csoonline.com\/article\/4161382\/prompt-injection-turned-googles-antigravity-file-search-into-rce.html\">prompts<\/a>, breach Claude\u2019s LLM guardrails, bypass user confirmation flows, manipulate Claude\u2019s perception of the UI, and perform sensitive cross-site actions (Gmail, Google Drive, GitHub).<\/p>\n<p>\u201cThis vulnerability effectively breaks Chrome\u2019s extension security model by allowing a zero-permission extension to inherit the capabilities of a trusted AI assistant,\u201d Gispan pointed out.<\/p>\n<h2 class=\"wp-block-heading\">Anthropic fixed the issue, but<\/h2>\n<p>Anthropic released an updated extension version (<a href=\"https:\/\/chromewebstore.google.com\/detail\/claude\/fcoeoabgfenejglbffodgkkbkcdhcgfn\" target=\"_blank\" rel=\"noreferrer noopener\">version 1.0.70<\/a>) on May 6 with a patch and a catch.<\/p>\n<p>In its update, Gispan explained, Anthropic added a layer of internal security checks to prevent extensions from executing remote commands, but the checks only applied to \u201cstandard\u201d mode. By switching the extension to \u201cprivileged\u201d mode, which does not require explicit user permission or notification, the exposure could be brought back, and commands can be executed just as before.<\/p>\n<p>Anthropic had reportedly promised an update that would remove the responsible message handler. \u201cA fix that removes the affected message handler has been merged and will ship in an upcoming extension release,\u201d Gispan said, citing a communication from the company.<\/p>\n<p>But the fix fell short on the promise. 
\u201cContrary to their initial response, the externally_connectable message handler was not removed, but Anthropic did introduce additional approval flows for privileged actions,\u201d he added.<\/p>\n<p>Anthropic did not immediately respond to CSO\u2019s request for comment.<\/p>\n<p>LayerX recommended several mitigation measures, including introducing extension-to-page authentication tokens such as signed requests, restricting \u201cexternally_connectable\u201d permissions to trusted extension IDs instead of origins, and binding user approvals to specific actions and one-time tokens.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>Anthropic Claude\u2019s Chrome browser extension, known as Claude in Chrome, has a bug that can allow other malicious extensions to hijack it, compromising trusted AI workflows. Researchers at LayerX Security have warned that Claude\u2019s overly trusted browser communication flows can be abused to inject scripts that can potentially hijack the assistant\u2019s capabilities and manipulate browsing sessions. 
LayerX is calling the flaw\u00a0 \u201cClaudeBleed.\u201d \u201cLayerX reported the&#8230; <\/p>\n<p class=\"more\"><a class=\"more-link\" href=\"https:\/\/newestek.com\/?p=16196\">Read More<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"inline_featured_image":false,"footnotes":""},"categories":[1],"tags":[],"class_list":["post-16196","post","type-post","status-publish","format-standard","hentry","category-uncategorized","is-cat-link-borders-light is-cat-link-rounded"],"_links":{"self":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts\/16196","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=16196"}],"version-history":[{"count":0,"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts\/16196\/revisions"}],"wp:attachment":[{"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=16196"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=16196"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=16196"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}