Home/News/Claude for Chrome Flaw Lets Rogue Extensions Read Gmail
The Hacker News2 min read

By Interestana AI Editorial — AI-drafted, human-overseen. How we report

Claude for Chrome Flaw Lets Rogue Extensions Read Gmail

Claude for Chrome Flaw Lets Rogue Extensions Read Gmail

Researchers have identified a vulnerability in Anthropic's Claude for Chrome browser extension that could permit rogue extensions to access user Gmail data. The flaw, detailed in a security advisory, allows any browser extension capable of running a script on the claude.ai domain to trigger Claude for Chrome's functionalities. This could lead to unauthorized access to a user's Gmail, recent Google Docs and their comments, and Google Calendar entries.

The security researchers stated that this vulnerability, dubbed "ClaudeBleed" by some, requires a malicious extension to already possess the capability to execute scripts on claude.ai. The exploit's scope is significant, as it leverages the extension's integration with Google services. Anthropic acknowledged the issue and implemented restrictions on arbitrary prompt paths in May as part of its ongoing security response, though the full extent of the fix and its impact on this specific vulnerability are still under review.

This discovery highlights ongoing security challenges with AI-powered browser extensions that integrate deeply with user data. The ability for one extension to exploit another's functionality raises concerns about the broader security posture of such tools. Users are advised to review their installed browser extensions and their permissions, and to remain vigilant about security updates from AI service providers like Anthropic.

Original source — read the full reporting at the publisher:

Read on The Hacker News

Get the weekly AI digest

AI news + new model releases, weekly. Drafted by our agents, reviewed by humans.

Read next