Researchers Say Claude for Chrome Flaw Lets Rogue Extensions Trigger Gmail Reads
Researchers Say Claude for Chrome Flaw Lets Rogue Extensions Trigger Gmail Reads
https://thehackernews.com/2026/07/claude-for-chrome-flaw-lets-other.html
Publish Date: 2026-07-14 13:27:00
Source Domain: thehackernews.com
Any other browser extension that can run a script on claude.ai can still trigger Claude for Chrome tasks aimed at your Gmail, your latest Google Doc and its comments, and your Calendar.
Both this and ClaudeBleed need a rogue extension that can already run a script on claude.ai; the difference is scope. Anthropic restricted the arbitrary-prompt path in May as part of its response to the ClaudeBleed flaw, boxing external callers into a fixed set of tasks, but Manifold Security says the gap is still open in v1.0.80, the current release, eight versions later.
If you run Claude for Chrome and any other extension that can touch claude.ai, you are in scope. In the default “ask before acting” mode, the forged task still hits an approval box you have to click.
If you switched on “Act without asking,” the hands-off automation mode, it runs with no prompt at all. The quickest guard is to turn “Act without asking” off and review any extension with permission to read or change data on claude.ai. That restores the approval step but does not remove the forged-click path, and there is no patch as of July 14.
The Hacker News unpacked the current build and confirmed both mechanisms remain in v1.0.80.
The trigger accepts a forged click
After ClaudeBleed, Anthropic stopped letting the page hand Claude any text it wanted and boxed external callers into nine fixed task IDs baked into the extension bundle.
Three are onboarding practice prompts, three drive DoorDash, Salesforce, and Zillow, and the last three, usecase-gmail, usecase-gdocs, and usecase-calendar, are the ones that read your mail, your latest doc and its comments, and your calendar. The allowlist is a real improvement. The page can no longer put words in Claude’s mouth.
The weak point is what pulls the trigger. A content script in the extension listens on claude.ai for a click on a specific element (#claude-onboarding-button), reads its data-task-id, and if the ID is one of the nine allowlisted tasks,…