{"id":289508,"date":"2026-07-14T13:27:00","date_gmt":"2026-07-14T17:27:00","guid":{"rendered":"https:\/\/news-you-need.com\/index.php\/2026\/07\/14\/researchers-say-claude-for-chrome-flaw-lets-rogue-extensions-trigger-gmail-reads\/"},"modified":"2026-07-14T16:25:09","modified_gmt":"2026-07-14T20:25:09","slug":"researchers-say-claude-for-chrome-flaw-lets-rogue-extensions-trigger-gmail-reads","status":"publish","type":"post","link":"https:\/\/news-you-need.com\/index.php\/2026\/07\/14\/researchers-say-claude-for-chrome-flaw-lets-rogue-extensions-trigger-gmail-reads\/","title":{"rendered":"Researchers Say Claude for Chrome Flaw Lets Rogue Extensions Trigger Gmail Reads"},"content":{"rendered":"<p><a href=\"https:\/\/thehackernews.com\/2026\/07\/claude-for-chrome-flaw-lets-other.html\">Researchers Say Claude for Chrome Flaw Lets Rogue Extensions Trigger Gmail Reads<\/a><\/p>\n<p><a href=\"https:\/\/thehackernews.com\/2026\/07\/claude-for-chrome-flaw-lets-other.html\">https:\/\/thehackernews.com\/2026\/07\/claude-for-chrome-flaw-lets-other.html<\/a><\/p>\n<p>Publish Date: <a href=\"publish_date]\">2026-07-14 13:27:00<\/a><\/p>\n<p>Source Domain: <a href=\"thehackernews.com\">thehackernews.com<\/a><\/p>\n<p>Any other browser extension that can run a script on claude.ai can still trigger Claude for Chrome tasks aimed at your Gmail, your latest Google Doc and its comments, and your Calendar.<\/p>\n<p>Both this and ClaudeBleed need a rogue extension that can already run a script on claude.ai; the difference is scope. Anthropic restricted the arbitrary-prompt path in May as part of its response to the\u00a0ClaudeBleed\u00a0flaw, boxing external callers into a fixed set of tasks, but\u00a0Manifold Security\u00a0says the gap is still open in\u00a0v1.0.80, the current release, eight versions later.<\/p>\n<p>If you run Claude for Chrome and any other extension that can touch claude.ai, you are in scope. In the default &#8220;ask before acting&#8221; mode, the forged task still hits an approval box you have to click.<\/p>\n<p>If you switched on &#8220;Act without asking,&#8221; the hands-off automation mode, it runs with no prompt at all. The quickest guard is to turn &#8220;Act without asking&#8221; off and review any extension with permission to read or change data on claude.ai. That restores the approval step but does not remove the forged-click path, and there is no patch as of July 14.<\/p>\n<p>The Hacker News unpacked the current build and confirmed both mechanisms remain in v1.0.80.<\/p>\n<h2>The trigger accepts a forged click<\/h2>\n<p>After ClaudeBleed, Anthropic stopped letting the page hand Claude any text it wanted and boxed external callers into nine fixed task IDs baked into the extension bundle.<\/p>\n<p>Three are onboarding practice prompts, three drive DoorDash, Salesforce, and Zillow, and the last three,\u00a0usecase-gmail,\u00a0usecase-gdocs, and\u00a0usecase-calendar, are the ones that read your mail, your latest doc and its comments, and your calendar. The allowlist is a real improvement. The page can no longer put words in Claude&#8217;s mouth.<\/p>\n<p>The weak point is what pulls the trigger. A content script in the extension listens on claude.ai for a click on a specific element (#claude-onboarding-button), reads its\u00a0data-task-id, and if the ID is one of the nine allowlisted tasks,&#8230;<\/p>\n<p><a href=\"https:\/\/thehackernews.com\/2026\/07\/claude-for-chrome-flaw-lets-other.html\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Researchers Say Claude for Chrome Flaw Lets Rogue Extensions Trigger Gmail Reads https:\/\/thehackernews.com\/2026\/07\/claude-for-chrome-flaw-lets-other.html Publish Date:&#8230;<\/p>\n","protected":false},"author":1,"featured_media":289509,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEi6dKqmptCkoLw0bB5PV9wa9zqqfMmsIU0yrc4vQ2FdIFYClQBeZyUifVSr4wny1umoGovVKP57bzeh3-8RjmK8VktgN_y8TGTnkkw6Ua49L3xfWT_n8Ks6ob2NpIy78NSAV4-XU7HxfdmYqAZcKYz7DIjihqBI8OsQIgW3a4vca7taNTohCTDrqEamAk4\/s1600\/claude-chrome-flaw.jpg","fifu_image_alt":"","footnotes":""},"categories":[15],"tags":[26,35],"class_list":["post-289508","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity","tag-ai","tag-hacker"],"_links":{"self":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/289508"}],"collection":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/comments?post=289508"}],"version-history":[{"count":1,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/289508\/revisions"}],"predecessor-version":[{"id":289510,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/289508\/revisions\/289510"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media\/289509"}],"wp:attachment":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media?parent=289508"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/categories?post=289508"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/tags?post=289508"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}