
A flaw in Anthropic's Claude for Chrome browser extension could allow a malicious extension to trigger predefined AI actions by simulating user clicks, potentially allowing it to abuse Claude's access to connected services such as Gmail, Google Docs, Google Calendar, and Salesforce.
The issue was discovered by Ax Sharma of Manifold Security, who says it stems from how the Claude extension determines whether a user intentionally requested one of its built-in tasks.
Chrome extensions with permission to run on a website can inject JavaScript into the page, allowing them to read and modify its contents. This includes changing page elements, reading information displayed on a site, and generating click and keyboard events programmatically.
According to Manifold's report, the Claude extension listens for click events on a specific page element that launches one of its built-in AI workflows. These workflows are predefined tasks that allow Claude to perform actions in connected services such as Gmail, Google Docs, Google Calendar, and Salesforce.
The supported workflows include:
- usecase-gmail: read recent Gmail, identify promotional emails, and click unsubscribe
- usecase-gdocs: open the user's latest Google Doc, read all comments and feedback
- usecase-calendar: read Google Calendar, find free slots, create meetings
- usecase-salesforce: modify Salesforce leads, convert them to opportunities
The researchers found the extension accepted JavaScript-generated click events without verifying whether they originated from a real user.
When a browser generates an event from a real user action, such as a mouse click or key press, it marks it as trusted by setting the Event.isTrusted property to true. However, if JavaScript is used to generate the event, the browser automatically sets Event.isTrusted to false, allowing webpages and extensions to distinguish between real user interactions and events generated by JavaScript.
According to Manifold Security, the Claude browser extension did not verify that a click event originated from a real user by checking the browser's Event.isTrusted property before executing one of its predefined workflows.
Instead, a malicious extension with permission to modify content on the 'claude.ai' domain could inject a page element containing one of nine supported task identifiers and generate a synthetic click event.
Although the browser correctly marked the event as untrusted, Sharma says the Claude extension treated it as a legitimate user click and executed the requested AI action.
The researcher notes that the flaw does not allow arbitrary prompt injection, but instead, the attack is limited to the nine predefined tasks built into the extension.
The attack also does not allow a website to compromise the Claude extension directly, but requires an attacker to trick a user into installing a malicious extension that can execute code on claude.ai.
That extension could then manipulate the webpage and trigger the Claude extension's workflows.
While a malicious browser extension already has broad access to webpages it can run on, the researchers say this flaw allows it to abuse Claude's authenticated access to various connected services.
The impact depends on the Claude extension's configuration and whether users choose to approve sensitive actions or have Claude's optional "Act without asking" setting enabled, which allows predefined workflows to execute automatically.
In a second finding, the researchers found an internal 'skipPermissions=true' parameter that bypassed certain permission checks when launching the extension.
However, they acknowledged that the mechanism was not directly exploitable on its own and would require another vulnerability to create a specially crafted URL.
The researchers reported both findings to Anthropic through the company's bug bounty program. Anthropic acknowledged the reports and closed the synthetic-click report, stating they were already tracking it as a broader issue. The second flaw, involving the internal skipPermissions=true parameter, was classified as informational.
Manifold says the flaws are still exploitable in the latest version, 1.0.80, of the browser extension, released on July 7.
"Manifold verified July 7 that both findings remain reproducible in 1.0.80. The content script and side-panel handlers we cited are byte-identical to the v1.0.72 source," reads the report.
Test every layer before attackers do
Security teams log 54% of successful attacks and alert on just 14%. The rest move through your environment unseen.
The Picus whitepaper shows how breach and attack simulation tests your SIEM and EDR rules so threats stop slipping by detection.
Get the whitepaper