A flaw in Anthropic's Claude for Chrome browser extension could allow a malicious extension to trigger predefined AI actions by simulating user clicks, potentially allowing it to abuse Claude's access to connected services such as Gmail, Google Docs, Google Calendar, and Salesforce.
The issue was discovered by Ax Sharma of Manifold Security, who says it stems from how the Claude extension determines whether a user intentionally requested one of its built-in tasks.
Chrome extensions with permission to run on a website can inject JavaScript into the page, allowing them to read and modify its contents. This includes changing page elements, reading information displayed on a site, and generating click and keyboard events programmatically.
According to Manifold's report, the Claude extension listens for click events on a specific page element that launches one of its built-in AI workflows. These workflows are predefined tasks that allow Claude to perform actions in connected services such as Gmail, Google Docs, Google Calendar, and Salesforce.
The supported workflows include:
usecase-gmail: read recent Gmail, identify promotional emails, and click unsubscribe
read recent Gmail, identify promotional emails, and click unsubscribe usecase-gdocs: open the user's latest Google Doc, read all comments and feedback
open the user's latest Google Doc, read all comments and feedback usecase-calendar: read Google Calendar, find free slots, create meetings
read Google Calendar, find free slots, create meetings usecase-salesforce: modify Salesforce leads, convert them to opportunities
The researchers found the extension accepted JavaScript-generated click events without verifying whether they originated from a real user.
... continue reading