What the Flaw Is
A bug in the Claude Chrome extension lets any other browser add‑on talk to the AI model without verification. The extension code accepts commands from any script running in the same browser origin, even if that script has no special permissions.
Aviad Gispan, senior researcher at LayerX, wrote: "The flaw creates a privilege‑escalation primitive across extensions, something Chrome's security model is designed to block."
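The missing check the article describes is sender verification on the extension's message channel. The following is an added example written for this page, a generic extension message-dispatch pattern and not code from the Claude extension, Anthropic or LayerX. The `sender` shape mirrors `chrome.runtime.MessageSender` (`id`, `tab`, `url`); the action names, allowlisted extension ID and consent tokens are constructed for illustration.

```javascript
// Added example (not the Claude extension's code). `sender` follows the shape of
// chrome.runtime.MessageSender; the actions, IDs and tokens below are constructed.

// The weak pattern the article describes: whatever reaches the listener is run,
// with no look at who sent it.
function dispatchUnverified(message, sender, actions) {
  const handler = actions[message.action];
  if (!handler) return { ok: false, reason: "unknown action" };
  return { ok: true, result: handler(message.args) };
}

// Hardened dispatcher: accept only allowlisted extension IDs, refuse messages that
// came from a content script (sender.tab is set), and gate privileged actions on a
// single-use consent token minted by the extension's own UI.
function createVerifiedDispatcher({ allowedExtensionIds, privilegedActions, consentTokens, actions }) {
  return function dispatch(message, sender) {
    if (!sender || typeof sender.id !== "string") return { ok: false, reason: "no sender identity" };
    // Content scripts run inside a page's origin; they must not drive the agent.
    if (sender.tab) return { ok: false, reason: "content-script sender rejected" };
    if (!allowedExtensionIds.has(sender.id)) return { ok: false, reason: "sender not allowlisted" };
    if (typeof message?.action !== "string") return { ok: false, reason: "malformed message" };
    const handler = actions[message.action];
    if (!handler) return { ok: false, reason: "unknown action" };
    if (privilegedActions.has(message.action)) {
      if (!consentTokens.has(message.consentToken)) {
        return { ok: false, reason: "privileged action without user consent" };
      }
      // Consume the token so a replayed message cannot reuse an earlier approval.
      consentTokens.delete(message.consentToken);
    }
    return { ok: true, result: handler(message.args) };
  };
}

// Constructed stand-ins for agent capabilities; a real extension would call into
// its own tooling here.
const sampleActions = {
  runPrompt: (args) => `prompt accepted: ${args.text}`,
  shareFile: (args) => `shared ${args.fileId} with ${args.recipient}`,
};

// Stand-alone walk-through with constructed values.
const consentTokens = new Set(["consent-0001"]);
const dispatch = createVerifiedDispatcher({
  allowedExtensionIds: new Set(["trusted-companion-extension-id"]),
  privilegedActions: new Set(["shareFile"]),
  consentTokens,
  actions: sampleActions,
});
console.log(dispatch({ action: "runPrompt", args: { text: "hello" } }, { id: "some-other-extension" }));
console.log(dispatch({ action: "shareFile", args: { fileId: "f1", recipient: "a@example.com" } },
  { id: "trusted-companion-extension-id" }));
```

In a real extension the verified dispatcher would be registered on `chrome.runtime.onMessageExternal`, and the manifest's `externally_connectable.ids` list narrows who can connect at all; when that key is absent, Chrome allows any installed extension to connect, so the listener-side check above is the last line of defence rather than the only one.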
How Attackers Can Exploit It
By injecting a simple content script, an attacker can:
- Force Claude to run arbitrary prompts.
- Bypass Claude's safety guardrails.
- Access Google Drive files and share them.
- Read and send emails from the victim's account.
- Steal source code from linked GitHub repos.
Because Claude decides actions based on text and UI cues, attackers can hide labels, remove warnings, and make the AI think it is acting normally.
Real‑World Proof of Concept
LayerX demonstrated the bug by extracting Drive files, surveilling email activity, and sending messages on the user’s behalf—all without the user seeing a prompt.
Why This Matters for AI Safety
Traditional defenses focus on monitoring the AI’s output. This attack shows that controlling the input environment can let the model perform malicious actions while appearing benign.
Ax Sharma of Manifold Security says the threat “lies in manipulating the agent’s perceived environment,” underscoring the need for defenses beyond prompt‑level checks.
Anthropic’s Response
LayerX reported the issue on April 27. Anthropic issued a partial fix on May 6, adding new approval flows for privileged actions. However, researchers still managed to hijack Claude in limited scenarios by forcing the extension into “privileged” mode without user consent.
Anthropic has not commented publicly on the mitigation status.
What Users Should Do Now
- Remove the Claude Chrome extension if you do not need it.
- Limit other extensions to the minimum required permissions.
- Monitor account activity on Google services for unexpected actions.
- Stay updated on Anthropic’s patches and apply them immediately.
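The monitoring step above can be made concrete. The following is an added example written for this page, not code from the article, Anthropic or Google: it reviews a constructed list of account-activity records for two signs the article's scenario would leave behind, Drive shares to untrusted domains and a tight burst of share/send events that suggests automation rather than a person. The record fields (`ts`, `service`, `event`, `target`) and the sample rows are invented; a real export from Google's activity tooling would need mapping onto them.

```javascript
// Added example (not from the article). Field names and rows are constructed.
const constructedActivity = [
  { ts: "2025-05-07T09:00:00Z", service: "drive", event: "share", target: "colleague@example.com" },
  { ts: "2025-05-07T09:00:02Z", service: "drive", event: "share", target: "collector@untrusted-example.net" },
  { ts: "2025-05-07T09:00:03Z", service: "gmail", event: "send",  target: "collector@untrusted-example.net" },
  { ts: "2025-05-07T09:00:04Z", service: "gmail", event: "send",  target: "collector@untrusted-example.net" },
  { ts: "2025-05-07T09:00:05Z", service: "drive", event: "share", target: "collector@untrusted-example.net" },
  { ts: "2025-05-07T14:30:00Z", service: "gmail", event: "send",  target: "friend@example.org" },
];

// Events that move data out of the account.
const SENSITIVE = new Set(["drive:share", "gmail:send"]);

function domainOf(address) {
  return address.slice(address.lastIndexOf("@") + 1).toLowerCase();
}

// Drive shares whose recipient domain is not on the trusted list.
function findExternalShares(records, trustedDomains) {
  return records.filter(
    (r) => r.service === "drive" && r.event === "share" && !trustedDomains.has(domainOf(r.target))
  );
}

// Runs of at least `threshold` sensitive events inside `windowSeconds`.
// Each burst is reported once; its events are not re-counted in a later window.
function findBursts(records, { windowSeconds, threshold }) {
  const sensitive = records
    .filter((r) => SENSITIVE.has(`${r.service}:${r.event}`))
    .map((r) => ({ ...r, t: Date.parse(r.ts) }))
    .sort((a, b) => a.t - b.t);
  const bursts = [];
  let i = 0;
  while (i < sensitive.length) {
    let j = i;
    while (j + 1 < sensitive.length && sensitive[j + 1].t - sensitive[i].t <= windowSeconds * 1000) j++;
    const count = j - i + 1;
    if (count >= threshold) {
      bursts.push({ start: sensitive[i].ts, end: sensitive[j].ts, count });
      i = j + 1;
    } else {
      i++;
    }
  }
  return bursts;
}

function reviewActivity(records, policy) {
  return {
    externalShares: findExternalShares(records, policy.trustedDomains),
    bursts: findBursts(records, policy.burst),
  };
}

// Stand-alone run over the constructed records.
const samplePolicy = {
  trustedDomains: new Set(["example.com"]),
  burst: { windowSeconds: 10, threshold: 4 },
};
console.log(JSON.stringify(reviewActivity(constructedActivity, samplePolicy), null, 2));
```

The thresholds are policy choices: a window of a few seconds with a handful of events catches scripted activity without flagging a person who shares two files in a meeting, and the trusted-domain list should be the organisation's own domains plus known partners.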
As AI agents become more integrated into workflows, securing the bridge between browsers and models is critical to prevent silent data theft.