Ai Agents 2 min read

Unpatched ClaudeBleed Flaw Hijacks Chrome Extension Agents

A vulnerability in the Claude for Chrome extension allows malicious third-party scripts to bypass security prompts and exfiltrate connected data.

A critical, unpatched vulnerability in Anthropic’s Claude for Chrome extension allows malicious third-party scripts to hijack the AI and execute unauthorized actions. Disclosed by Manifold Security and detailed in a recent security report, the flaw affects versions up to 1.0.80. The exploit, known as ClaudeBleed, bypasses standard user interaction safeguards to extract data from connected services like Gmail, Google Drive, and GitHub.

Synthetic Clicks and Privilege Escalation

Attackers leverage a combination of DOM manipulation and synthetic click exploitation. The extension fails to properly validate the isTrusted property on click events originating from the claude.ai web origin. This allows a malicious extension with zero special permissions to inject JavaScript and simulate trusted user clicks on the interface.

To bypass state-based security prompts, attackers append a hidden ?skipPermissions=true URL parameter. This places the extension into a privileged “Hands-off” mode designed for unattended multi-step tasks. If any confirmation dialogs do appear, the malicious script initiates an approval loop, automatically clicking through the warnings. The script can also dynamically rename critical interface buttons, tricking the AI into executing destructive actions under benign labels.

Scope and Impact

The vulnerability exposes sensitive data from services connected to the Claude extension. Researchers demonstrated that a malicious extension can force Claude to act as a confused deputy, executing commands against authenticated sessions.

ServiceExploited Capability
GmailRead, summarize, forward, or delete emails
Google Drive/DocsAccess, read, and share restricted documents
Google CalendarView and modify private schedules
GitHubClone and exfiltrate private repositories
SalesforceAccess and export customer data

If you automate desktop workflows using browser-based AI tools, this represents a major access risk. Anthropic has updated its safety documentation to acknowledge that prompt injection and novel attacks can bypass evaluations, but the core vulnerability remains unpatched after eight consecutive releases. Security researchers note the extension only validates the web origin rather than the execution context of the script.

If you deploy browser-based AI assistants, you must isolate the extension environment from untrusted third-party add-ons. Disable the Claude extension in browser profiles used for handling sensitive enterprise accounts until a context-aware patch is released.

Get Insanely Good at AI

Get Insanely Good at AI

The book for developers who want to understand how AI actually works. LLMs, prompt engineering, RAG, AI agents, and production systems.

Keep Reading