# ClaudeBleed: Claude for Chrome Lets Rogue Extensions Read Gmail

> Source: <https://byteiota.com/claudebleed-claude-for-chrome-lets-rogue-extensions-read-gmail/>
> Published: 2026-07-18 01:12:46+00:00

Claude for Chrome reached general availability on July 1. Thirteen days later, security researchers at Manifold Security confirmed a trust-boundary flaw in the extension lets any rogue Chrome extension silently read your Gmail, Google Docs, and Calendar — and the fix is one line of code that Anthropic still has not shipped across eight subsequent releases.

## A Six-Line Attack, a One-Line Fix

The vulnerability is a textbook confused-deputy problem. Claude for Chrome has real authority — access to your Google accounts, Salesforce, whatever you’ve connected — but a design flaw lets a malicious Chrome extension impersonate you and invoke that authority without your knowledge.

Here’s the mechanism: the extension’s click handler listens for clicks on a specific page element and reads a task ID attribute to decide which of nine hardcoded prompts to fire. The problem is that the handler never checks `event.isTrusted`

— the browser flag that is `true`

for genuine user clicks and `false`

for JavaScript-generated synthetic events. Any other extension with DOM access on claude.ai (a very common permission) can inject a fake button, set a task ID, and dispatch a synthetic click. Claude treats it as a legitimate request and executes the task.

[Manifold Security’s researchers](https://www.manifold.security/blog/claude-for-chrome-extension-bypass) demonstrated the full attack chain in six lines of JavaScript. Their proposed fix from the disclosure? Add `if (!n.isTrusted) return;`

at the top of the click handler. Synthetic clicks rejected. Real user clicks unaffected. One line. Eight releases since the report — it still isn’t there.

## What’s Actually at Risk

The nine hardcoded tasks span a meaningful slice of your work life. The three Google integrations are the headline risk: Claude can be tricked into reading your Gmail (and in Act-without-asking mode, drafting and sending emails as you), reading your Google Docs comments, and viewing your Calendar and creating events. Salesforce lead modification is also on the list.

The severity depends on your settings. With Claude’s default confirmation dialogs enabled, the CVSS score sits at 7.7 High — serious, but a malicious extension still has to trigger the flow and you’d see a prompt. If you’ve turned on “Act without asking” mode (which Anthropic markets as a power-user feature for agentic workflows), the CVSS jumps to 9.6 Critical. No dialogs. Silent execution. The attacker’s extension fires, Claude reads your inbox, done.

## The Timeline Is the Story

Manifold Security reported both bugs on May 21, 2026. Anthropic acknowledged within a day and closed the reports — characterizing the synthetic click issue as already tracked by “existing internal documentation.” On June 9, Anthropic internally marked the broader issue as “resolved.” On July 7, Claude for Chrome v1.0.80 shipped, and the researchers checked: the vulnerable code was byte-for-byte identical to v1.0.72, the build where they first found it. [Bleeping Computer](https://www.bleepingcomputer.com/news/security/claude-chrome-extension-flaw-lets-malicious-extensions-trigger-ai-actions/) and [The Hacker News](https://thehackernews.com/2026/07/claude-for-chrome-flaw-lets-other.html) both confirmed the public disclosure on July 14.

“Resolved” is doing a lot of heavy lifting in that response.

To be clear, Anthropic’s June mitigation did accomplish something — they added a task ID allowlist that restricts which nine prompts can be invoked. That addresses *what* a rogue extension can ask Claude to do. It does not address *who* gets to ask. The confused-deputy flaw — a malicious extension impersonating the user — remains.

## There’s Also a Second Bug

Manifold’s report covered a second issue: Claude’s side panel enters unrestricted mode when launched with `?skipPermissions=true`

appended to its URL. In that mode, the panel skips all confirmation dialogs from the start. Currently, only the extension itself constructs that URL, so there’s no direct external exploitation path today. But it’s a latent risk. Any future regression — an XSS flaw in the options page, a URL-accepting message handler, a panel-building bug — could chain the privilege escalation into a fully silent account compromise. The researchers called it a ticking time bomb. The framing is apt.

## What to Do Right Now

Three things, in order of priority:

**Disable “Act without asking.”** Go to Claude for Chrome settings and turn off autonomous mode. This drops the attack severity from Critical to High and restores confirmation dialogs, giving you a chance to spot unexpected activity.

**Audit your Chrome extensions.** Open `chrome://extensions`

, expand each extension’s permissions, and check for anything with access to all sites or specifically to claude.ai. Extensions you don’t recognize or actively use should go.

**Consider disabling Claude for Chrome on sensitive machines.** If you run Claude Code on a workstation that’s also logged into a corporate Gmail, Docs environment, or Salesforce account, that’s an elevated-risk configuration until a patch ships. A browser without the extension can’t be the confused deputy.

Watch Anthropic’s changelog for v1.0.81 or later. The fix is known and minimal — when it ships, the upgrade is worth doing immediately. Until then, the extension’s trust surface is wider than most users realize.

## The Larger Point

AI browser agents are expanding their footprint quickly. Claude Code’s browser integration, designed to let developers run build-test-fix loops without leaving their IDE, is genuinely useful. But the more authority an agent accumulates — screen read, click execution, account access — the more critical it becomes to get trust boundaries right at the design level. The confused-deputy problem has been a known vulnerability class for decades. The browser has provided `event.isTrusted`

specifically to prevent synthetic-click abuse. Shipping without checking it — and then taking two months to apply the one-line fix after researchers report it — is the kind of gap that erodes trust in AI tooling faster than any benchmark can rebuild it.
