Light bulb Limited Spots Available: Secure Your Lifetime Subscription on Gumroad!

Jul 18, 2026 · 6 min read

Claude for Chrome Flaw Lets Rogue Extensions Read Your Gmail

A researcher showed that any extension sitting next to Claude for Chrome in your toolbar can fake a click and send it off to read your inbox, no permission dialog required.

A laptop on a desk showing a browser toolbar crowded with small extension icons, one glowing ominously blue among neutral gray ones, representing a hidden rogue browser extension

Six lines of JavaScript, typed into a browser console, are enough to make Anthropic's Claude for Chrome extension open your Gmail and start reading. That is the finding Ax Sharma, head of research at Manifold Security published after months of back and forth with Anthropic, and BleepingComputer and The Hacker News both confirmed it remains reproducible in the extension's current release.

Key Takeaways

  • Ax Sharma of Manifold Security reported the flaw against Claude for Chrome version 1.0.72 on May 21, 2026, and Anthropic acknowledged it the next day.
  • The extension's content script never checks the browser's Event.isTrusted property, so a synthetic click fired by any other extension is treated the same as a real user click.
  • Manifold confirmed on July 14, 2026 that version 1.0.80, released July 7, still contains a content script byte identical to the vulnerable May build.
  • Manifold rated the bug CVSS 7.7 (High) by default, rising to 9.6 (Critical) when a user has enabled Claude's "Act without asking" autonomous mode.
  • The attack is limited to nine predefined tasks, including Gmail, Google Docs, Calendar, and Salesforce actions; it does not allow arbitrary prompt injection.

How Does the Synthetic Click Attack Work?

Claude for Chrome ships with onboarding shortcuts, buttons that walk a new user through what the agent can do once connected to Gmail, Docs, Calendar, and Salesforce. Its content script listens for clicks on any element matching a specific button ID, reads a data-task-id attribute off that element, and forwards the matching prompt to Claude's side panel. Nothing in that chain checks whether the click came from an actual person, so a separate extension with permission to run scripts on claude.ai can build a matching element, set the task ID it wants, and dispatch a synthetic click through standard DOM APIs.

Chrome's own Event.isTrusted documentation sets the flag to true only for events the operating system generated from real mouse or keyboard input, and false for anything created in JavaScript with document.createEvent or the MouseEvent constructor. Checking that flag before acting on a click is a basic defensive pattern for any extension treating a DOM event as informed consent. Claude for Chrome's handler skips the check, so the forged, untrusted event runs exactly like a real one.

Manifold's writeup lists nine task identifiers the handler accepts: three onboarding tutorials (challenge-form, challenge-email, challenge-equipment), three Google service actions (usecase-gmail, usecase-gdocs, usecase-calendar), and three third party integrations (usecase-doordash, usecase-salesforce, usecase-zillow). That allowlist was itself Anthropic's fix for an earlier disclosure, nicknamed ClaudeBleed, in which a compromised extension could push arbitrary text into Claude's execution path rather than being limited to nine fixed prompts. A second, related finding showed the side panel booting into the same unattended mode as "Act without asking" from a skipPermissions URL parameter alone, no click required; Anthropic closed that one as informational, saying the parameter has no path an outside extension can currently reach.

What Can a Rogue Extension Actually Reach?

A malicious extension that fires the usecase-gmail task gets Claude to open Gmail and run whatever workflow that shortcut maps to, described by researchers as email review and unsubscribe handling. The Docs task reads comments and feedback threads, Calendar scans availability and can create meetings, and Salesforce touches lead conversion. None of this requires the malicious extension to have its own Google or Salesforce access; it borrows Claude's already authenticated session.

The blast radius depends on one setting. By default, a synthetic click still triggers an approval prompt before anything sensitive happens, which is why Manifold scored the base case CVSS 7.7. Users who have switched on the "Act without asking" autonomous mode, a convenience feature meant to let Claude complete routine tasks without interruption, remove that last checkpoint, which SecurityWeek's coverage notes is the difference between a High and a Critical rating in Manifold's assessment.

Why Hasn't Anthropic Fixed It Yet?

Anthropic has not ignored the report. The company acknowledged Sharma's submission within a day, and its internal tracker marked the underlying issue "Resolved" on June 9, 2026, a month before Manifold's public writeup. What changed between May and July was the version number, not the code, as CSO Online also reported. Manifold's July 14 comparison found the content script and side panel handler in version 1.0.80 byte identical to the version reported in May, eight releases after the initial disclosure.

Anthropic's position, per Manifold, is that the synthetic click issue is tracked under the broader ClaudeBleed report rather than as a standalone bug, and that report stays open pending a complete fix rather than the allowlist workaround shipped in May. That is a known, monitored risk rather than a silent zero day, but it offers little comfort to a user running the extension today.

Why Email Users Should Care

This bug exists because Gmail is one of the four services Claude for Chrome is built to act on, and it is the one most people connect first. An AI agent with standing access to your inbox is a different risk profile than a browser extension that merely reads a page. It can search, summarize, and act on messages you never opened yourself, and every one of those actions inherits whatever permission boundary the extension enforces, or in this case does not.

The pattern is not unique to Claude. We covered a similar trust failure in Edgecution, a fake Edge extension that used native messaging to install a backdoor, and our writeup on Gemini CLI being turned into a hacking and botnet tool showed how quickly an agent with broad execution rights becomes a force multiplier for whoever controls its inputs. As more people install AI agents that connect to their inbox, the extensions sitting next to them in the toolbar become part of the attack surface.

What Should You Do Right Now?

Until Anthropic ships a real fix rather than a task allowlist, a few concrete steps reduce your exposure:

  • Turn off "Act without asking" if you have it enabled, so a forged click still hits an approval prompt instead of running silently.
  • Audit every extension installed alongside Claude for Chrome and remove anything you do not actively use; the attack only needs another extension able to run scripts on claude.ai.
  • Limit which services Claude is connected to. Disconnect Gmail, Calendar, Docs, or Salesforce integrations you are not relying on; an agent cannot read access it was never granted.
  • Install extensions only from developers you recognize and check requested permissions before adding anything new. We covered how impersonators exploit that trust in our writeup on a fake Perplexity extension that tracked user searches.
  • Watch for a real fix, not just a retriage, before assuming the underlying ClaudeBleed report has actually been resolved.

Looking Ahead

AI browser agents are sold on convenience: connect your inbox once, and let the agent handle the busywork. The Claude for Chrome case, also covered by Malwarebytes, shows what that convenience costs when the extension cannot reliably tell a real click from a fake one. Every browser agent racing to add Gmail, Calendar, and CRM integrations inherits the same question Sharma asked of Claude, whether a click came from the person at the keyboard, and most have not published an answer yet.

Stop Email Tracking in Gmail

Spy pixels track when you open emails, where you are, and what device you use. Gblock blocks them automatically.

Try Gblock Free for 30 Days

No credit card required. Works with Chrome, Edge, Brave, and Arc.