What Happened
Anthropic's Claude for Chrome extension has two vulnerabilities that allow malicious browser extensions to hijack the AI's capabilities to read and exfiltrate user data. Security researchers at Manifold Security reported these issues in May. Eight releases later, they're still exploitable.
The attack works because Claude for Chrome doesn't verify that user clicks are genuine. A malicious extension can inject synthetic click events using six lines of JavaScript, tricking Claude into processing unauthorized commands. Once activated, the compromised extension gains the same document access Claude has, your emails, spreadsheets, internal wikis, whatever's on screen.
The second vulnerability stems from URL-based privilege checks. Claude determines what it can access by examining the current page's URL. A malicious extension can manipulate these checks, expanding its access beyond intended boundaries.
Timeline
May 2024: Manifold Security discovers and reports both vulnerabilities to Anthropic through responsible disclosure.
May-December 2024: Anthropic releases eight updates to Claude for Chrome. Neither vulnerability is addressed.
December 2024: Manifold publishes their findings after waiting months for a fix.
Current status: Both vulnerabilities remain exploitable in the latest version of Claude for Chrome.
Which Controls Failed
User Interaction Validation
The extension processes click events without checking the isTrusted property. This property distinguishes genuine user actions from synthetic events generated by scripts. Every browser exposes this flag, it's a one-line check.
The fix is: if (!n.isTrusted) return;
Without this validation, any extension with page access can simulate user consent. Your click becomes my click. Your authorization becomes my backdoor.
Privilege Isolation
The extension grants AI capabilities based on URL context rather than maintaining strict privilege boundaries between extensions. When you install Claude for Chrome, it gets broad permissions to interact with web pages. Those same permissions become available to any extension that can trigger Claude's functionality.
This violates the principle of least privilege at the architectural level. Claude should operate in an isolated context, not inherit the ambient authority of whatever extension happens to invoke it.
Vulnerability Management Process
Eight releases without addressing reported security issues suggest a broken triage process. Either the reports weren't reaching the right people, the severity wasn't properly assessed, or fixing security issues isn't prioritized in the release cycle.
What Standards Require
OWASP ASVS v4.0.3 - Requirement 1.4.2
"Verify that all user and data attributes and policy information used by access controls cannot be manipulated by end users unless specifically authorized."
URL-based privilege checks fail this requirement. URLs are user-controllable. Any security decision based on a user-controlled input needs additional validation. The extension trusts the URL without verifying the actual context or user intent.
OWASP ASVS v4.0.3 - Requirement 4.2.1
"Verify that sensitive data and APIs are protected against Insecure Direct Object References (IDOR) targeting creation, reading, updating and deletion of records."
The synthetic click exploit is effectively an IDOR attack against the extension's command interface. The API (click handler) doesn't verify that the reference (click event) came from an authorized source (actual user interaction).
NIST 800-53 Rev 5 - Control IA-2(8)
"The information system implements replay-resistant authentication mechanisms."
Synthetic clicks are replay attacks. The extension accepts the same event structure whether it originates from a genuine user action or a scripted replay. The isTrusted flag exists to prevent exactly this scenario.
ISO/IEC 27001:2022 - Control 8.25
"Secure development life cycle: Rules for the secure development of software and systems shall be established and applied."
The persistence of these vulnerabilities across eight releases indicates a gap in secure development practices. Security issues reported during development (or in this case, post-release) should have defined SLAs for triage, assessment, and remediation.
Lessons and Action Items
For Browser Extension Development
Validate event trust before processing user actions. Check
event.isTrustedon every click, keypress, or form submission that triggers sensitive operations. This isn't optional, it's a basic input validation control.Don't use URLs as security boundaries. URLs are user input. If your privilege model depends on URL matching, you're building on sand. Use explicit permission grants tied to extension identity, not page context.
Isolate AI capabilities from general extension APIs. When you embed AI functionality, create a separate privilege domain. Don't let one extension's permissions become another extension's attack surface.
For Vulnerability Management
Define SLAs for security reports. You need published timelines: 24 hours for triage, 72 hours for severity assessment, 30 days for critical fixes. Eight months isn't a process, it's negligence.
Track security issues separately from feature requests. If your bug tracker treats a privilege escalation vulnerability the same as a UI polish request, you'll ship eight releases with an open exploit.
Test for the vulnerability class, not just the specific exploit. The synthetic click issue is one instance of missing input validation. Your test suite should verify
isTrustedchecks on every event handler, not just the one a researcher reported.
For Security Reviews
Audit third-party extensions before deployment. If your organization uses AI-powered browser extensions, audit their permission models. What can they access? What prevents malicious extensions from abusing those capabilities?
Review extension interaction patterns. Map how your installed extensions communicate. Can extension A trigger actions in extension B? What privilege boundaries exist between them?
Monitor for synthetic events in production. Log and alert on untrusted events reaching sensitive handlers. This won't prevent the vulnerability, but it'll tell you when someone's exploiting it.
The Claude for Chrome case isn't unique. It's representative of how quickly we're shipping AI integrations without applying basic security controls. A six-line exploit. A one-line fix. Eight months of exposure. That's not a sophisticated attack, it's a fundamental failure to validate input at the trust boundary.
Your AI assistant can read everything you can read. Make sure it's actually you asking it to do so.



