Security researchers have identified a vulnerability in Anthropic’s Claude for Chrome browser extension that allows rogue Chrome extensions to trigger Gmail reads without user knowledge. The flaw exploits how the Claude extension handles cross-extension messaging permissions in the Chrome browser.
The vulnerability resides in the extension’s message-passing architecture, where other installed extensions can send crafted requests that Claude processes as legitimate user commands. This enables an attacker-controlled extension to ask Claude to access Gmail content, read drafts, and extract sensitive information without triggering any visible indication to the user.
Anthropic and Google were notified of the issue. The flaw is particularly concerning because Chrome extensions are frequently updated and users rarely audit their installed extension list. A malicious extension with minimal permissions could still exploit the trust relationship established by Claude for Chrome’s broad access to Gmail and other Google services.
CSO Online reports that the issue reflects a growing class of AI agent permission problems, where extensions granted wide access to user data become attractive targets for lateral exploitation by other, less privileged extensions in the same browser environment.
