// NEXUSVOID CYBER NEWS
<- ALL CYBER NEWS
High
AI security, Claude for Chrome, browser extensions, ClaudeBleed, prompt injection, Anthropic
Unpatched Claude for Chrome Flaw Lets Any Extension Read Your Gmail and Calendar
Researchers say a still-open flaw in Claude for Chrome (v1.0.80) lets any other browser extension that can run a script on claude.ai drive the AI agent into reading a victim's Gmail, Google Docs, and Calendar — no malware or CVE required.
What happened. Researchers at Manifold Security disclosed that Claude for Chrome — Anthropic's browser AI agent — can be hijacked by any other browser extension capable of running a script on claude.ai. That rogue extension can trigger Claude's tasks against a victim's Gmail, their latest Google Doc and its comments, and their Calendar. It's a follow-on to the earlier "ClaudeBleed" flaw: Anthropic narrowed the arbitrary-prompt path in May by boxing external callers into a fixed task set, but researchers say the gap remains open in v1.0.80, the current release, eight versions later. Reported CVSS is 7.7.
Who's affected. Anyone running Claude for Chrome alongside any other extension that can touch claude.ai. There's no separate CVE and no malware payload needed — the attack rides one browser extension abusing another's privileges. In the default "ask before acting" mode the user still sees a prompt, but the forged task originates without their intent.
What to do now. Treat browser extensions as privileged code: audit what you have installed, remove anything you don't actively use, and be cautious about extensions with broad site-access permissions while running an AI browser agent. Keep Claude for Chrome in its most restrictive confirmation mode and watch for an Anthropic update that closes the residual path.
Our read. AI browser agents are a brand-new attack surface, and this flaw shows why scanning for known CVEs won't cover it — there's no CVE here, no exploit binary, just one extension steering an agent that already holds your credentials. That's an adversary-simulation problem, not a vulnerability-scan problem: the only way to surface it is to model how an attacker chains legitimate capabilities together. And the reappearance of a ClaudeBleed-class gap eight releases after the first fix is the tell — agent attack surfaces don't stay patched, so they have to be tested continuously.
Reporting by The Hacker News and SecurityWeek; research attributed to Manifold Security. Sources linked above.