www.securityweek.com 5/8/2026, 7:01:00 AM · via preferred

Attackers Exploit Claude Extension Bug to Steal Data via AI Agent

Primary Source layerxsecurity.com

A vulnerability in the Claude extension for Chrome could allow attackers to take over the AI agent and abuse it for information theft, SecurityWeek reports. The flaw, dubbed ClaudeBleed, combines lax permissions that let any Chrome extension run commands in Claude in Chrome with a trust model that relies on the origin rather than the execution context. According to LayerX, the main issue is that Claude’s extension allows interaction with any script in the origin browser without verifying its owner.

As a result, an attacker could create an extension that sends privileged commands to Claude. Because Claude trusts the origin claude[.]ai, this enables remote prompt injection and control of the AI agent’s actions. The attack chain could weaponise Claude to exfiltrate data from Gmail, GitHub, or Google Drive, or to send emails and delete data on behalf of the user. The patch is reportedly partial and does not address the root cause, leaving room for privilege mode switches that bypass protections.
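
An added example (not from the article, LayerX, or Anthropic): a defender-side audit that flags extensions whose manifest lets them run script in the claude.ai origin, the position the article says Claude's extension trusts. The manifests are constructed samples, and it is an assumption here that script reaches the origin through content scripts or host permissions.

```javascript
// Added example: audit extension manifests for script access to the claude.ai origin.
const TARGET = new URL("https://claude.ai/"); // origin named in the article

// True if a Chrome match pattern covers TARGET's scheme and host.
// The path part is ignored on purpose, so the audit errs toward flagging.
function patternCoversTarget(pattern) {
  if (pattern === "<all_urls>") return true;
  const m = /^(\*|https?|file|ftp):\/\/([^/]*)(\/.*)$/.exec(pattern);
  if (!m) return false; // API permissions such as "tabs" are not match patterns
  const [, scheme, host] = m;
  if (scheme !== "*" && scheme !== TARGET.protocol.slice(0, -1)) return false;
  if (host === "*") return true;
  if (host.startsWith("*.")) {
    const base = host.slice(2); // "*.claude.ai" covers claude.ai and its subdomains
    return TARGET.hostname === base || TARGET.hostname.endsWith("." + base);
  }
  return host === TARGET.hostname;
}

// Collect every manifest entry that grants script access to the target origin.
function scriptAccessReasons(manifest) {
  const reasons = [];
  for (const cs of manifest.content_scripts || [])
    for (const p of cs.matches || [])
      if (patternCoversTarget(p)) reasons.push(`content_scripts: ${p}`);
  // Manifest V3 uses host_permissions; Manifest V2 mixes host patterns into permissions.
  for (const key of ["host_permissions", "optional_host_permissions", "permissions"])
    for (const p of manifest[key] || [])
      if (typeof p === "string" && patternCoversTarget(p)) reasons.push(`${key}: ${p}`);
  return reasons;
}

// Return only the extensions that can reach the target origin, with the reasons.
function audit(manifests) {
  return manifests
    .map((m) => ({ name: m.name, reasons: scriptAccessReasons(m) }))
    .filter((r) => r.reasons.length > 0);
}

// Constructed sample manifests (not real extensions).
const SAMPLE_MANIFESTS = [
  { name: "Constructed: tab colorizer", manifest_version: 3,
    content_scripts: [{ matches: ["<all_urls>"], js: ["c.js"] }] },
  { name: "Constructed: notes helper", manifest_version: 3,
    permissions: ["storage"], host_permissions: ["https://*.example.com/*"] },
  { name: "Constructed: legacy clipper", manifest_version: 2,
    permissions: ["tabs", "*://*.claude.ai/*"] },
];

for (const r of audit(SAMPLE_MANIFESTS)) console.log(`${r.name}: ${r.reasons.join("; ")}`);
```

In practice the manifests would be read from each installed extension's `manifest.json` in the browser profile or from an enterprise extension inventory.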


Article by CyberSIXT