ทันเอไอ

Global AI & tech news, in your language · every story source-checked

🌐Follow
← Back to news
LINE Facebook X
AI Models & ResearchVerified

Vulnerability in Claude for Chrome extension could allow malware to hijack clicks and access Gmail and Google Docs data

Security researchers have discovered a flaw in the official Claude browser extension that could allow malicious extensions to 'spoof' user clicks, tricking the AI into performing unauthorized actions on connected services.

📅 17 Jul 2026, 13:41
Vulnerability in Claude for Chrome extension could allow malware to hijack clicks and access Gmail and Google Docs data

Security firm Manifold Security has disclosed a vulnerability in Anthropic's 'Claude for Chrome' browser extension, which could allow malicious extensions to manipulate Claude AI into accessing a user's private data without their consent.

The flaw, discovered by researcher Ax Sharma, stems from a failure to validate the Event.isTrusted property—a browser standard used to distinguish between genuine user interactions and scripted, programmatic clicks. Consequently, if a malicious extension is installed, it can simulate user clicks to trigger pre-defined Claude functions, such as summarizing Google Docs, drafting emails in Gmail, or managing appointments in Google Calendar.

However, the attack has significant limitations: it does not allow for arbitrary prompt injection. It is restricted to the nine hard-coded commands built into the extension. Furthermore, the attack requires the user to first install a malicious extension capable of sending these forged click commands, meaning it cannot be triggered simply by visiting a compromised website.

Manifold Security rated the vulnerability at 7.7 on the CVSS scale, noting it could climb to a critical 9.6 if users enable 'unattended execution' mode, which allows the AI to perform tasks automatically. At the time of reporting, the vulnerability remains unpatched.

Why it matters
Users of the Claude extension on Chrome face risks to sensitive data in connected services like Gmail or Google Docs if they inadvertently install untrusted third-party browser extensions.
#Claude#AI Security#ช่องโหว่#Cybersecurity