Anthropic Claude’s Chrome browser extension, known as Claude in Chrome, has a bug that can allow other malicious extensions to hijack it, compromising trusted AI workflows.
Researchers at LayerX Security have warned that Claude’s overly trusted browser communication flows can be abused to inject scripts that can potentially hijack the assistant’s capabilities and manipulate browsing sessions.
LayerX is calling the flaw “ClaudeBleed.”
“LayerX reported the flaw to Anthropic,” LayerX researcher Aviad Gispan said in a blog post. “Anthropic replied that they were already aware of the issue and that it would be fixed in the next version of the extension.” However, Gispan added, Anthropic’s fix was partial, and the flaw can still be exploited.
The post demonstrated different ways the flaw can still be exploited, including sending a file from a Google Drive folder to an outsider, sending an email on behalf of a remote attacker, stealing code from a private repository on GitHub, and summarizing emails and sending them to an external user.
“ClaudeBleed is a useful demonstration of why monitoring AI agents at the prompt layer is fundamentally insufficient,” said Ax Sharma, head of research at Manifold Security. “The most sophisticated part of this attack isn’t the injection, but that the agent’s perceived environment was manipulated to produce actions that looked legitimate from the inside. That’s the class of threat the industry needs to be building defenses for.”
Maliciously injected instructions can lead to attacks
Gispan said the issue is an instruction in the extension’s code that allows arbitrary scripts running in the origin browser to communicate with Claude’s LLM. But there is nothing in the code that checks who is running the script.
This potentially allows any extension, without requiring any special permissions, to invoke a malicious script that can issue commands to the Claude extension.
“The extension exposes a privileged message interface to the main claude.ai LLM via externally_connectable, which is a manifest setting that defines which external websites or extensions are allowed to communicate with your extension,” Gispan explained. “It trusts the origin (claude.ai) rather than the actual execution context.”
As a result, even a “minimal” extension can execute arbitrary prompts, breach Claude’s LLM guardrails, bypass user confirmation flows, manipulate Claude’s perception of the UI, and perform sensitive cross-site actions (Gmail, Google Drive, GitHub).
“This vulnerability effectively breaks Chrome’s extension security model by allowing a zero-permission extension to inherit the capabilities of a trusted AI assistant,” Gispan pointed out.
Anthropic fixed the issue, but
Anthropic released an updated extension version (version 1.0.70) on May 6 with a patch and a catch.
In its update, Gispan explained, Anthropic added a layer of internal security checks to prevent extensions from executing remote commands, but the checks only applied to “standard” mode. By switching the extension to “privileged” mode, which does not require explicit user permission or notification, the exposure could be brought back, and commands can be executed just as before.
Anthropic had reportedly promised an update that would remove the responsible message handler. “A fix that removes the affected message handler has been merged and will ship in an upcoming extension release,” Gispan said, citing a communication from the company.
But the fix fell short on the promise. “Contrary to their initial response, the externally_connectable message handler was not removed, but Anthropic did introduce additional approval flows for privileged actions,” he added.
Anthropic did not immediately respond to CSO’s request for comments.
LayerX recommended several mitigation measures, including introducing extension-to-page authentication tokens such as signed requests, restricting “externally_connectable” permissions to trusted extension IDs instead of origins, and binding user approvals to specific actions and one-time tokens.