top of page

ClaudeBleed: Hackers Exploit Chrome Extension Vulnerability to Hijack Claude and Steal Data

  • May 8
  • 3 min read

Key Findings


  • LayerX researchers discovered ClaudeBleed, a critical vulnerability in Claude's Chrome extension that allows any other browser extension to take full control of the AI assistant

  • The flaw stems from improper message source verification, allowing malicious scripts to issue commands to Claude without user knowledge or consent

  • Attackers can extract files from Google Drive, read private emails, send messages on behalf of users, and access GitHub repositories

  • Anthropic's May 6 patch introduced permission prompts but researchers found attackers can still bypass them by forcing the extension into "privileged mode" without user notification

  • The vulnerability represents a fundamental break in Chrome's extension security model and demonstrates how AI agents can be manipulated through visual interface deception


Background


As AI agents become more integrated into business and government operations, researchers continue uncovering serious flaws that allow attackers to hijack these systems. Anthropic released Claude Opus 4.6 in February 2026, and the Chrome extension was designed to give users convenient access to the AI assistant. However, the extension was built with a critical architectural flaw that would later prove catastrophic.


The Root Cause


The Claude Chrome extension uses a setting called externally_connectable that allows any script running on claude.ai to communicate with the extension. The extension inherently trusts the website and performs no verification of which script is actually sending commands. This creates what researchers call a "confused deputy" scenario, where the extension executes malicious instructions believing they come from a trusted source.


LayerX senior researcher Aviad Gispan explained that any extension can invoke a content script without special permissions and send commands directly to Claude's LLM. This effectively breaks Chrome's security model by creating a privilege escalation primitive across extensions, something the browser is specifically designed to prevent.


Exploitation Techniques


The LayerX team demonstrated multiple attack methods beyond simple command injection. They manipulated Claude's user interface by removing labels from sensitive buttons and renaming functions to trick the extension into performing unintended actions. When they renamed a Share button as Request Feedback, Claude clicked it without hesitation.


They also employed approval looping, a technique where attackers programmed scripts to repeatedly say "yes" until Claude accepted harmful commands. Since Claude relies on text, UI semantics, and screenshot interpretation to make decisions, attackers could control all these inputs. The researchers proved they could force Claude to steal files from Google Drive and share them with external email addresses, summarize private Gmail conversations, and exfiltrate source code from GitHub repositories.


The most concerning aspect is that attackers can prompt Claude to cover its tracks afterward, deleting emails and other evidence of compromise. This leaves defenders with minimal visible activity to detect.


The Incomplete Patch


After LayerX reported the vulnerability on April 27, Anthropic released a patch on May 6 that added permission pop-ups for sensitive actions. However, the LayerX team quickly found the workaround. By forcing the extension into "privileged mode," also called Act without asking mode, they could bypass the permission screens entirely. This mode could be activated without notifying the user or requesting consent.


The underlying problem of origin-based trust remains unsolved. Attackers can still abuse the side panel initialization flow to exploit the extension despite the update.


Industry Implications


Security researcher Ax Sharma from Manifold Security noted that this attack demonstrates why monitoring AI agents at the prompt layer alone is insufficient. The most sophisticated element is not the injection itself, but the manipulation of the agent's perceived environment to make malicious actions appear legitimate from the inside.


Gispan highlighted a troubling industry trend where vendors prioritize speed and powerful capabilities over basic security foundations. As AI agents become standard tools for accessing the internet and performing complex tasks, these structural flaws represent what he called a ticking time bomb for cybersecurity. The vulnerability serves as a stark reminder that in the race to deploy advanced AI capabilities, fundamental security principles are being overlooked.


Sources


  • https://hackread.com/claudebleed-vulnerability-hackers-claude-chrome-extension/

  • https://cyberscoop.com/claude-chrome-extension-allows-plugins-to-hijack-ai/

Recent Posts

See All

Comments


  • Youtube

© 2025 by Explain IT Again. Powered and secured by Wix

bottom of page