A vulnerability in the Claude extension for Chrome could allow attackers to hijack the AI agent and abuse it for data theft, cybersecurity firm LayerX reports.
The flaw, dubbed ClaudeBleed, is a combination of lax permissions, where any Chrome extension can run commands in Claude in Chrome, and poorly implemented trust based on the origin of the command rather than its execution context.
According to LayerX, the main issue is that the Claude extension allows interaction with any script running in the browser origin, without verifying its owner.
“As a result, any extension can invoke a content script (which does not require any special permissions) and issue commands to the Claude extension,” the company explains.
Claude in Chrome, it says, trusts the origin of the execution, which is claude.ai, rather than the execution context, thus allowing any JavaScript running in that origin to issue privileged commands.
This allows an attacker to create an extension with a declared content script configured to run in the MAIN world, which guarantees that the script executes as part of the page, and to send a message to the Claude extension, which trusts the sender because it runs in claude.ai.
Because a message handler in Claude in Chrome accepts and forwards arbitrary prompts, the attacker can perform remote prompt injection and control the AI agent’s actions.
While Claude enforces user confirmation for sensitive actions, as well as policies that prevent certain actions, and makes decisions based on certain inputs, LayerX found that the attacker’s script could bypass these protections.
The company was able to forge user approval by repeatedly sending a confirmation message, and relied on Document Object Model (DOM) manipulation to dynamically modify UI elements and alter Claude’s perception of the actions.
It was also able to gain visibility into command execution through repeated triggering of the action and by observing the effects.
“This vulnerability effectively breaks Chrome’s extension security model by allowing a zero-permission extension to inherit the capabilities of a trusted AI assistant,” LayerX says.
This attack chain, the company says, allows an attacker to weaponize Claude to exfiltrate data from Gmail, GitHub, or Google Drive, as well as to send emails, delete files, and share documents on behalf of the user.
When notified of the issue, Anthropic told LayerX it was working on a patch, but the fix only partially addressed the underlying vulnerability, through “internal security checks to prevent extensions running in ‘normal’ mode from executing remote commands”.
Because the root cause of the weakness was not addressed, an attacker can simply switch the extension to ‘privileged’ mode and bypass the fix. The user is never notified or asked to approve the change, LayerX says.
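The trust decision at the heart of the report (origin versus execution context) and why the mode-based patch does not close it, as an added toy model that is not code from Anthropic, LayerX or the Claude extension; the field names, channels and extension id are assumptions:

```javascript
// Added illustration: three message-trust policies modelled as pure functions
// over plain objects so they run offline. Field names are assumptions.
const TRUSTED_ORIGIN = "https://claude.ai";
const OWN_EXTENSION_ID = "own-extension-id-placeholder"; // constructed placeholder

// An inbound command as an extension's message handler would see it.
// channel "window": window.postMessage from page context, which is where a
//   MAIN-world content script of *any* extension runs; no sender id exists.
// channel "runtime": extension runtime messaging, where the browser itself
//   stamps the sender's extension id.
function inbound(channel, origin, senderId, data) {
  return { channel, origin, senderId, data };
}

// Policy 1, the original flaw: trust any command whose origin is claude.ai.
// A MAIN-world script injected by another extension shares that origin.
function originOnlyPolicy(m) {
  return m.origin === TRUSTED_ORIGIN;
}

// Policy 2, the partial fix: additionally refuse commands that declare
// "normal" mode. The mode field travels with the message, so the sender picks it.
function modeGatedPolicy(m) {
  return originOnlyPolicy(m) && m.data.mode !== "normal";
}

// Policy 3, a root-cause fix: never accept privileged commands from page
// context; require a browser-verified sender id equal to our own.
function senderIdentityPolicy(m) {
  return m.channel === "runtime" && m.senderId === OWN_EXTENSION_ID;
}

function decide(m) {
  return {
    originOnly: originOnlyPolicy(m),
    modeGated: modeGatedPolicy(m),
    senderIdentity: senderIdentityPolicy(m),
  };
}

// Constructed sample traffic: the extension's own script, a foreign
// MAIN-world script in "normal" mode, and the same script after switching
// itself to "privileged" mode.
const OWN = inbound("runtime", TRUSTED_ORIGIN, OWN_EXTENSION_ID, { cmd: "run" });
const FOREIGN_NORMAL = inbound("window", TRUSTED_ORIGIN, undefined, { cmd: "run", mode: "normal" });
const FOREIGN_PRIVILEGED = inbound("window", TRUSTED_ORIGIN, undefined, { cmd: "run", mode: "privileged" });

console.table([decide(OWN), decide(FOREIGN_NORMAL), decide(FOREIGN_PRIVILEGED)]);
```

Only the sender-identity policy rejects both foreign messages; the mode gate blocks the first and is bypassed by the second, which is the behaviour LayerX describes for the partial patch.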