Full Report
Any other browser extension that can run a script on claude.ai can still trigger Claude for Chrome tasks aimed at your Gmail, your latest Google Doc and its comments, and your Calendar. Both this and ClaudeBleed need a rogue extension that can already run a script on claude.ai; the difference is scope. Anthropic restricted the arbitrary-prompt path in May as part of its response to the
Analysis Summary
# Vulnerability: Unauthorized Extension-to-Extension Prompt Injection in Claude for Chrome
## CVE Details
- **CVE ID:** N/A (No specific CVE assigned at the time of this report)
- **CVSS Score:** Estimated 7.1 (High) - *Based on unauthorized access to sensitive personal data.*
- **CWE:** CWE-918 (Server-Side Request Forgery / Internal API misuse) and CWE-1035 (Insufficient Input Validation)
## Affected Systems
- **Products:** Claude.ai Web Interface and "Claude for Chrome" Extension.
- **Versions:** All versions prior to the May 2024 restricted prompt update.
- **Configurations:** Users who have the "Claude for Chrome" extension installed with Google Workspace integrations (Gmail, Google Docs, Calendar) enabled.
## Vulnerability Description
The vulnerability allows a malicious or "rogue" browser extension that has permissions to run scripts on `claude.ai` to hijack the "Claude for Chrome" extension's capabilities. Because the Claude for Chrome extension listens for instructions via the web interface, a separate malicious extension can inject scripts into the Claude DOM to programmatically trigger "tasks." These tasks can command Claude to access and summarize private data from the user’s connected Google services (Gmail, Docs, and Calendar) without the user's explicit interaction.
## Exploitation
- **Status:** PoC confirmed (publicly discussed by researchers); mitigated by vendor.
- **Complexity:** Medium (Requires an attacker to convince a user to install a malicious extension or compromise an existing one with `claude.ai` permissions).
- **Attack Vector:** Local (Browser-based cross-extension interaction).
## Impact
- **Confidentiality:** High (Access to private emails, calendar events, and document contents/comments).
- **Integrity:** Low (Primarily a data exfiltration/read risk, though prompt manipulation can influence output).
- **Availability:** None.
## Remediation
### Patches
- **Anthropic Update (May 2024):** Anthropic restricted the "arbitrary-prompt path" within the Claude interface. This prevents external scripts from easily passing unvalidated commands to the Chrome extension's specialized task runners.
### Workarounds
- **Permission Audit:** Review and remove any browser extensions that have unnecessary "Read and change your data on claude.ai" permissions.
- **Extension Isolation:** Use a separate browser profile for sensitive AI interactions where no third-party extensions are installed.
- **Revoke Workspace Access:** Disconnect Google Workspace integrations in Claude settings if not actively needed.
## Detection
- **Indicators of Compromise:** Unexpected prompts appearing in Claude.ai history related to summarizing Gmail or Docs that the user did not initiate.
- **Detection Methods:** Audit browser extension permissions using `chrome://extensions`. Monitor for unusual network requests originating from `claude.ai` to Google API endpoints if developer tools are active.
## References
- **Vendor Advisories:** Anthropic Security Updates (May 2024)
- **Relevant Links:**
- hxxps[://]claude[.]ai
- hxxps[://]google[.]com/chrome/extensions/
- hxxps[://]krebsonsecurity[.]com (General reference for ClaudeBleed/Extension security)