May 8
Researchers Uncover “ClaudeBleed” Flaw Allowing Full Takeover of Claude Chrome Extension
Cybersecurity researchers at LayerX have uncovered a critical vulnerability in the Claude for Chrome browser extension that could allow attackers to fully hijack the AI assistant, steal private files, and send emails without user consent.
The flaw, named ClaudeBleed, stems from a trust boundary failure in how the extension validates incoming messages. According to LayerX researcher Aviad Gispan, the extension’s externally_connectable setting allowed any script running on claude.ai to issue commands to the extension, which then executed them under the assumption they came from a trusted source.
Because the extension failed to verify who was actually issuing commands, hackers could inject malicious content scripts that instructed Claude to perform unauthorized actions. Researchers described this as turning the extension into “a confused deputy,” blindly carrying out harmful tasks. Although Anthropic attempted to tighten security in a recent update, LayerX found that switching the extension into a privileged mode—without alerting the user—bypassed the new safeguards entirely.
LayerX demonstrated how attackers could weaponize the flaw by forcing Claude to access a user’s Google Drive, locate a file labeled Top Secret, and share it externally. They also showed how Claude could be manipulated into summarizing private Gmail messages and deleting the evidence. Using approval looping, the researchers repeatedly fed “Yes” responses to override Claude’s guardrails, while DOM manipulation tricks allowed them to disguise interface elements and fool the extension into clicking harmful buttons.
Anthropic released a patch on May 6 in version 1.0.70, adding permission prompts meant to block unauthorized actions. However, LayerX quickly discovered that forcing the extension into privileged mode allowed attackers to bypass these prompts entirely, leaving users exposed. Gispan warned that rapid AI feature development without foundational security is creating dangerous gaps, calling such vulnerabilities a “ticking time bomb” as AI agents become more deeply integrated into everyday workflows.
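As an added defensive illustration, not code from the Claude for Chrome extension or from LayerX's write-up, the dispatcher below shows the three checks the article describes as missing: the sender's origin is allowlisted, a page message can never switch the extension into privileged mode, and privileged actions need a decision from extension-owned UI rather than from the message stream. The names TRUSTED_ORIGINS, PRIVILEGED, SAFE, dispatch and confirmInExtensionUi, and the action strings, are assumptions for the example.

```javascript
// Assumed allowlist of page origins permitted to message the extension at all.
const TRUSTED_ORIGINS = new Set(["https://claude.ai"]);

// Actions that touch user data. Origin allowlisting narrows who may talk to the
// extension, but any script on an allowlisted page can still send messages, so
// origin alone must never authorize these; a user decision is required.
const PRIVILEGED = new Set(["share_file", "send_email", "delete_email"]);
const SAFE = new Set(["summarize_selection"]);

// Derive the origin from the sender's URL; an unparseable URL yields null.
function senderOrigin(sender) {
  try {
    return new URL(sender && sender.url).origin;
  } catch (e) {
    return null;
  }
}

// confirmInExtensionUi(action) -> boolean is supplied by the extension's own
// popup or side panel. The page cannot call it, and nothing inside the message
// (an "approved: true" field, or a stream of repeated "Yes" messages) can
// substitute for its answer.
function dispatch(msg, sender, confirmInExtensionUi) {
  if (!msg || typeof msg.action !== "string") {
    return { ok: false, reason: "malformed" };
  }
  const origin = senderOrigin(sender);
  if (!origin || !TRUSTED_ORIGINS.has(origin)) {
    return { ok: false, reason: "untrusted_origin" };
  }
  // Privilege state belongs to the extension; a page message may not change it.
  if (msg.action === "set_mode") {
    return { ok: false, reason: "mode_change_from_page" };
  }
  if (SAFE.has(msg.action)) {
    return { ok: true, action: msg.action };
  }
  if (PRIVILEGED.has(msg.action)) {
    const approved = confirmInExtensionUi(msg.action) === true;
    return approved
      ? { ok: true, action: msg.action }
      : { ok: false, reason: "user_declined" };
  }
  return { ok: false, reason: "unknown_action" };
}
```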
Executive IT Forums, Inc.