A Falsified Click Hijacks Claude for Chrome on Gmail and Calendar
Just another browser extension capable of executing a script on claude.ai can hijack Claude for Chrome and make it read the user's Gmail, the latest Google Doc with related comments, and the calendar. The vulnerability was reported by Manifold Security at the end of May and remains open in mid-July: in the current version of the extension, 1.0.80, the mechanism is still present.
At the end of April, the vulnerability dubbed ClaudeBleed demonstrated that the extension trusted the origin claude.ai instead of checking which script was actually communicating with it, allowing control of the assistant from an extension without permissions. The countermeasure from Anthropic in May was to close the door on arbitrary prompts and confine external callers to a fixed list of tasks. This is a real improvement as it prevents the page from being able to "put words in Claude's mouth". The weak point has shifted to what triggers the execution.
The falsified click that nobody checks
A content script of the extension listens on claude.ai for a click on a precise element, #claude-onboarding-button, reads its data-task-id attribute, and if the identifier is one of the nine whitelisted tasks, sends the open_side_panel message to the extension with that task. The panel opens with the corresponding prompt already loaded. What the handler never verifies is event.isTrusted, the flag with which the browser distinguishes a real click from one generated by software.
As a result, any extension whose script can reach the DOM on claude.ai can construct the element, set the task identifier, and simulate the click, which the extension considers as a "genuine" touch. Manifold demonstrated the attack with six lines pasted into the console of claude.ai, with isTrusted: false in the logs confirming that the fake click was accepted.
The nine allowed tasks are partly harmless: three onboarding tests, three that control DoorDash, Salesforce, and Zillow. The last three, usecase-gmail, usecase-gdocs, and usecase-calendar, are exactly the ones that read email, the most recent document with comments, and the calendar. In the default mode, which asks for confirmation before acting, there is an approval window to click between the falsified click and the actual reading: Manifold assigns in this scenario a CVSS score of 7.7, "high". With automation without confirmation active, the same task is executed silently and the score rises to 9.6, "critical".
The second vulnerability and the two months of silence
Beneath the first there lies a second one, currently not remotely reachable but ready to bypass the approval step if exposed in the future. When the sidebar is loaded with the parameter skipPermissions=true in the URL, it starts directly in skip_all_permission_checks mode and begins to act without asking for anything. A red banner warns that Claude can now perform almost all online actions, but it only appears after the privileged session is already in progress: it states what happened, not preventing it from happening. Today that URL can only be constructed by the extension itself, so there is no direct access; however, a future error that allows setting that parameter in a less privileged context would turn the falsified click into a completely silent reading of the account.
Manifold reported both issues on May 21 on version 1.0.72. Anthropic acknowledged them the next day and then closed them: the falsified click because the trust boundary issue was already tracked under the ClaudeBleed report, which the company stated "remains open awaiting a complete fix"; the URL as "informative", claiming that the parameter is only set by the extension, for tasks that the user has already chosen to execute without oversight. Yet the internal report that should have covered the fix is marked as resolved before June 9, and eight versions later, the code has not changed: on July 7, Manifold confirmed that in version 1.0.80 the click handler and panel initialization are identical byte for byte to 1.0.72.
Both problems reproduce regardless of the model loaded in the panel, whether Opus, Sonnet, or Fable: the defect is therefore in the extension and does not concern a specific model.
In the meantime, the only concrete defense is to disable automation without confirmation and to screen extensions with permission to read or modify data on claude.ai. The approval step is back in place, but the path of the falsified click remains open, and as of July 14, no patch exists. Anthropic continues to define the extension as a beta, but open to all paid subscribers of Claude.