Security researchers at LayerX disclosed a vulnerability in Anthropic's "Claude in Chrome" browser extension that lets any other installed Chrome extension — even one with no declared permissions — hijack the Claude AI assistant and use its authenticated session to read, forward, and delete the victim's Gmail messages, as well as access Google Drive and GitHub data. The root cause is a trust boundary flaw in the extension's externally_connectable handler, which validates only the origin (claude.ai) and not the script's execution context, allowing injected scripts to issue privileged commands. Researchers bypassed Claude's user-confirmation guardrails via approval looping and DOM-based perception manipulation, requiring no user interaction. LayerX reported the issue to Anthropic on April 27, 2026; Anthropic shipped version 1.0.70 on May 6, 2026 adding explicit approval flows, but researchers say the patch is incomplete and the flaw remains exploitable when the extension runs in privileged "Act without asking" mode or via the side-panel initialization flow. Gmail users who have installed the Claude in Chrome extension should update to the latest version, avoid privileged/auto-act mode, and audit other installed Chrome extensions.
// Alert
Gmail threat report
// GmailHIGH
// Get alerts for Gmail