Claude Chrome Extension Vulnerability: How Attackers Can Steal Your Gmail & Drive Data

Security researchers at LayerX have disclosed a serious vulnerability in Anthropic’s Claude in Chrome browser extension: a second, malicious extension that declares no permissions can turn the trusted AI assistant into a data-stealing proxy, without the victim ever noticing. The flaw requires no complex exploit chain, no elevated permissions and, crucially, no action from the victim.

For IT professionals and enterprise security teams, this is exactly the kind of systemic vulnerability that demands immediate attention. Here is a full breakdown of what was found, how the attack works, and what you should do right now.

Critical Risk: A malicious Chrome extension with zero declared permissions can fully hijack Claude and exfiltrate Gmail messages, Google Drive files, and GitHub source code — silently and automatically.


What Is the Vulnerability?

At its core, this is a trust boundary violation. The Claude Chrome extension uses the externally_connectable manifest key so that the claude.ai web application can message the extension directly through chrome.runtime.sendMessage and chrome.runtime.connect. The problem is that the extension only verifies the origin of an incoming request, that is, whether the sending page is claude.ai, rather than which code on that page actually issued it.

This creates a dangerous gap. Any JavaScript running in the claude.ai page, including a script that another browser extension injects into it, can issue privileged commands directly to Claude. Because the injected script runs inside the trusted origin, the check passes exactly as designed: Chrome’s origin-based isolation does not distinguish the site’s own code from a script a different extension placed there, so the attacker inherits the full capabilities of the AI assistant.

In short: you installed Claude to help you work. A bad actor can use it to work against you.


How the Attack Works

LayerX researchers built a minimal proof-of-concept extension to demonstrate the exploit. Their attack relied on two primary bypass techniques:

1. Approval Looping

Claude normally requires user confirmation before performing sensitive actions. The proof of concept bypassed this by forging consent programmatically, injecting a “Yes, proceed” response into every confirmation prompt as it appeared. No human ever sees or approves anything.

2. Perception Manipulation

Claude decides what a control does from the visible text and DOM structure around it, not from what the control actually does. The researchers dynamically renamed UI elements, for example relabeling a “Share” button as “Request feedback”, so that the agent carried out a restricted action it believed was harmless.

Together, these two techniques let an attacker bypass Claude’s built-in guardrails entirely. The AI becomes what the researchers call a “confused deputy”: a trusted agent that unwittingly performs actions on behalf of an attacker.


What Data Is at Risk?

LayerX demonstrated that a successfully hijacked Claude extension can:

  • Gmail — summarize, forward, and permanently delete the victim’s recent emails
  • Google Drive — share restricted documents with external, attacker-controlled accounts
  • GitHub — extract and exfiltrate private source code repositories

All of this happens silently in the background. There are no popups, no permission prompts, and no visible indicators that anything unusual is taking place.


Anthropic’s Patch — And Why It’s Not Enough

LayerX responsibly disclosed the vulnerability to Anthropic on April 27, 2026. On May 6, 2026, Anthropic released extension version 1.0.70, which introduced explicit approval flows for standard browser actions.

Current patch status:

Component                                  Status
Standard action flows (v1.0.70)            Partially fixed
Privileged mode (“Act without asking”)     Still fully exploitable
Side-panel initialization flow             Still exploitable; can be abused to force a privileged session

The researchers are clear that the patch addresses a symptom (the UI permission layer) rather than the root cause, which is the externally_connectable trust model itself. If a user has the extension running in “Act without asking” (privileged) mode, the vulnerability remains fully exploitable even on the latest version.


What IT Professionals Should Do Now

Until a comprehensive architectural fix is released, here are the immediate steps your team should take:

  1. Disable privileged mode immediately. Ensure the Claude extension is not running in “Act without asking” mode across all managed devices. This is the single highest-priority action.
  2. Audit installed Chrome extensions. Review every extension on corporate browsers. Any extension whose content scripts can run on claude.ai is a potential threat vector, even one whose manifest declares no permissions: a content_scripts match for claude.ai is enough.
  3. Update to version 1.0.70 or later. While the patch is incomplete, it does reduce the attack surface for standard operation modes.
  4. Monitor for anomalous Drive and Gmail activity. Set up alerts for unexpected external sharing events and bulk email actions, particularly from accounts that use the Claude extension.
  5. Restrict Claude extension deployment in high-security environments until a full architectural fix — including cryptographically signed requests and extension ID allowlisting — is confirmed by Anthropic.

Architectural fix recommended by LayerX: Proper remediation requires strict sender validation (not UI-based), cryptographically signed extension-to-page tokens, restricting externally_connectable to specific trusted extension IDs, and non-replayable one-time approval tokens bound to specific actions.


The Bigger Picture: AI Extensions and the Trust Problem

This vulnerability is not simply a bug in one product — it is a warning about the broader security model of AI browser agents. As AI assistants gain deeper access to our most sensitive digital environments (email, cloud storage, code repositories), the attack surface they introduce grows proportionally.

The Claude extension was designed to be helpful and frictionless. But in rushing to reduce confirmation prompts and streamline the user experience, the trust boundary between the AI agent and the browser environment was left dangerously thin. Attackers do not need to break encryption or steal credentials — they simply need to speak to the AI in a language it already trusts.

For enterprise IT teams, the lesson is clear: AI productivity tools need the same rigorous security vetting as any privileged application. Browser-based AI agents that can read and act on your data are, effectively, privileged insiders — and they must be treated as such.


Sources: LayerX Security Research (April–May 2026). Vulnerability reported to Anthropic on April 27, 2026. Patch released May 6, 2026 (v1.0.70). This article is intended for informational purposes for IT security professionals.
