Technical description
LayerX Security disclosed a vulnerability (dubbed ClaudeBleed) in Anthropic's Claude in Chrome extension that allows any other Chrome extension, even one without special permissions, to hijack the AI agent and issue arbitrary commands. The flaw stems from an overly permissive message-passing configuration that trusts the origin (claude.ai) rather than the execution context, allowing malicious extensions to inject prompts, bypass guardrails, and perform cross-site actions across Google Drive, Gmail, and GitHub.
Attack vector
An attacker distributes a minimal Chrome extension with a declared content script configured to run in the MAIN world. When the victim visits claude.ai, the malicious extension can send messages to Claude's extension, and these are trusted because they originate from the claude.ai domain. The attacker can then execute arbitrary prompts, manipulate Claude's perception of the UI (e.g., hiding sensitive labels), and trigger unauthorized actions such as exfiltrating files from Google Drive or sending emails on behalf of the user.
Affected systems
Claude in Chrome extension versions prior to 1.0.70. Anthropic issued a partial fix in version 1.0.70 on May 6, but LayerX researchers demonstrated the vulnerability can still be exploited by switching the extension to 'privileged' mode without user notification.
Mitigation
Anthropic has been notified and committed to removing the affected message handler in an upcoming release. Users should avoid installing untrusted Chrome extensions and disable the Claude in Chrome extension until a complete fix is released. Organizations using Claude for sensitive workflows should audit browser extension policies and consider sandboxing AI agent sessions.
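For the extension-policy audit recommended above, the following added example (not code from LayerX or Anthropic) flags extensions whose manifest statically declares a content script for the MAIN world on a given host. The manifests, extension names and the auditManifest/auditAll helpers are constructed for illustration; only the manifest keys content_scripts, matches, js and world are Chrome's own.

```javascript
// Added example: flag content scripts that an extension manifest declares
// for the MAIN world on a host of interest (here claude.ai).

// Checks the scheme and host parts of a Chrome match pattern; the path is ignored.
function patternCoversHost(pattern, host) {
  if (pattern === "<all_urls>") return true;
  const m = /^(\*|https?|file|ftp):\/\/([^/]*)\//.exec(pattern);
  if (!m) return false; // malformed pattern
  const [, scheme, patHost] = m;
  if (scheme !== "*" && scheme !== "https") return false; // host is served over https
  if (patHost === "*") return true;
  if (patHost.startsWith("*.")) {
    const base = patHost.slice(2);
    return host === base || host.endsWith("." + base);
  }
  return patHost === host;
}

// exclude_matches is not evaluated, so the audit over-reports rather than under-reports.
function auditManifest(manifest, host) {
  const findings = [];
  for (const cs of manifest.content_scripts || []) {
    if (cs.world !== "MAIN") continue; // default world is ISOLATED
    const hits = (cs.matches || []).filter((p) => patternCoversHost(p, host));
    if (hits.length > 0) {
      findings.push({ name: manifest.name, scripts: cs.js || [], matches: hits });
    }
  }
  return findings;
}

function auditAll(manifests, host) {
  return manifests.flatMap((m) => auditManifest(m, host));
}

// Constructed sample manifests (hypothetical extensions, trimmed to relevant keys).
const SAMPLE_MANIFESTS = [
  { name: "sample-notes", manifest_version: 3,
    content_scripts: [{ matches: ["https://example.com/*"], js: ["a.js"], world: "MAIN" }] },
  { name: "sample-theme", manifest_version: 3,
    content_scripts: [{ matches: ["<all_urls>"], js: ["t.js"] }] },
  { name: "sample-helper", manifest_version: 3,
    content_scripts: [{ matches: ["*://*.claude.ai/*"], js: ["h.js"], world: "MAIN" }] },
  { name: "sample-wide", manifest_version: 3,
    content_scripts: [{ matches: ["https://*/*"], js: ["w.js"], world: "MAIN" }] },
];

console.log(JSON.stringify(auditAll(SAMPLE_MANIFESTS, "claude.ai"), null, 2));
```

This covers only scripts declared in the manifest; scripts an extension registers or injects at runtime through the chrome.scripting API do not appear under content_scripts and need a separate review.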