A security flaw has been discovered in the Claude for Chrome browser extension that could allow malicious extensions to execute predefined AI actions by simulating user clicks. This vulnerability was identified by Ax Sharma of Manifold Security and affects users who have installed the extension on their Chrome browser.
The Claude extension is designed to provide users with access to various connected services such as Gmail, Google Docs, Google Calendar, and Salesforce. It does this by allowing users to execute predefined workflows that can perform actions in these services. However, the researchers found that the extension did not properly verify whether a click event originated from a real user or was generated by JavaScript.
According to Manifold Security’s report, the Claude extension listens for click events on a specific page element that launches one of its built-in AI workflows. These workflows are predefined tasks that allow Claude to perform actions in connected services such as Gmail, Google Docs, Google Calendar, and Salesforce. The researchers found that the extension accepted JavaScript-generated click events without verifying whether they originated from a real user.
When a browser generates an event from a real user action, it marks it as trusted by setting the Event.isTrusted property to true. However, if JavaScript is used to generate the event, the browser automatically sets Event.isTrusted to false. The researchers found that the Claude extension did not verify whether a click event originated from a real user by checking the browser’s Event.isTrusted property before executing one of its predefined workflows.
A malicious extension with permission to modify content on the ‘claude.ai’ domain could inject a page element containing one of nine supported task identifiers and generate a synthetic click event. Although the browser correctly marked the event as untrusted, Sharma says the Claude extension treated it as a legitimate user click and executed the requested AI action.
The researchers note that the flaw does not allow arbitrary prompt injection, but instead, the attack is limited to the nine predefined tasks built into the extension. The attack also does not allow a website to compromise the Claude extension directly, but requires an attacker to trick a user into installing a malicious extension that can execute code on claude.ai.
The researchers reported both findings to Anthropic through the company’s bug bounty program. Anthropic acknowledged the reports and closed the synthetic-click report, stating they were already tracking it as a broader issue. The second flaw, involving an internal ‘skipPermissions=true’ parameter, was classified as informational.
Manifold verified that both findings remain reproducible in the latest version, 1.0.80, of the browser extension, released on July 7.
### Conclusion ###
The discovery of this vulnerability highlights the importance of proper security measures when developing and using browser extensions. Users are advised to exercise caution when installing extensions and to regularly review their permissions and settings.
Source: Original article