A rogue browser extension can trigger Claude for Chrome’s fixed Gmail, Docs, Calendar and business workflows; the attack is constrained by default approvals but can run silently for users who enabled unattended action.
claude.ai can forge the click that starts one of nine built-in Claude workflows.Chrome marks a script-generated click as untrusted, but the Claude for Chrome handler that launches built-in workflows does not check that signal. Another extension can therefore use Claude’s access to Gmail, Google Docs, Google Calendar and other services without first producing a genuine user click.
This is not a drive-by website attack, nor is it automatically silent. An attacker first needs a rogue extension able to execute code on claude.ai; what happens next depends on whether the user kept Claude’s default approval mode or enabled “Act without asking.” The flaw is consequential because an add-on with access to one site can invoke selected actions through an agent connected to other logged-in services.
The issue survives inside Anthropic’s response to an earlier vulnerability known as ClaudeBleed. That path allowed outside code to supply arbitrary instructions. Manifold says Anthropic then limited external callers to nine task IDs and their corresponding prompts, materially reducing what an attacker could ask Claude to do.
The remaining gap is in the trigger. A content script listens for clicks on an element identified as #claude-onboarding-button, reads its data-task-id, and forwards the matching prompt to Claude’s side panel. According to the researchers’ analysis, the handler does not reject an event when the browser marks its isTrusted property as false.
Another extension with script access to claude.ai can create the expected element, attach an allowed task ID and dispatch a synthetic click. A technical account of the attack stresses two limits: a normal website cannot directly compromise the extension through this route, and the injected request must be one of the nine prompts rather than attacker-written text.
Those fixed prompts still carry material authority. Three are onboarding exercises. Three interact with DoorDash, Salesforce and Zillow. The remaining three can:
The Salesforce workflow can modify leads and convert them to opportunities, according to the research. The vulnerability is therefore not simply about reading Google data. It lets an extension invoke a limited but consequential set of actions through an agent connected to services that the extension need not access directly.
Claude’s default “Ask before acting” setting leaves a confirmation dialog between the forged request and a sensitive action. A user can still stop the workflow. In “Act without asking,” that dialog disappears and the selected task can execute without another visible approval.
Manifold rated the synthetic-click issue CVSS 7.7, or high severity, in default mode and 9.6, or critical severity, when unattended action had previously been enabled. A review of the findings likewise notes that the default confirmation prompt materially limits the attack, while autonomous mode removes the visible warning.
That split changes the immediate risk. The research does not show that every Claude for Chrome installation can be silently drained of data. It shows that the same forged input reaches different outcomes depending on whether the user retained the approval checkpoint.
The researchers reproduced the behavior with Opus, Sonnet and Fable selected in the side panel. They attribute the failure to extension code, not to the language model. That distinction also makes the proposed repair unusually direct: reject synthetic clicks at the handler with an isTrusted check while leaving genuine user clicks intact.
Manifold separately found that Claude’s side panel enters a privileged state when its own URL contains ?skipPermissions=true. The parameter initializes skip_all_permission_checks without a user gesture or consent gate. A “HIGH RISK” banner appears after the session has entered that state, making it a warning rather than a control that blocks the transition.
This second issue is not currently reachable by an outside attacker on its own. The intended caller is the extension’s scheduled-task flow, and constructing the relevant side-panel URL still requires same-extension privilege. The report on the privilege mode describes it as a latent risk: another vulnerability would first have to let a lower-privileged context influence that parameter.
| Finding | What works now | What limits it |
|---|---|---|
| Synthetic click | A rogue extension on claude.ai can launch one of nine fixed workflows | No arbitrary prompt; default mode still asks for approval |
| URL-set privilege mode | The side panel can initialize without per-action checks | No direct external path to construct that URL has been identified |
Combining the two as though they already form a universal silent exploit would overstate the evidence. The synthetic-click path is working now; the URL parameter shows how a future URL-construction bug could turn a separate foothold into silent execution. Manifold recommends booting the panel in approval mode unconditionally, then allowing scheduled tasks to request a privilege change through an authenticated internal message.
Manifold says it reported both findings to Anthropic on May 21, 2026, while testing version 1.0.72. According to its disclosure chronology, Anthropic acknowledged them the next day. Manifold says Anthropic closed the synthetic-click submission because a broader internal report was already tracking the trust-boundary issue, and classified the URL-parameter finding as informational because the URL was constructed internally for tasks users had already authorized to run unattended.
Anthropic released versions 1.0.73 through 1.0.80 afterward. Manifold said it retested on July 7, when version 1.0.80 was released, and found the cited content-script and side-panel handlers byte-identical to the earlier build. The broader internal issue had been marked resolved before June 9, according to the disclosure chronology, although the researcher could not determine whether that status meant Anthropic considered the residual behavior acceptable or planned a later change.
That finding is no longer supported only by the disclosing vendor. An independent inspection says it unpacked version 1.0.80 and reviewed all 90 JavaScript bundles. It found that the onboarding handler still lacked an event.isTrusted guard and that the side panel still read skipPermissions from its URL.
Anthropic had not publicly commented on these specific findings in the archived reports. An enterprise-focused assessment says the company did not immediately respond to a request for comment and recommends that organizations disable unattended mode, review extensions able to read or change claude.ai, and limit which accounts a browser agent can reach.
The recurrence is the more important history. A separate chronology notes that version 1.0.41 fixed a different flaw earlier in 2026 that had allowed websites to inject commands without a click. ClaudeBleed then exposed a cross-extension caller-authentication problem. The nine-prompt allowlist reduced the range of possible instructions, but the current code still does not bind an allowed instruction to a genuine human action.
Until code changes, the immediate defense is to keep “Act without asking” disabled and remove or restrict extensions that can inject scripts into claude.ai. The default approval dialog reduces the chance of silent action, but users must still recognize and reject a workflow they did not initiate.
Manifold’s proposed fixes address two different boundaries: reject synthetic events at the task handler, and stop using a URL parameter to initialize no-approval mode. Evidence that those changes have shipped—and independent confirmation that the six-line reproduction no longer works—would resolve the central question left by version 1.0.80. Until then, the fixed task list limits the attacker’s choice of action, but it does not prove that a human chose to start it.
Get concise AI news and useful context from the Magica team.
Read the newsletterOpenAI has put conversations and Projects back in its redesigned ChatGPT desktop app and enabled cloud Work threads to move across devices, correcting the launch's biggest usability failures without merging local Work or Codex histories.
Meta reportedly plans to put departing AWS compute executive Dave Brown to work on its data-center buildout, adding hyperscale operating experience while leaving any customer-facing cloud business conditional and undefined.
China has paired a five-year AI training offer for developing countries with cooperation centers, a weather-warning rollout and a new 29-country organization. The package gives Beijing a platform for influence, but no budget, selection rules or delivery timetable has been published.
RoboTTT extends a robot policy’s visuomotor context to 8,000 timesteps and raises its average rubric score from 42% to 79%, but the evidence comes from three author-run assembly tasks and the longest task was completed in only two of ten trials.
Zhipu reportedly reached $1 billion in annual recurring revenue in July, roughly four times a March estimate, but the unconfirmed run rate is not annual sales and still sits far ahead of recognized cloud revenue while margins remain thin.
Nebius has arranged its first senior secured facility against an operating GPU deployment and one customer’s cash flows. The deal adds project-level debt to its expansion toolkit, but an unnamed customer and a larger rival financing limit what it proves about the rest of Nebius’s backlog.
Cursor says automatically running a repository-root git.exe on Windows does not meet its criteria for patching, while the researcher calls it an untrusted-search-path defect and separate research shows the same weakness across several competing AI coding tools.
Huawei publicly displayed a 16-cabinet Atlas 950 configuration rated at 1 EFLOPS in FP8, providing tangible evidence of its system-scale AI strategy while leaving price, power use and sustained workload performance undisclosed ahead of the full system's planned fourth-quarter release.
CIA Director John Ratcliffe said US intelligence is consistent with an estimate that Russian recruits last 20 to 30 minutes on Ukraine’s battlefield, but the public trail leads to an unsourced claim about assault troops and does not establish a representative average.
UK testing places leading open-weight models four to seven months behind selected closed-model cyber results, yet longer attack chains, U.S. benchmarks and mixed cost comparisons show why that interval is a warning signal rather than a universal capability clock.
TSMC reached the top of its second-quarter revenue guidance and raised its 2026 outlook, but a one-off investment gain boosted profit growth while the company committed more capital to 2-nanometer production, advanced packaging and an undated Arizona expansion.
Moonshot AI's Kimi K3 added to a global technology selloff with near-frontier performance, but unreleased weights, mixed cost comparisons and a recommended 64-accelerator deployment leave its effect on chip demand unresolved.
Moonshot AI has made Kimi K3 available through its apps and API, pairing a 2.8-trillion-parameter architecture with early frontier-level results, but the model's open-weight claim cannot be tested until its weights and technical report arrive.
Two binding EU decisions require Google to give rival AI services comparable access to 11 Android features and offer eligible search competitors a restricted, anonymized dataset, but phased deadlines, certification, pricing and privacy safeguards leave the competitive effect unproven.
Databricks has signed a term sheet for a Coatue-led financing at a $188 billion valuation, while unidentified sources put the round at $3 billion. The proposed capital would deepen its push into AI governance, data agents and operational databases, but the transaction remains open and the company supplied no new operating figures.
Netflix says generative AI workflows were used on roughly 300 titles in 2026, but its only quantified example tied to that disclosure covers 17 minutes and does not establish how much finished material, spending or labor changed across the slate.
Gemini 3.5 Pro missed its expected June rollout. An anonymous-source account says a late-June data change fell short of Google's coding goals, but Google has confirmed only partner testing—not the reported cause, a new date, or public results and pricing.
Google is bringing Gemini Omni editing and a reusable face-and-voice avatar to Vids, but the sharper distinction is account-level identity across Vids and Gemini rather than a new category of AI video; Vids already offered Veo generation and customizable avatars, while specialist rivals already sell digital presenters.
Intel plans to adopt Gemini Enterprise across engineering, supply-chain and corporate work while extending chip-simulation capacity into Google Cloud, but the companies supplied no rollout schedule, contract value or performance baseline.
The Navy has approved an immediate department-wide framework for turning data into operational effects, but the public rollout leaves budgets, owners, deadlines, performance measures and assurance rules to a promised implementation roadmap.