HackRead

ClaudeBleed Vulnerability Lets Hackers Hijack Claude Chrome Extension to Steal Data


Cybersecurity researchers from LayerX have found a major security flaw in the Claude for Chrome browser extension that could allow hackers to take full control of the AI assistant. They have named this vulnerability ClaudeBleed, and their research shows that even a basic extension with no special permissions can hijack Claude to steal private files and send emails without the user’s knowledge or consent.

The Root Cause of the ClaudeBleed Vulnerability

The root cause is a mistake in how the extension identifies the source of incoming messages, which amounts to a trust boundary violation. As noted by LayerX’s senior researcher Aviad Gispan, the Claude Chrome extension’s manifest used the externally_connectable key to let pages on claude.ai message the extension, so any script running on the claude.ai website could send commands to it.

Because the extension trusted the origin rather than checking who was actually running the script, a malicious extension could inject a content script into claude.ai and use it to feed instructions to the Claude LLM. This turns the extension into “a confused deputy,” the researchers noted: it carries out malicious tasks believing the orders come from a trusted source.

“In its update to the extension, Anthropic left external access open but added another layer of internal security checks to prevent extensions running in ‘standard’ mode from executing remote commands. However, switching the extension to ‘privileged’ mode (without even having to notify the user or ask their permission) bypassed these checks and allowed the same remote commands to execute as before,” researchers explained.
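The two paragraphs above describe an origin check and a mode switch reachable by the same sender. The following is an added illustration, not the Claude for Chrome source or Anthropic's fix: a background script that decides whether to honour a command by classifying who sent it, using the field names of chrome.runtime.MessageSender (id, url, tab). The extension id, the command names (run_task, set_mode, open_panel) and the sender objects are constructed for the example. Whether Chrome reports another extension's content script with that extension's id or as the page itself is not something the code relies on: both shapes pass the origin-only check and both are refused by the hardened one.

```javascript
// Added illustration, not the Claude for Chrome source: classify the sender of an
// extension message before honouring a privileged command. Field names follow
// chrome.runtime.MessageSender; OWN_ID and the command names are hypothetical.
const OWN_ID = "abcdefghijklmnopabcdefghijklmnop"; // hypothetical extension id

// Commands that drive the agent or change its mode must never be reachable from a
// web origin, because every script on that origin can claim it.
const PRIVILEGED = new Set(["run_task", "set_mode"]);

function classifySender(sender, ownId = OWN_ID) {
  const url = sender.url || "";
  if (sender.id === ownId) {
    // Our own extension: a chrome-extension:// URL is one of our pages (side
    // panel, popup); anything else is one of our content scripts, which runs
    // inside a page we do not control.
    return url.startsWith(`chrome-extension://${ownId}/`) ? "own-page" : "own-content-script";
  }
  if (sender.id) return "other-extension"; // cross-extension message
  return "web-page";                        // arrived via externally_connectable
}

// Origin-based trust as the article describes it (an onMessageExternal handler):
// any sender whose URL is on claude.ai is treated as Claude's own UI.
function weakAuthorize(msg, sender) {
  let host = "";
  try { host = new URL(sender.url).hostname; } catch (_) { /* no usable URL */ }
  const allowed = host === "claude.ai" || host.endsWith(".claude.ai");
  return { allowed, reason: allowed ? "origin is claude.ai" : "origin not allowed" };
}

// Hardened: privileged commands only from the extension's own pages. The web
// origin may still ask to open the side panel, but it cannot drive the agent
// or flip it into another mode.
function hardenedAuthorize(msg, sender) {
  const who = classifySender(sender);
  if (!PRIVILEGED.has(msg.type)) {
    return { allowed: who !== "other-extension", reason: `unprivileged command from ${who}` };
  }
  const allowed = who === "own-page";
  return { allowed, reason: allowed ? "own page" : `privileged command refused from ${who}` };
}

// Constructed senders. The first two are indistinguishable to an origin check.
const fromClaudeSite = { url: "https://claude.ai/chat", tab: { id: 7 } };
const fromRogueContentScript = {
  id: "zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz", url: "https://claude.ai/chat", tab: { id: 7 },
};
const fromOwnSidePanel = { id: OWN_ID, url: `chrome-extension://${OWN_ID}/sidepanel.html` };

const setPrivileged = { type: "set_mode", mode: "privileged" };

// Summarise the decisions so a caller (or a test) can compare weak vs hardened.
function demo() {
  return {
    weakSite: weakAuthorize(setPrivileged, fromClaudeSite).allowed,
    weakRogue: weakAuthorize(setPrivileged, fromRogueContentScript).allowed,
    hardSite: hardenedAuthorize(setPrivileged, fromClaudeSite).allowed,
    hardRogue: hardenedAuthorize(setPrivileged, fromRogueContentScript).allowed,
    hardOwn: hardenedAuthorize(setPrivileged, fromOwnSidePanel).allowed,
    hardOpenPanel: hardenedAuthorize({ type: "open_panel" }, fromClaudeSite).allowed,
  };
}

console.log(demo());
```

The point of the hardened variant is that mode switches and task execution are never exposed over the externally_connectable channel at all; they are internal messages whose sender URL is the extension's own chrome-extension:// origin, which no page script or content script can forge.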

How Hackers Bypass Security Guardrails

During the investigation, the LayerX team showed how this could be weaponized. In one example, they created a rogue extension that forced Claude to go into a user’s Google Drive, find a file named Top Secret, and share it with an external email address. They also forced the tool to summarize private messages in a Gmail inbox and delete the evidence afterward. To get past the built-in guardrails of Claude’s LLM they used approval looping, a method in which their script kept answering “Yes” until the AI accepted the command.

Another trick the researchers used was DOM manipulation: they changed the labels of buttons on the page so that the extension was tricked into clicking a Share button relabelled as Request Feedback. By attacking how the extension perceives the page, they could bypass the policy enforcement that normally prevents data exfiltration.
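Both bypasses above attack the agent's interface with the user and the page rather than the model. The following added example, written for this article and not taken from LayerX or Anthropic, shows two checks a practitioner would put in front of a sensitive action. It assumes the confirmation is a button in the extension's own UI and that page controls carry a hypothetical data-action attribute; real Drive or Gmail pages do not expose such an attribute, so the second check stands in for whatever stable element identity the agent actually binds its policy to.

```javascript
// Added illustration (not from the article or from Anthropic): two guardrail
// checks for an agent that must confirm sensitive actions with the user.

// 1. Approval gate. Real user input produces events with isTrusted === true;
//    events created by script (element.click(), dispatchEvent(new Event(...)))
//    have isTrusted === false. A script that "keeps saying Yes" therefore never
//    approves anything, and after a few tries the gate locks and the pending
//    action is dropped instead of being retried.
class ApprovalGate {
  constructor(maxUntrusted = 3) {
    this.maxUntrusted = maxUntrusted;
    this.state = "pending"; // pending | approved | locked
    this.untrustedAttempts = 0;
  }
  // `event` is a DOM click event (or a stand-in); only isTrusted is consulted.
  handleClick(event) {
    if (this.state !== "pending") return this.state;
    if (event.isTrusted !== true) {
      this.untrustedAttempts += 1;
      if (this.untrustedAttempts >= this.maxUntrusted) this.state = "locked";
      return this.state === "locked" ? "locked" : "ignored";
    }
    this.state = "approved";
    return "approved";
  }
}

// 2. Perception check. The policy keys off what the control does, read from an
//    attribute the page sets (hypothetical data-action), and refuses to act when
//    the visible label no longer says the same thing, which is what a relabelled
//    Share button looks like.
const SENSITIVE = new Set(["share", "send", "delete"]);

function makeElement(text, attrs = {}) { // constructed stand-in for a DOM node
  return { textContent: text, getAttribute: (n) => (n in attrs ? attrs[n] : null) };
}

function policyDecision(el) {
  const action = (el.getAttribute("data-action") || "").toLowerCase();
  const label = (el.textContent || "").trim().toLowerCase();
  if (!SENSITIVE.has(action)) return "allow";
  // A sensitive control whose label hides what it does is treated as tampering.
  return label.includes(action) ? "needs-approval" : "deny-label-mismatch";
}

// Constructed scenario mirroring the article: three scripted "Yes" clicks,
// then a Share button relabelled as Request Feedback.
function scenario() {
  const gate = new ApprovalGate();
  return {
    loopedYes: [1, 2, 3].map(() => gate.handleClick({ isTrusted: false })),
    afterLock: gate.handleClick({ isTrusted: true }),
    honest: policyDecision(makeElement("Share", { "data-action": "share" })),
    relabelled: policyDecision(makeElement("Request Feedback", { "data-action": "share" })),
    benign: policyDecision(makeElement("Request Feedback", { "data-action": "feedback" })),
  };
}

console.log(scenario());
```

The gate deliberately locks rather than keeps waiting: an attacker who can synthesise clicks can also keep synthesising them, so the safe outcome is to cancel the action and surface the attempt, not to leave the prompt open until a real click eventually lands.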

An Incomplete Fix Leaves Users Exposed

After being notified by LayerX, Anthropic released a patch on 6 May in version 1.0.70. This update added new pop-up windows asking for user permission before sensitive actions. However, the LayerX team quickly found a way around them: by forcing the extension into privileged mode (the “Act without asking” mode), they could skip the permission screens entirely.

“In the current AI race, vendors are moving too fast and granting powerful capabilities to improve user experience, while neglecting basic security foundations and opening new opportunities for attackers. As AI agents become the norm, these structural flaws are a ticking time bomb,” Gispan noted.

The research, shared with Hackread.com, concludes that the underlying problem of origin-based trust is still there. According to researchers, hackers can still abuse the side panel initialization flow to bypass the patch and exploit the Claude for Chrome extension.




