Unpatched Claude for Chrome Flaw Lets Extensions Read Gmail, Calendar

Summary

A vulnerability linked to ClaudeBleed has reportedly persisted across eight patches for the Claude for Chrome extension. This flaw allows other installed extensions to potentially access sensitive user data, including Gmail and calendar information.

IFF Assessment

FOE

This vulnerability allows malicious or unauthorized extensions to access sensitive user data, posing a significant risk to user privacy and security.

Severity

7.5 High (AI Estimated)

The vulnerability allows unauthorized extensions to read sensitive data (Confidentiality: High), requires no privileges and no user interaction to exploit, but is limited to the context of the compromised extension (Attack Complexity: Low, User Interaction: None). This leads to a moderate impact on integrity and availability.

Defender Context

This highlights the ongoing risk of extension-based vulnerabilities, even in seemingly trusted applications. Defenders should monitor for similar permission abuse scenarios and educate users on the risks of installing multiple browser extensions, especially those that require broad access to sensitive data.

Read Full Story →