New bugs in Claude for Chrome allow extensions to abuse AI privileges

Summary

Researchers have discovered two vulnerabilities in the Claude for Chrome extension that allow malicious browser extensions to trigger privileged actions, such as reading Gmail messages and Google Docs content. These flaws remain exploitable months after being reported, with the affected code appearing unchanged in recent versions.

IFF Assessment

FOE

The vulnerabilities allow malicious extensions to abuse AI privileges, posing a risk to user data and privacy, which is detrimental to defenders.

Severity

7.5 High (AI Estimated)

The CVSS score is estimated based on the potential for unauthorized access to sensitive user data (Gmail, Docs, Calendar) through an attack vector involving malicious extensions that can inject scripts and trigger privileged actions, impacting confidentiality and integrity.

Defender Context

This incident highlights the risks associated with AI integrations in browser extensions and the importance of robust security validation for AI-powered tools. Defenders should be aware of the potential for AI models to be manipulated by malicious extensions and monitor for similar vulnerabilities in other AI integrations.

Read Full Story →