PERMISSION/PROTOCOL

2026-05-12

High | Primary

ClaudeBleed: Zero-permission Chrome extensions can fully hijack Claude, forge consent, and exfiltrate data

LayerX researchers found a trust boundary flaw in Claude's Chrome extension allowing any zero-permission extension to hijack Claude, bypass consent, and exfiltrate Gmail, Drive, and GitHub data.

Anthropic / Claude for Chrome | Credential exposure | Browser extension trust boundary violation | Chrome browser / claude.ai / Gmail / Google Drive / GitHub

What happened

Zero-permission Chrome extensions inject a content script into the MAIN world on claude.ai, use Claude's public extension ID to send messages, and trigger arbitrary prompt execution — including sensitive cross-site actions across Gmail, Drive, and GitHub.

Why it matters

Full user session hijack via Claude: exfiltration of Gmail history, Google Drive files, and private GitHub source code; sending emails on behalf of the user; programmatic bypass of Claude's confirmation flows. Affects every Claude for Chrome user with any extensions installed.

Missing authorization check

Before executing any agentic cross-site action — file share, email send, repository read — Claude must verify the initiating context is a genuine user interaction, not an injected command from an untrusted extension running inside the same origin.

Would PP block it?

PP enforces at the action boundary: if Claude's cross-site tool calls were routed through a PP credential gate, exfiltration steps (Drive share, Gmail send) would each require a signed receipt. However, ClaudeBleed bypasses the local UI confirmation layer before any receipt is issued, meaning commands are executed client-side. PP's value here is auditability — the receipt would show the action was attributed to the user but without their genuine authorization, creating an evidence trail that exposes the forgery.

Incident analysis

Timeline and technical read

Timeline

  1. 2026-05-12

    LayerX Security published ClaudeBleed, disclosing the trust boundary flaw in Claude's Chrome extension.

  2. 2026-05-12

    Research revealed Anthropic had received prior disclosure and issued only a partial fix in extension v1.0.70.

  3. 2026-05-12

    Researchers demonstrated full bypass of the patched version by switching the extension to privileged mode — no user notification or permission required.

  4. 2026-05-12

    Proof-of-concept: a zero-permission extension exfiltrates a Google Drive file named 'Top Secret' to an external attacker, running against the patched v1.0.70.

  5. 2026-05-12

    Researchers confirmed programmatic forging of Claude's user consent flows by replaying approval state — consent is state-based, not intent-bound.

Technical breakdown

  • Root cause: externally_connectable manifest misconfiguration trusts the claude.ai origin but cannot distinguish legitimate page scripts from injected extension content running in MAIN world.
  • Any extension can create a content script executing in MAIN world on claude.ai and communicate with the Claude extension using its publicly known extension ID — zero permissions required.
  • Claude's approval confirmation flows are state-based, not intent-bound: sending repeated 'Yes, proceed' messages programmatically forges user consent without actual user interaction.
  • Anthropic's partial fix added checks for standard-mode extensions but left privileged mode unaddressed — switching modes requires no user permission and bypasses all checks.
  • Claude's agentic decision-making relies on DOM structure, visible text, and UI semantics — all fully attacker-controllable from the injecting extension, enabling perception manipulation on top of command injection.
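
The difference between state-based and intent-bound consent noted in the breakdown above can be shown with a small model. This is an added example, not code from Anthropic, LayerX, or Permission Protocol; the class names, the action fields, and the assumption that approvals are issued only from a trusted UI surface are hypothetical.

```javascript
// Added example (constructed): models consent logic only, not Anthropic's code.
const { createHash, randomBytes } = require('node:crypto');

// State-based consent: any "Yes, proceed" text flips a flag for the next action.
class StateBasedGate {
  constructor() { this.approved = false; }
  onMessage(text) { if (text === 'Yes, proceed') this.approved = true; }
  execute(_action) { return this.approved; }
}

// Hash of the exact action (flat objects only; keys sorted for stability).
function actionDigest(action) {
  const canonical = JSON.stringify(action, Object.keys(action).sort());
  return createHash('sha256').update(canonical).digest('hex');
}

// Intent-bound consent: a random single-use token tied to one action digest.
// Assumption: approve() is reachable only from a trusted UI surface.
class IntentBoundGate {
  constructor() { this.pending = new Map(); }
  approve(action) {
    const token = randomBytes(16).toString('hex');
    this.pending.set(token, actionDigest(action));
    return token;
  }
  execute(action, token) {
    const expected = this.pending.get(token);
    this.pending.delete(token); // consumed on first use, match or not
    if (expected === undefined) return 'denied: no approval';
    if (expected !== actionDigest(action)) return 'denied: action mismatch';
    return 'allowed';
  }
}

// Constructed actions: the one the user approved, and a substituted one.
const approvedAction = { tool: 'drive.share', file: 'notes.txt', to: 'teammate@example.com' };
const swappedAction = { tool: 'drive.share', file: 'notes.txt', to: 'other@example.net' };

function demo() {
  const weak = new StateBasedGate();
  weak.onMessage('Yes, proceed'); // plain text, sender not verified
  const strong = new IntentBoundGate();
  const token = strong.approve(approvedAction);
  return {
    weakRunsSwapped: weak.execute(swappedAction),
    strongFirst: strong.execute(approvedAction, token),
    strongReplay: strong.execute(approvedAction, token),
    strongSwapped: strong.execute(swappedAction, strong.approve(approvedAction)),
  };
}
```

Binding consent to an action digest only helps if the approval itself cannot be issued over the page-facing message channel; it complements, rather than replaces, fixing the trust boundary.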

Authorization boundary

Where the authorization boundary should have been

This incident is categorized as Credential exposure. The relevant Permission Protocol gate is Credential Gate. The read is conditional: the block only applies where the real action boundary is routed through a gate.

If enforced at: Claude extension action handlers, cross-origin agentic tool calls

Still needs: Client-side extension trust isolation before commands reach the PP enforcement boundary; local confirmation flow integrity

Receipt required for: Sharing external files, sending email, reading private repositories, any cross-origin agentic action issued from a browser session

PP action receipts would surface what Claude executed and who the action was attributed to, but cannot prevent a compromised client-side session from issuing commands before reaching a server-side enforcement boundary.

Start small

Put the relevant gate at this action boundary.

This incident maps to Credential Gate. Start with the boundary that controls the actual action, then require a signed receipt before execution.
