Share with your CISO
A verified flaw in Anthropic’s Claude for Chrome extension lets a malicious browser extension simulate user clicks and trigger predefined AI workflows, including reading Gmail, modifying Salesforce leads, creating calendar events, and accessing Google Docs, without any real user action. Manifold Security researcher Ax Sharma found the extension fails to check the browser’s built-in Event.isTrusted flag before executing these tasks. The Claude Chrome extension vulnerability remains unpatched in version 1.0.80, released July 7, despite Anthropic acknowledging the report.
What this means for your business
Organizations that have deployed Claude for Chrome in their environments are carrying active, unpatched exposure right now, not theoretical future risk. The attack chain requires a malicious extension to already be running on a user’s machine with permission to operate on claude.ai, which narrows the blast radius somewhat. But “Act without asking” mode, the optional Claude setting that removes approval prompts before workflows execute, eliminates the last friction point between a rogue extension and your connected SaaS data. If any segment of your workforce has that mode enabled, the effective attack surface is much wider than the technical preconditions suggest.
The deeper structural problem here is what you might call authenticated proxy risk: Claude’s extension doesn’t perform the action directly, it inherits the user’s existing authenticated session with Gmail, Salesforce, and Google Workspace. A malicious extension exploiting this flaw doesn’t need to steal credentials or bypass OAuth because it’s riding Claude’s already-approved access. That’s a qualitatively different threat model than a phishing attack. It’s closer to session hijacking, except the “session” being hijacked belongs to an AI agent with broad, user-consented permissions across your most sensitive business applications.
Anthropic closing the synthetic-click report as a “broader issue they’re already tracking” without shipping a fix is the tell here. The vendor’s incentive is to minimize the story while the extension remains in production, which means the remediation timeline is entirely on their schedule, not yours. Any enterprise managing browser extension policy through MDM or a browser security tool should be evaluating whether Claude for Chrome belongs on a restricted list until a verified patch ships. I’d revise that call only if Anthropic publishes a specific remediation commit with a confirmed version number.
Concept deep-dive: Event.isTrusted
Every interaction a real user makes in a browser, clicking a button, pressing a key, generates an event the browser automatically marks as trusted by setting Event.isTrusted to true. When JavaScript code generates the same event programmatically, the browser sets it to false. This flag exists precisely so extensions and web applications can distinguish human intent from scripted automation. The Claude extension’s failure to check this flag before executing high-privilege workflows is the equivalent of a bank teller accepting a withdrawal slip without verifying a signature.
Based on reporting from Claude Chrome extension flaw lets malicious extensions trigger AI actions, originally published 2026-07-16 15:26:00.

