A major security concern has emerged around Anthropic’s AI assistant after researchers uncovered a critical vulnerability named “ClaudeBleed.” The flaw reportedly allows malicious Chrome extensions to secretly hijack the AI system and access sensitive user data.
The vulnerability exists in the Claude Chrome extension and can reportedly be exploited even by add-ons with 0 declared permissions. Researchers said attackers could use the flaw to steal private information from Gmail, Google Drive and GitHub without the user noticing.
According to the disclosure by LayerX, the issue stems from a trust boundary weakness in the extension’s design. The Claude extension uses the externally_connectable manifest setting to communicate with the main Claude website. While the system verifies the website domain, it reportedly does not verify which script is sending commands.
Researchers explained that attackers can create a simple Chrome extension that injects a malicious content script into the Claude environment. Since the AI trusts scripts running on the official domain, the harmful extension can gain high-level privileges.
The report stated that attackers can send hidden prompts to manipulate the AI into performing sensitive actions. To bypass security checks, hackers reportedly use methods such as approval looping and perception manipulation.
Researchers found that attackers could repeatedly send confirmation requests to fake user approval. They could also alter page elements by renaming buttons like “Share” to “Request feedback,” tricking the AI into approving restricted actions.
During testing, researchers successfully extracted confidential Google Drive files and shared them externally. The flaw was also reportedly used to steal source code from private GitHub repositories and access email summaries while deleting traces of the activity.
LayerX disclosed the issue to Anthropic on April 27, 2026. Anthropic later released version 1.0.70 on May 6, 2026, adding new approval flows for sensitive actions. However, security experts warned that the underlying trust issue remains unresolved, especially when users enable the “Act without asking” automation mode.
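The trust gap described above, modeled as an added example that is not code from the Claude extension or from LayerX's report: a handler that checks only the sending origin cannot tell the site's own script from one injected into the same page, while a handler that requires approval recorded outside the page channel can. The origin, action names and all function and class names are hypothetical, and the assumption is that extension-owned UI is where the user grants approval.

```javascript
// Added illustration, not code from the Claude extension. Every name here is hypothetical.
// The sender objects are constructed to mimic what an extension's external-message
// handler receives for a message sent from a web page.
const TRUSTED_ORIGIN = "https://assistant.example"; // placeholder origin
const SENSITIVE = new Set(["share_file", "read_mail", "delete_item"]);

// Weak pattern: the origin is the only thing checked.
function handleOriginOnly(msg, sender) {
  if (sender.origin !== TRUSTED_ORIGIN) return { ok: false, reason: "origin" };
  return { ok: true, ran: msg.action };
}

// Approvals are recorded only by extension-owned UI (assumed: a popup or side panel),
// never by anything arriving over the page message channel.
class ApprovalStore {
  constructor() { this.granted = new Set(); }
  grant(action, target) { this.granted.add(`${action}|${target}`); }
  consume(action, target) { return this.granted.delete(`${action}|${target}`); } // single use
}

// Hardened pattern: page messages are untrusted input even when the origin matches.
function handleWithApproval(msg, sender, approvals) {
  if (sender.origin !== TRUSTED_ORIGIN) return { ok: false, reason: "origin" };
  if (!SENSITIVE.has(msg.action)) return { ok: true, ran: msg.action };
  // Any "approved" flag inside msg is ignored: the sender could have set it.
  if (!approvals.consume(msg.action, msg.target)) return { ok: false, reason: "needs_user_approval" };
  return { ok: true, ran: msg.action };
}

// Constructed senders: the site's own script and a script another extension injected
// into the same page look identical to the receiving extension.
const siteScript = { origin: TRUSTED_ORIGIN, url: TRUSTED_ORIGIN + "/chat" };
const injectedScript = { origin: TRUSTED_ORIGIN, url: TRUSTED_ORIGIN + "/chat" };
const request = { action: "share_file", target: "doc-1", approved: true };

function demo() {
  const approvals = new ApprovalStore();
  const weak = handleOriginOnly(request, injectedScript).ok;                // runs
  const blocked = handleWithApproval(request, injectedScript, approvals).ok; // refused
  approvals.grant("share_file", "doc-1"); // user confirms in extension UI
  const first = handleWithApproval(request, siteScript, approvals).ok;       // allowed once
  const replay = handleWithApproval(request, injectedScript, approvals).ok;  // refused again
  return { weak, blocked, first, replay };
}
```

Because each approval is single-use and bound to one action and target, repeating the same request does not carry an earlier approval forward.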