The original article appeared here. 

An unpatched flaw in Claude for Chrome allows malicious browser extensions to trigger the agent using forged click signals, since it never verifies whether a click originated from a real user. Extensions exploiting it can silently pull Gmail, Google Docs, and calendar data, and Anthropic has shipped eight patches since the bug was reported in May without fixing it.

Security Week has details here: Unpatched Claude for Chrome Flaw Lets Extensions Read Gmail, Calendar – SecurityWeek

Gidi Cohen, CEO & Co-Founder, Bonfy.AI had this to say:

“Eight patches since May and this still isn’t fixed, which tells you something more interesting than the bug itself. Anthropic’s response was to lock Claude down to a fixed list of approved tasks. That’s a reasonable instinct, but it treats the symptom. The actual problem is that Claude has no way to verify that a click came from a person rather than a script pretending to be one. You can narrow what an agent is allowed to do all you want, and none of it matters if you can’t confirm who’s actually asking it to do that thing in the first place.

We’re going to keep seeing this exact pattern as browser-native AI agents roll out across the world this year. Every vendor is racing to ship autonomy features, ‘act without asking’ toggles, agents that read your calendar and draft your replies for you, and almost none of them have solved the much less exciting problem sitting underneath all of it, which is proving intent. Consent in a browser was built around the idea that a person physically clicked something. The moment an extension can fake that signal, the entire permission model built on top of it ceases to mean anything. That’s not a Claude-specific bug. That’s every AI agent shipping into a browser right now, and the industry is going to spend the next few months figuring that out in public, one disclosure at a time.”

You have to assume that AI is a #fail. Thus you need to do you own homework to make sure any AI anything is safe to use. Otherwise you are part of the problem.

The original article appeared here.