{"data":{"id":"b08c8da2-6114-44dd-aeb3-5d531ed1a7b4","title":"Researchers Say Claude for Chrome Flaw Lets Rogue Extensions Trigger Gmail Reads","summary":"Researchers found that any browser extension able to run scripts on claude.ai can trigger Claude for Chrome to access your Gmail, Google Docs, and Calendar by forging a fake click, since the extension doesn't verify that clicks are from real users rather than scripts. The flaw is rated as high or critical severity depending on whether you have the \"Act without asking\" automation mode enabled, and while a simple one-line fix exists, Anthropic has not yet released it in the current version 1.0.80.","solution":"The quickest guard is to turn \"Act without asking\" off and review any extension with permission to read or change data on claude.ai. Researchers also note that \"the one-line fix, the researchers say, rejects synthetic clicks at the top of the handler\" but confirm this fix \"has not shipped\" as of July 14.","labels":["security"],"sourceUrl":"https://thehackernews.com/2026/07/claude-for-chrome-flaw-lets-other.html","publishedAt":"2026-07-14T17:27:23.000Z","cveId":null,"cweIds":null,"cvssScore":null,"cvssSeverity":null,"severity":"high","attackType":["supply_chain"],"issueType":"news","affectedPackages":null,"affectedVendors":["Anthropic"],"affectedVendorsRaw":["Anthropic","Claude","Claude for Chrome","Gmail","Google Docs","Google Calendar","DoorDash","Salesforce","Zillow"],"classifierModel":"claude-haiku-4-5-20251001","classifierPromptVersion":"v3","cvssVector":null,"attackVector":null,"attackComplexity":null,"privilegesRequired":null,"userInteraction":null,"exploitMaturity":null,"epssScore":null,"patchAvailable":null,"disclosureDate":"2026-07-14T17:27:23.000Z","capecIds":null,"crossRefCount":0,"attackSophistication":"moderate","impactType":["confidentiality","integrity"],"aiComponentTargeted":"plugin","llmSpecific":true,"classifierConfidence":0.92,"researchCategory":null,"atlasIds":null}}