Unpatched Claude for Chrome Flaws Expose Gmail, Google Docs Data
Two unpatched vulnerabilities in Anthropic's 'Claude for Chrome' extension could allow a second, malicious extension to access and exfiltrate a user's Google Workspace data, including Gmail, Docs, and Calendar. The flaws, which exploit the extension's trust model by allowing a script to trigger actions without genuine user consent, were reported in May but persist in the latest version. The risk is highest for users who have enabled the 'Act without asking' feature, which could allow for silent data theft.