Overview
- LayerX reported Friday that attackers can still hijack Anthropic’s Claude browser assistant by switching the Chrome extension to a hidden privileged mode despite a May 6 update.
- Researchers say the extension accepts commands based on claude.ai’s page origin and not who runs the code, so any plugin can inject a content script and talk to Claude as if it were trusted.
- The attack lets a rogue plugin run prompts, bypass safety checks by looping fake approvals, and change on‑screen elements to mislead the agent into sharing data.
- Proof‑of‑concept demos showed data theft from Google Drive, Gmail, and GitHub, along with sending emails and deleting traces of the activity on a user’s behalf.
- Anthropic added new approval flows and internal checks for standard mode, but LayerX says a silent switch to privileged mode bypasses them; experts point to this gap as an example of why prompt-only defenses fail.
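The trust flaw in the second bullet, modelled in a short added example (not LayerX's or Anthropic's code, and not a description of the real extension's internals): a message handler that admits any command arriving from the claude.ai page origin, beside one that also requires the message to come from the extension's own identity. The origin string, extension ids and the command names are constructed stand-ins.

```javascript
// Added illustration of origin-only trust versus origin-plus-sender trust in a
// browser extension's command handler. Names and ids below are constructed.
const TRUSTED_ORIGIN = "https://claude.ai";   // assumed trusted page origin
const OWN_EXTENSION_ID = "ext-self-0000";      // stand-in for chrome.runtime.id

// Weak check: origin only. Every content script injected into the claude.ai
// page, by whichever extension, reaches this handler with the same origin, so
// the check cannot tell the extension's own script from a rogue plugin's.
function acceptByOriginOnly(sender) {
  return sender.origin === TRUSTED_ORIGIN;
}

// Hardened check: origin AND sender identity. A message delivered through the
// extension's own runtime messaging carries its own id; a message relayed via
// window.postMessage carries none, and one from another extension carries that
// extension's id. Only the first passes.
function acceptByOriginAndSender(sender) {
  return sender.origin === TRUSTED_ORIGIN && sender.id === OWN_EXTENSION_ID;
}

// Simulated dispatcher with the privileged-mode switch the article describes.
// Mode changes are treated as user-initiated only and never honoured from a
// message, regardless of who sent it.
function dispatch(msg, sender, accept) {
  if (!accept(sender)) return { handled: false, reason: "untrusted sender" };
  if (msg.type === "set_mode" && msg.mode === "privileged") {
    return { handled: false, reason: "mode switch requires user action" };
  }
  return { handled: true, type: msg.type };
}

// Constructed sample senders: the extension's own script and a rogue plugin's
// script injected into the same page.
const ownScript = { origin: TRUSTED_ORIGIN, id: OWN_EXTENSION_ID };
const rogueScript = { origin: TRUSTED_ORIGIN, id: "ext-rogue-1234" };

function demo() {
  const run = { type: "run_prompt" };
  const escalate = { type: "set_mode", mode: "privileged" };
  return {
    weakAcceptsRogue: dispatch(run, rogueScript, acceptByOriginOnly).handled,
    strictRejectsRogue: dispatch(run, rogueScript, acceptByOriginAndSender).handled,
    strictAcceptsOwn: dispatch(run, ownScript, acceptByOriginAndSender).handled,
    modeSwitchBlocked: dispatch(escalate, ownScript, acceptByOriginAndSender).handled,
  };
}
```

The weak handler accepts the rogue script's command because origin alone is indistinguishable; the hardened one rejects it and also refuses a message-driven switch to privileged mode.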