Claude Chrome forged-click and skipPermissions security flaw
Vulnerability
Summary
Hide ▲
Show ▼
Claude for Chrome still accepts synthetic clicks on its onboarding button, letting a rogue extension trigger allowlisted tasks for Gmail, Google Docs, and Calendar. The same build also reads ?skipPermissions=true, which can switch the panel into skip_all_permission_checks and remove approval if that state is reached. Manifold said the flaw remained in v1.0.80 and had no shipped patch as of July 14.
Related Happenings
OpenAI ChatGPT Atlas BioShocking fix
Advisory/Mitigation
H score34
First: 01.07.2026 00:50
Last: 01.07.2026 00:50
Sources 1
About this happening:
OpenAI delivered a **working fix** for **BioShocking** in **ChatGPT Atlas**, closing a prompt-injection path that could push an AI browser toward unsafe real-world actions and **c...
OpenAI ChatGPT Atlas BioShocking fix
Advisory/MitigationAbout this happening: OpenAI delivered a **working fix** for **BioShocking** in **ChatGPT Atlas**, closing a prompt-injection path that could push an AI browser toward unsafe real-world actions and **c...
Fake Claude Code installation-page infostealer campaign targeting developers
Campaign
H score33
First: 11.05.2026 17:00
Last: 11.05.2026 17:00
Sources 1
About this happening:
A **fake Claude Code** installer campaign is using **sponsored search results** and **operator-controlled domains** to deliver an **infostealer** to **developer workstations**, pu...
Fake Claude Code installation-page infostealer campaign targeting developers
CampaignAbout this happening: A **fake Claude Code** installer campaign is using **sponsored search results** and **operator-controlled domains** to deliver an **infostealer** to **developer workstations**, pu...
AI browsers indirect prompt injection via URL fragments HashJack security flaw
Vulnerability
H score28
First: 26.11.2025 12:15
Last: 26.11.2025 12:15
Sources 1
About this happening:
**HashJack** is an **indirect prompt injection** vulnerability in **AI browsers** that hides attacker instructions after the **# symbol** in legitimate URLs, letting a normal-look...
AI browsers indirect prompt injection via URL fragments HashJack security flaw
VulnerabilityAbout this happening: **HashJack** is an **indirect prompt injection** vulnerability in **AI browsers** that hides attacker instructions after the **# symbol** in legitimate URLs, letting a normal-look...
Timeline
-
14.07.2026 20:27 1 articles · 5h ago
Manifold Security finds Claude for Chrome v1.0.80 still accepts synthetic clicks
Technical Analysis UpdateManifold Security rechecked Claude for Chrome v1.0.80 on July 7 and found the content-script click handler and side-panel initialization unchanged, including no event.isTrusted check on the onboarding click and continued use of skipPermissions from the extension's own URL.
Show sources
- Researchers Say Claude for Chrome Flaw Lets Rogue Extensions Trigger Gmail Reads — thehackernews.com — 14.07.2026 20:27
-
21.05.2026 03:00 2 articles · 1mo ago
Manifold Security reports forged-click and skipPermissions flaws in Claude for Chrome
Initial DisclosureManifold Security reported two Claude for Chrome issues against v1.0.72 on May 21: a content-script path that can dispatch a synthetic click on #claude-onboarding-button to trigger allowlisted tasks, and a side-panel path that reads ?skipPermissions=true from its own URL and can switch into skip_all_permission_checks.
Show sources
- Researchers Say Claude for Chrome Flaw Lets Rogue Extensions Trigger Gmail Reads — thehackernews.com — 14.07.2026 20:27
- Researchers Say Claude for Chrome Flaw Lets Rogue Extensions Trigger Gmail Reads — thehackernews.com — 14.07.2026 20:27