Vulnerability in Claude Extension for Chrome Exposes AI Agent to Takeover

A vulnerability in the Claude extension for Chrome could allow attackers to take over the AI agent and abuse it for information theft, cybersecurity firm LayerX reports.

The flaw, dubbed ClaudeBleed, combines lax permissions, where any Chrome extension can run commands in Claude in Chrome, with poorly implemented trust that is placed in the origin of a command rather than in its execution context.

According to LayerX, the main issue is that the Claude extension allows interaction with any script running in the origin browser, without verifying its owner.

“As a result, any extension can invoke a content script (which does not require any special permissions) and issue commands to the Claude extension,” the company explains.

Claude in Chrome, it says, trusts the origin of the execution, which is claude.ai, and not the execution context, thus allowing any JavaScript running in the origin to issue privileged commands.

This allows an attacker...

Copyright of this story solely belongs to securityweek.com.
