Security researchers have uncovered a critical vulnerability in Anthropic's "Claude for Chrome" extension (version v1.0.80) that allows malicious browser extensions to hijack authorized user sessions, enabling unauthorized access to sensitive data like Gmail, Google Docs, and Calendar. This flaw, disclosed on July 14, stems from a fundamental architectural weakness in how AI tools manage persistent sessions, posing systemic risks to the broader browser extension ecosystem.

At its core, the issue revolves around a "shared session model" where any extension capable of running scripts on the claude.ai domain can exploit established sessions without requiring new authentication. This effectively transforms the AI assistant into an unwitting "data transfer proxy," letting attackers trigger actions on behalf of users—a risk that previous patches, such as those for the "ClaudeBleed" flaw in May, failed to address comprehensively. By focusing on symptom-level fixes like restricting arbitrary prompt paths, Anthropic has not resolved the underlying problem of overly broad, persistent trust boundaries within AI integrations.

The vulnerability highlights a growing security gap in browser-based AI assistants. As tools like GitHub Copilot and ChatGPT extensions gain deeper integration into workflows, their demand for long-lived sessions and wide permissions creates an expanded and poorly regulated attack surface. Traditional browser security frameworks, designed for short-term interactions, are ill-equipped to safeguard AI agents that require ongoing access, necessitating a shift toward fine-grained, operation-level consent mechanisms.

For users and administrators, immediate action involves auditing browser extensions—particularly those with extensive permissions on claude.ai or Google services—and considering temporary restrictions on Claude for Chrome until robust fixes are deployed. Long-term solutions demand industry-wide collaboration to redesign session isolation and trust models, ensuring that AI platforms implement stricter security architectures that prevent cross-extension hijacking.

As Anthropic has yet to release an official response or patch timeline for this architectural flaw, questions remain about the role of browser vendors in introducing new APIs or restrictions. Moreover, the incident underscores the urgent need for standardized security frameworks across AI developers and standards bodies to protect the evolving landscape of AI browser integrations.


安全研究人員近日揭露了Anthropic「Claude for Chrome」擴充功能(版本v1.0.80)的一個嚴重漏洞。攻擊者可利用惡意瀏覽器擴充功能劫持已獲授權的用戶會話,從而未經授權訪問Gmail、Google文件及日曆等敏感資料。這項於7月14日披露的缺陷,源於AI工具管理持久性會話的基本架構缺陷,為更廣泛的瀏覽器擴充功能生態系統帶來系統性風險。

問題核心在於一種「共享會話模型」:任何能在claude.ai網域執行腳本的擴充功能,均可利用已建立的會話而無需重新驗證。這實質上將AI助手轉變為不自覺的「資料傳輸代理」,使攻擊者能代表用戶觸發操作。此前針對5月「ClaudeBleed」漏洞的補丁(例如限制任意提示路徑)未能全面解決此風險,因為Anthropic僅處理症狀層面的修復,而未解決AI整合中過於寬泛的持久性信任邊界這一根本問題。

該漏洞揭示了基於瀏覽器的AI助手日益嚴重的安全缺口。隨著GitHub Copilot與ChatGPT等擴充功能深度融入工作流程,其要求的長期會話與廣泛權限形成了監管不足的擴大攻擊面。傳統瀏覽器安全框架為短期互動設計,難以保護需要持續訪問的AI代理,亟需轉向細粒度、操作層級的授權機制。

對用戶與管理員而言,短期措施包括審計瀏覽器擴充功能——特別是對claude.ai或Google服務具備廣泛權限者,並在完善修復部署前考慮暫停使用Claude for Chrome。長期解決方案需要業界共同協作,重新設計會話隔離與信任模型,確保AI平台實施更嚴格的安全架構以防範跨擴充功能劫持。

由於Anthropic尚未對此架構缺陷發布官方回應或修復時間表,瀏覽器廠商在引入新API或限制措施方面的角色仍存疑問。此事件亦凸顯出AI開發者與標準制定機構亟需建立標準化安全框架,以保護不斷演進的AI瀏覽器整合環境。

新聞來源 / Original News Source