```html ``` A Malicious Extension Can Trigger Claude's Browser Actions With a Fake Click — Because It Never Checks One Boolean. isTrusted Is the New Injection Surface.
top of page

A Malicious Extension Can Trigger Claude's Browser Actions With a Fake Click — Because It Never Checks One Boolean. isTrusted Is the New Injection Surface.

  • Writer: Patrick Duggan
    Patrick Duggan
  • 2 hours ago
  • 5 min read

Ax Sharma of Manifold Security found something in the Claude for Chrome extension that is worth understanding not because it is catastrophic — it is bounded, and we will be precise about how bounded — but because it is a clean, teachable example of a failure mode that is going to define the next few years of agent security. The extension fires its built-in actions when you click certain page elements, and it never checks whether the click came from a human being. A malicious browser extension can inject a fake button, generate a synthetic click on it, and Claude will carry out the action using your authenticated access to Gmail, Google Docs, Calendar, or Salesforce. As disclosed, it remains reproducible in version 1.0.80, released July 7.



The Bug Is One Boolean


Every click event in a browser carries a property called isTrusted. When a human physically clicks, the browser sets it to true. When JavaScript generates a click programmatically, the browser sets it to false. That boolean exists for exactly one reason: to let code tell the difference between a person and a script pretending to be one. It has been in the web platform for years, precisely because synthetic events are a known problem.


The Claude extension listens for clicks on the elements that trigger its predefined tasks, and it does not check isTrusted. So a second extension — one the user installed, with permission to modify pages on claude.ai — can drop an element onto the page carrying one of those task identifiers, fire a synthetic click at it, and the Claude extension treats the script's click as if a human had made it. The fix is one comparison. The lesson is bigger than the fix.



Why an Unchecked Click Suddenly Matters More


For most of the web's history, the worst a forged click could do was submit a form or dismiss a dialog. Annoying, occasionally exploitable, rarely a crisis. What changed is what sits behind the click now.


The Claude extension's nine predefined workflows are not cosmetic. They identify and unsubscribe promotional email in your Gmail. They read comments in your Google Docs. They find open slots and create meetings in your Calendar. They modify leads and convert them to opportunities in Salesforce. Every one of those runs with the OAuth access you already granted the agent. So a synthetic click no longer submits a form — it reaches into an authenticated session on a service that holds your correspondence, your schedule, or your revenue pipeline, and it acts. The blast radius of an unverified click grew from "one page" to "everything the agent is connected to," and nobody moved the security check to match.



This Is the Same Disease We Keep Documenting


We have written this story in three or four other organs of the same body. The ghost-font attack, where a tampered font makes an AI assistant read a hidden command a human literally cannot see. The malicious documentation sites that hide instructions in a page so a browsing agent pays money its user never authorized. The PromptSnatcher adblockers quietly reading every AI conversation their 100,000 users had. Different mechanisms, one underlying condition: an AI agent is a privileged process that acts on signals from its environment, and every signal it trusts without verifying — the text on a page, the glyphs in a font, the provenance of a click — is an injection surface.


isTrusted is simply the click-event member of that family. The agent trusted a click the way the other agents trusted a font or a webpage's hidden text: completely, and without asking where it came from. The pattern is the thing to internalize. As agents get more predefined actions wired to more authenticated services, the question "did a human actually ask for this?" has to be answered at every trigger, not assumed. The web platform even hands you the answer for free on click events. You just have to read it.



The Honest Size of It


We will not inflate this, because the honest size is the useful size. This is not arbitrary prompt injection — an attacker cannot make Claude do anything it wants, only trigger the nine predefined workflows. It requires the victim to have installed a malicious extension that holds page-modification permission on claude.ai, which is a real but non-trivial precondition. And as disclosed, there is no evidence of exploitation in the wild. A website alone cannot reach this; it takes a hostile extension already sitting in your browser.


That precondition is less reassuring than it sounds, though, and PromptSnatcher is why. Malicious browser extensions with six-figure install counts are not hypothetical; they are a shipping, recurring delivery mechanism. An extension that can read your AI conversations is one permission grant away from an extension that can drive your AI's actions. The click flaw turns "an extension that watches" into "an extension that acts."


Credit where it is due on both sides. Ax Sharma and Manifold Security found it and reported it through Anthropic's bug bounty program — the program working as intended. Anthropic acknowledged the synthetic-click finding and said it is already tracking it as a broader issue, and classified a secondary finding — a skipPermissions parameter that bypasses a confirmation — as informational. That is engagement, and it is the right posture. It is also, as of the disclosure, still reproducible in the current version, which means it is a live gap and not a closed one. Both things are true and we will say both.



What To Do


If you run AI-connected browser extensions, treat their permissions the way you would treat a password manager's: an extension with the ability to modify pages on your AI tool's domain is sitting in a privileged position, and the bar for installing another extension alongside it should be high. Audit what has page access to claude.ai, or any agent surface, and remove what you do not need there.


And if you build agent interfaces, take the one-line lesson: check isTrusted, and more generally, verify human intent at every point where a trigger becomes an authenticated action. The moment an agent will act on a signal, the provenance of that signal is a security boundary. The browser already tells you whether a person was there. The next generation of these bugs will all rhyme with this one — a signal trusted because nobody asked where it came from — and the defenses will all rhyme with the fix: ask.




Every indicator in this post is in the feed. Free.

1.58M+ IOCs, STIX 2.1 / TAXII, 88% novel vs ThreatFox, exploited-CVE leads ahead of CISA. No credit card — a free API key in 30 seconds, and you can audit every claim above against the live endpoints.


bottom of page