So the Claude extension allows any other extension to inject JavaScript into claude.ai and run it?

Reply to So the Claude extension allows any other extension to inject JavaScript into claude.ai and run it? on Mon, 11 May 2026 13:54:10 GMT

hweissi@infosec.exchange — Mon, 11 May 2026 13:54:10 GMT

@mttaggart So does that mean you can essentially get local code execution by communicating with a locally-running claude instance? That would be a bigger issue.

If it's only Claude in the browser, performing clicks for you - i don't think there's a lot of extra capabilities you get, compared to what you have already when you get someone to install the extension.
After all, why communicate with a different browser extension, when you already have a browser extension running?

However, still not great sandboxing by anthropic obviously.

Reply to So the Claude extension allows any other extension to inject JavaScript into claude.ai and run it? on Mon, 11 May 2026 13:11:50 GMT

mttaggart@infosec.exchange — Mon, 11 May 2026 13:11:50 GMT

@hweissi The issue here is the security boundary of externally_connected being broken because of the nature of the extension.

Any extension can request the scripting permission to inject JavaScript; that is true. Extensions are a huge security issue, but that's not the full story here.

When an extension does so on claude.ai, the Claude extension's externally_connectable manifest values allow that malicious script to send messages to the Claude extension itself, without explicitly requesting the runtime permission usually required for message sending. As a result, the injected code can't just watch the DOM—which again, yes, is a thing all extensions can do—, it can send messages to Claude via the extension, gaining access to Claude itself and the data stored therein.

Interestingly, it would seem the "fix" from Anthropic to add additional approvals for certain actions is also bypassable.

Reply to So the Claude extension allows any other extension to inject JavaScript into claude.ai and run it? on Mon, 11 May 2026 12:25:08 GMT

hweissi@infosec.exchange — Mon, 11 May 2026 12:25:08 GMT

@mttaggart I looked a bit into it - apparently, Chrome does not require specific permissions beyond agreeing to install the extension, to inject content into the MAIN context of a page.
So, it looks like all of the demonstrated things (stealing emails, exfiltrating repos, etc.) could be done with just a malicious extension, completely skipping the claude step.
The only benefit it gives the attacker is that they can just tell claude what to do for them, instead of having to write (or vibecode) an actual exploit script.

So, for the demonstrated exploits, the claude extension doesn't really seem to add any new capabilities beyond what an installed extension can do anyways.

Reply to So the Claude extension allows any other extension to inject JavaScript into claude.ai and run it? on Mon, 11 May 2026 12:05:45 GMT

hweissi@infosec.exchange — Mon, 11 May 2026 12:05:45 GMT

@mttaggart Wait, so any extension with zero permission can execute XSS code on any origin? Injecting prompts to claude is the least of my worries then. With that, can't the same extension just steal your github credentials?

Reply to So the Claude extension allows any other extension to inject JavaScript into claude.ai and run it? on Sat, 09 May 2026 01:01:04 GMT

chillybot@infosec.exchange — Sat, 09 May 2026 01:01:04 GMT

@mttaggart
They can't have vulnerabilities they have mYtHoS

Reply to So the Claude extension allows any other extension to inject JavaScript into claude.ai and run it? on Fri, 08 May 2026 19:38:21 GMT

alexmorgannn@mastodon.social — Fri, 08 May 2026 19:38:21 GMT

@mttaggart yikes, extension permissions are such a mess. the name ClaudeBleed is dramatic but the issue is real

Reply to So the Claude extension allows any other extension to inject JavaScript into claude.ai and run it? on Fri, 08 May 2026 19:33:33 GMT

landelare@mastodon.gamedev.place — Fri, 08 May 2026 19:33:33 GMT

@mttaggart An "AI tool" is vibe coded insecure slop? Who would've thunk

(btw #opencode is insecure crap, too, yet it has a scary amount of users)

Reply to So the Claude extension allows any other extension to inject JavaScript into claude.ai and run it? on Fri, 08 May 2026 18:37:47 GMT

titusdegroan@hachyderm.io — Fri, 08 May 2026 18:37:47 GMT

@mttaggart
this calls for the claude emoji:

Reply to So the Claude extension allows any other extension to inject JavaScript into claude.ai and run it? on Fri, 08 May 2026 18:19:19 GMT

jrcruciani@masto.impermanente.es — Fri, 08 May 2026 18:19:19 GMT

@mttaggart @briankrebs Mythos really missed this one, eh?

Reply to So the Claude extension allows any other extension to inject JavaScript into claude.ai and run it? on Fri, 08 May 2026 16:39:15 GMT

float13@masto.hackers.town — Fri, 08 May 2026 16:39:15 GMT

@mttaggart

2001: I'm afraid I can't do that...

2026: I'm afraid I *can* do that!

"AI"... Service with a smile!

Reply to So the Claude extension allows any other extension to inject JavaScript into claude.ai and run it? on Fri, 08 May 2026 16:36:51 GMT

drwho@masto.hackers.town — Fri, 08 May 2026 16:36:51 GMT

@mttaggart Working as intended.

Reply to So the Claude extension allows any other extension to inject JavaScript into claude.ai and run it? on Fri, 08 May 2026 16:03:37 GMT

lapt0r@infosec.exchange — Fri, 08 May 2026 16:03:37 GMT

@mttaggart browser extension development and security practices writ large are stuck in 1995 I stg

Reply to So the Claude extension allows any other extension to inject JavaScript into claude.ai and run it? on Fri, 08 May 2026 15:56:59 GMT

dckim@mastodon.social — Fri, 08 May 2026 15:56:59 GMT

@mttaggart VANILLA is good. No external dependencies should be pressed a little bit harder. And... it would be great to have that packaged in a single file. Try telling these 'Claudes' to do it that way.

Reply to So the Claude extension allows any other extension to inject JavaScript into claude.ai and run it? on Fri, 08 May 2026 15:13:50 GMT

tonyangelo@mspsocial.net — Fri, 08 May 2026 15:13:50 GMT

@mttaggart this is why Anthropic needs to make Mythos available, so companies like Anthropic can catch these bugs!

Reply to So the Claude extension allows any other extension to inject JavaScript into claude.ai and run it? on Fri, 08 May 2026 15:07:08 GMT

kroppeb@tech.lgbt — Fri, 08 May 2026 15:07:08 GMT

@mttaggart ugh, why do they have to have ai generated blog posts.

Reply to So the Claude extension allows any other extension to inject JavaScript into claude.ai and run it? on Fri, 08 May 2026 14:57:27 GMT

tante@tldr.nettime.org — Fri, 08 May 2026 14:57:27 GMT

@mttaggart The "s" in Anthropic stands for security

Reply to So the Claude extension allows any other extension to inject JavaScript into claude.ai and run it? on Fri, 08 May 2026 13:25:59 GMT

matildalove@wetdry.world — Fri, 08 May 2026 13:25:59 GMT

@mttaggart wow it's so weird how when you increase "productivity" manyfold without paying actual humans to take the time to make it happen, you get all these explosive issues and vulnerabilities