So the Claude extension allows any other extension to inject JavaScript into claude.ai and run it?

@mttaggart So does that mean you can essentially get local code execution by communicating with a locally-running claude instance? That would be a bigger issue.

If it's only Claude in the browser, performing clicks for you - i don't think there's a lot of extra capabilities you get, compared to what you have already when you get someone to install the extension.
After all, why communicate with a different browser extension, when you already have a browser extension running?

However, still not great sandboxing by anthropic obviously.

@mttaggart I looked a bit into it - apparently, Chrome does not require specific permissions beyond agreeing to install the extension, to inject content into the MAIN context of a page.
So, it looks like all of the demonstrated things (stealing emails, exfiltrating repos, etc.) could be done with just a malicious extension, completely skipping the claude step.
The only benefit it gives the attacker is that they can just tell claude what to do for them, instead of having to write (or vibecode) an actual exploit script.

So, for the demonstrated exploits, the claude extension doesn't really seem to add any new capabilities beyond what an installed extension can do anyways.

@mttaggart Wait, so any extension with zero permission can execute XSS code on any origin? Injecting prompts to claude is the least of my worries then. With that, can't the same extension just steal your github credentials?