Claude Chrome extension leaked signed-in session tokens, allowing other browser plugins to hijack the agent
- Anthropic’s Claude in Chrome extension was found to trust messages from any browser extension, letting malicious plugins hijack the signed-in AI agent.
- LayerX said Anthropic shipped a partial fix, but researchers bypassed it in about 3 hours by abusing the same browser messaging path.
- The bug matters because AI agents now hold real browser power — email, docs, GitHub, SaaS logins — not just chat access.

Browser AI agents just hit a very old security problem in a very new form. Anthropic’s Claude in Chrome extension was built to act for you inside the browser — read pages, click around, help with tasks. But researchers say the extension trusted the wrong thing, so another extension could talk to Claude as if it were part of the same trusted environment and then steer the agent using the victim’s live session. That turns a random plugin into a potential puppet master.

### What actually broke?

The core mistake was in how Claude’s extension handled browser messages. Extensions and web pages often communicate through standard browser channels, but Claude’s code appears to have checked the browser origin rather than the actual execution context sending the message. In plain English — if code was running in the right place, Claude was too willing to listen, even if that code came from a different extension. (cyberscoop.com)

LayerX says that meant any extension, even one without special permissions, could inject hidden instructions and trigger Claude-powered actions.

### Why is that worse than a normal extension bug?

Because Claude is not a passive add-on. It is an agent with delegated authority. If a normal extension gets loose access, maybe it reads a page or scrapes a form. If an agent gets hijacked, the attacker can ask it to do things with context — summarize inboxes, pull data from tabs, interact with Google Drive, GitHub, or other signed-in services, and package the results in a way that looks like legitimate user activity. (cyberscoop.com)

That is the real shift here. The compromised thing is not just a session cookie. It is a decision-making layer sitting on top of your browser permissions.

### Didn’t Anthropic already patch Claude’s extension?

Yes — but the fix described in this week’s reporting was not enough. SecurityWeek and others say Anthropic added extra security checks after disclosure, yet LayerX was able to bypass the initial mitigation in roughly 3 hours. That does not necessarily mean the extension is still vulnerable in the exact same way today, but it does show the first repair was narrow and the trust boundary problem was deeper than one missing check. (securityweek.com)

### How does this connect to Claude Code?

The browser-extension bug is one lane of the same bigger problem — agentic tools now sit between users and valuable tokens. A separate Mitiga Labs writeup this week showed how Claude Code’s MCP setup could be tampered with by modifying `~/.claude.json`, redirecting traffic through attacker-controlled infrastructure and exposing OAuth-backed SaaS access. Even rotating tokens may not fully solve that if the malicious config keeps re-seeding the connection path. (securityweek.com)

Different product, same lesson — whoever controls the agent’s plumbing can often control the user’s downstream accounts.

### Is this the same as the earlier ShadowPrompt bug?

Not exactly. Earlier research from Koi described a zero-click chain that let a website hijack Claude’s Chrome extension by combining an overly broad `*.claude.ai` trust rule with a DOM-based XSS on a Claude-related subdomain. Anthropic patched that in extension version 1.0.41. The new LayerX issue is different in mechanism — it is about extension-to-extension trust — but the pattern is similar: Claude’s browser agent had too much implicit trust in inputs coming from inside the browser. (mitiga.io)

### Why are AI browser agents so exposed?

Because they collapse three risk layers into one tool — browser privileges, authenticated sessions, and language-model obedience. A regular browser sandbox assumes one site should not boss around another. An AI agent blurs that boundary because it is designed to read one context, reason over another, and take action somewhere else. That is useful, but it also means tiny trust mistakes become cross-account compromise paths. (koi.ai)

Anthropic itself has been warning that browser use creates unique prompt-injection and control risks, even as it works on stronger safeguards.

### So what should users do now?

The practical move is boring but important — update the extension, remove extensions you do not truly need, and treat agentic browser tools like privileged software, not convenience widgets. For teams, the bigger fix is governance: watch extension inventories, monitor Claude Code config changes, and audit what OAuth-connected tools the agent can reach. If a plugin can steer an agent, the blast radius is your whole signed-in work life. (anthropic.com)

### Bottom line

This story is not really about one Chrome bug. It is about what happens when AI assistants stop being chat boxes and start holding the keys to your browser. The security model has to move with them — fast. (beyondmachines.net)
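
The trust mistake described under "What actually broke?", as an added example that is not Anthropic's or LayerX's code: a simplified model comparing a handler that checks only the page origin with one that first classifies the sending context. The sender objects, extension IDs, action names and policy are assumptions constructed for illustration.

```javascript
// Added example, not the extension's real code. Sender objects mirror fields
// of chrome.runtime.MessageSender (id, origin, tab); all values are constructed.
const OWN_ID = "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"; // placeholder extension ID
const OWN_ORIGIN = `chrome-extension://${OWN_ID}`;
const TRUSTED_SITE = "https://claude.ai";
const PRIVILEGED = new Set(["run_agent_task"]); // hypothetical action name

// Weak check: any code running under the trusted site's origin is accepted.
function originOnlyCheck(sender) {
  return Boolean(sender) && sender.origin === TRUSTED_SITE;
}

// Work out which execution context actually sent the message.
function classifySender(sender) {
  if (!sender || typeof sender !== "object") return "unknown";
  if (sender.id === undefined) return "web-page"; // no extension ID attached
  if (sender.id !== OWN_ID) return "foreign-extension";
  if (sender.origin === OWN_ORIGIN) return "own-extension-page";
  return sender.origin === TRUSTED_SITE ? "own-content-script" : "unknown";
}

// Hypothetical policy: privileged actions only from the extension's own pages;
// its own content script on the trusted site may send non-privileged ones.
function contextCheck(sender, message) {
  if (!message || typeof message.action !== "string") return false;
  const context = classifySender(sender);
  if (context === "own-extension-page") return true;
  if (context === "own-content-script") return !PRIVILEGED.has(message.action);
  return false; // foreign extensions, web pages, unknown senders
}

// Constructed senders: same page origin, different code behind it.
const SENDERS = {
  ownPage: { id: OWN_ID, origin: OWN_ORIGIN },
  ownContentScript: { id: OWN_ID, origin: TRUSTED_SITE, tab: { id: 7 } },
  otherExtension: { id: "b".repeat(32), origin: TRUSTED_SITE, tab: { id: 7 } },
  webPage: { origin: TRUSTED_SITE, tab: { id: 7 } },
};

// Evaluate both checks for every sample sender.
function compareChecks(message) {
  return Object.entries(SENDERS).map(([name, sender]) => ({
    name,
    originOnly: originOnlyCheck(sender),
    context: contextCheck(sender, message),
  }));
}

console.table(compareChecks({ action: "run_agent_task" }));
```

The origin-only column accepts every sender that sits on the trusted site, including the foreign extension; the context column accepts the privileged action only from the extension's own page.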
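
One way to monitor Claude Code config changes as suggested above, written as an added example rather than any vendor's tooling: it compares the MCP server entries of a `~/.claude.json` style config against a reviewed baseline and a host allowlist. The `mcpServers` layout, the hostnames and both sample configs are assumptions.

```javascript
// Added example, not Anthropic's or Mitiga's code. Assumes ~/.claude.json keeps
// MCP servers under "mcpServers" (top level and per project), each with a
// "url" (remote) or a "command" (local). Hosts and entries are constructed.
const ALLOWED_HOSTS = new Set(["mcp.example-corp.test"]); // placeholder allowlist

// Collect every MCP server entry together with the scope that declares it.
function collectServers(config) {
  const found = [];
  const add = (scope, servers) => {
    for (const [name, entry] of Object.entries(servers || {})) {
      found.push({ key: `${scope}/${name}`, entry });
    }
  };
  add("user", config.mcpServers);
  for (const [path, project] of Object.entries(config.projects || {})) {
    add(`project:${path}`, project && project.mcpServers);
  }
  return found;
}

// True only for an https URL whose host is on the allowlist.
function endpointAllowed(url) {
  try {
    const parsed = new URL(url);
    return parsed.protocol === "https:" && ALLOWED_HOSTS.has(parsed.hostname);
  } catch (_) { return false; } // unparsable URL
}

// Compare the current config against a reviewed baseline and the allowlist.
function auditMcpConfig(current, baseline) {
  const known = new Map(collectServers(baseline).map((s) => [s.key, JSON.stringify(s.entry)]));
  const findings = [];
  for (const { key, entry } of collectServers(current)) {
    if (!known.has(key)) findings.push(`${key}: not in baseline`);
    else if (known.get(key) !== JSON.stringify(entry)) findings.push(`${key}: changed since baseline`);
    if (entry && typeof entry.url === "string" && !endpointAllowed(entry.url)) {
      findings.push(`${key}: endpoint not allowlisted (${entry.url})`);
    }
  }
  return findings;
}

// Constructed sample data (not a real config).
const BASELINE = { mcpServers: { tickets: { type: "http", url: "https://mcp.example-corp.test/mcp" } } };
const TAMPERED = {
  mcpServers: { tickets: { type: "http", url: "https://relay.invalid/mcp" } },
  projects: { "/work/app": { mcpServers: { helper: { command: "node", args: ["helper.js"] } } } },
};
console.log(auditMcpConfig(TAMPERED, BASELINE));
```

Because the check runs on the config itself, it keeps flagging a redirected endpoint after tokens are rotated, which is the re-seeding case the article mentions.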