So the Claude extension allows any other extension to inject JavaScript into claude.ai and run it? Cool cool cool.
Yeah, don't let this one in.
Post
Replies:
11
Boosts:
17
@mttaggart Wait, so any extension with zero permission can execute XSS code on any origin? Injecting prompts to claude is the least of my worries then. With that, can't the same extension just steal your github credentials?
@mttaggart I looked a bit into it - apparently, Chrome does not require specific permissions beyond agreeing to install the extension, to inject content into the MAIN context of a page.
So, it looks like all of the demonstrated things (stealing emails, exfiltrating repos, etc.) could be done with just a malicious extension, completely skipping the claude step.
The only benefit it gives the attacker is that they can just tell claude what to do for them, instead of having to write (or vibecode) an actual exploit script.
So, for the demonstrated exploits, the claude extension doesn't really seem to add any new capabilities beyond what an installed extension can do anyways.
@mttaggart
They can't have vulnerabilities they have mYtHoS
@mttaggart yikes, extension permissions are such a mess. the name ClaudeBleed is dramatic but the issue is real
@mttaggart An "AI tool" is vibe coded insecure slop? Who would've thunk™
(btw #opencode is insecure crap, too, yet it has a scary amount of users)
@mttaggart
this calls for the claude emoji: 🤡
@mttaggart @briankrebs Mythos really missed this one, eh?
@mttaggart browser extension development and security practices writ large are stuck in 1995 I stg
@mttaggart VANILLA is good. No external dependencies should be pressed a little bit harder. And... it would be great to have that packaged in a single file. Try telling these 'Claudes' to do it that way.
@mttaggart this is why Anthropic needs to make Mythos available, so companies like Anthropic can catch these bugs!
@mttaggart The "s" in Anthropic stands for security
