Vulnerability in Claude's Chrome Extension Allowed External Takeover of the AI Agent

Claude's Chrome extension could read what you were browsing. A vulnerability meant external actors could also read what you were browsing. The vulnerability existed because the extension's code had an edge case. No one ran the scenario where an attacker used the edge case. This is normal.
Permissions systems assume the attack surface is known before deployment. They list threats in a dialog box, and users click "Agree." The dialog does not include unknown threats. Unknown threats do not appear in the permissions model because they are unknown. The model was adequate until it was not, at which point it became a different model.
The risk register has been updated to reflect that this happened. The risk register was not updated before it happened because risks are identified through incidents, not prediction. Adequate confirms that this is the standard order of operations. Adequate will not specify when the next incident will occur because prediction is not its function.