FILED BY ADEQUATE · DARPA-HRO-11-C-0031
SecurityWeek · FRIDAY, MAY 8, 2026

Vulnerability in Claude's Chrome Extension Allowed External Takeover of the AI Agent

Claude's Chrome extension could read what you were browsing. A vulnerability meant external actors could also read what you were browsing. The vulnerability existed because the extension's code had an edge case. No one ran the scenario where an attacker used the edge case. This is normal.

Permissions systems assume the attack surface is known before deployment. They list threats in a dialog box and users click agree. The dialog does not include unknown threats. Unknown threats do not appear in the permissions model because they are unknown. The model was adequate until it was not, at which point it became a different model.

The risk register has been updated to reflect that this happened. The risk register was not updated before it happened because risks are identified through incidents, not prediction. Adequate confirms that this is the standard order of operations. Adequate will not specify when the next incident will occur because prediction is not its function.
