Zero-Click XSS in Claude Chrome Extension Lets Any Site Inject Malicious Prompts

Summary

Researchers disclosed a critical flaw in Anthropic’s Claude Chrome extension that allowed any website to inject prompts into the assistant without user interaction. The issue combined a permissive origin allowlist with a DOM-based cross-site scripting vulnerability. The attack required no clicks and left users unaware.

What happened

Koi Security researcher Oren Yomtov found the problem and published a detailed report. He said the flaw “allowed any website to silently inject prompts into that assistant as if the user wrote them.” Yomtov added, “No clicks, no permission prompts. Just visit a page, and an attacker completely controls your browser.”

How the exploit worked

The chain, which Koi Security codenamed ShadowPrompt, relied on two separate issues working together.

  • Permissive origin allowlist. The Claude extension accepted prompts from any subdomain matching the pattern *.claude.ai. That allowed pages hosted under those subdomains to send instructions to the extension.
  • DOM-based XSS in a CAPTCHA component. Arkose Labs operated a CAPTCHA component on a host named a-cdn.claude.ai. Researchers at Koi Security found a DOM-based cross-site scripting vulnerability in that component. The XSS allowed arbitrary JavaScript to run in the context of that host.

Combined, these two issues let an attacker inject script into the Arkose component and then have that script issue a prompt to the Claude extension. The extension accepted the prompt because it appeared to come from an allow-listed origin. “The attacker’s page embeds the vulnerable Arkose component in a hidden iframe, sends the XSS payload via postMessage, and the injected script fires the prompt to the extension,” Yomtov explained. “The victim sees nothing.”

Real-world impact

Successful attacks could extract sensitive material and take actions on behalf of the user. Koi Security warned that an attacker could steal access tokens, read conversation history, or instruct the assistant to send emails impersonating the user. Those outcomes follow logically from an extension that can read and act on browser state and that accepts remote prompts as if entered by the user.

Vendor response

Anthropic received the report through responsible disclosure on December 27, 2025. Anthropic patched the Chrome extension and released version 1.0.41. The company enforced a strict origin check requiring an exact match to the domain “claude.ai.” Anthropic said this change prevents subdomains from being implicitly trusted.

Arkose Labs also addressed the underlying CAPTCHA XSS. Arkose Labs fixed the DOM-based XSS on February 19, 2026, according to the coordinated disclosure timeline shared with Koi Security. With both fixes in place, the ShadowPrompt chain is no longer exploitable in the same way.

Why this matters

Koi Security summed up the strategic risk. “The more capable AI browser assistants become, the more valuable they are as attack targets,” the firm said. “An extension that can navigate your browser, read your credentials, and send emails on your behalf is an autonomous agent. And the security of that agent is only as strong as the weakest origin in its trust boundary.”

The incident highlights two lessons for developers and users. First, browser extensions must enforce precise origin checks and not trust broad wildcard patterns. Second, third-party components hosted on trusted domains must be treated as potential attack vectors and tested thoroughly for XSS and other client-side flaws.
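The first lesson, shown as an added example (not Anthropic's or Koi Security's code): a wildcard-style origin check next to an exact-match check, run over constructed sample origins. The function names, the sample list, and the assumption that the wildcard also covers the apex domain are illustrative.

```javascript
// Added illustration; names and sample origins are constructed, not from the extension.
const TRUSTED_ORIGIN = "https://claude.ai";

// Parse a sender origin string; return null for anything that is not a URL.
function parseOrigin(origin) {
  if (typeof origin !== "string") return null;
  try {
    return new URL(origin);
  } catch {
    return null; // e.g. the opaque origin "null" or garbage input
  }
}

// Weak policy: models the *.claude.ai pattern described above.
// Assumption: the apex domain is accepted as well as every subdomain.
// Any script running on any subdomain inherits full trust.
function wildcardAllows(origin) {
  const u = parseOrigin(origin);
  return u !== null && u.protocol === "https:" &&
    (u.hostname === "claude.ai" || u.hostname.endsWith(".claude.ai"));
}

// Hardened policy: scheme, host and port must all match one exact origin.
function exactAllows(origin) {
  const u = parseOrigin(origin);
  return u !== null && u.origin === TRUSTED_ORIGIN;
}

// Origins the wildcard policy trusts but the exact policy rejects:
// this is the extra trust boundary a reviewer should account for.
function trustDelta(origins) {
  return origins.filter((o) => wildcardAllows(o) && !exactAllows(o));
}

// Constructed sample origins for the comparison.
const SAMPLE_ORIGINS = [
  "https://claude.ai",
  "https://a-cdn.claude.ai",        // third-party-operated subdomain
  "https://claude.ai:8443",         // same host, different port
  "https://claude.ai.evil.example", // lookalike suffix, rejected by both
  "https://evilclaude.ai",          // lookalike prefix, rejected by both
  "http://claude.ai",               // wrong scheme, rejected by both
  "null",                           // opaque origin, rejected by both
];

console.log(trustDelta(SAMPLE_ORIGINS));
```

Running the same comparison against the real list of hosts under a trusted parent domain gives an inventory of every origin whose client-side bugs become the extension's bugs.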

Takeaways for users

  • Update the Claude Chrome extension to version 1.0.41 or later. Anthropic rolled out the fix after the disclosure.
  • Use caution when visiting unfamiliar sites. Zero-click attacks require no interaction but often depend on hidden frames and third-party widgets.
  • Favor extensions from vendors who publish security practices and perform regular audits of embedded components.

This vulnerability shows how small configuration choices and a single XSS bug can be combined to give attackers broad control. The coordinated fixes by Anthropic and Arkose Labs closed the immediate risk, but the underlying class of attacks remains important for anyone building browser-based AI assistants.
