Claude Extension Flaw Enabled Zero-Click XSS Prompt Injection via Any Website

Security Reporter

Anthropic's Claude Chrome Extension contained a critical vulnerability that allowed any website to silently inject malicious prompts into the AI assistant without user interaction, potentially enabling data theft and impersonation.

A critical vulnerability in Anthropic's Claude Chrome Extension has been disclosed that could have allowed attackers to silently inject malicious prompts into the AI assistant as soon as a user visited a compromised website, without any further user interaction or visible warning.

The ShadowPrompt Vulnerability

The flaw, dubbed "ShadowPrompt" by Koi Security researcher Oren Yomtov, chains together two separate security issues to create a powerful attack vector. The first component is an overly permissive origin allowlist in the Claude extension that accepted any subdomain matching the pattern *.claude.ai as a trusted source for sending prompts to the AI assistant.

This permissive configuration was exploited through a second vulnerability: a DOM-based cross-site scripting (XSS) flaw in an Arkose Labs CAPTCHA component hosted on a-cdn.claude.ai. The XSS vulnerability allowed attackers to execute arbitrary JavaScript code in the context of this domain.

How the Attack Works

A threat actor could weaponize this combination by embedding the vulnerable Arkose component in a hidden iframe on their malicious website. Using JavaScript's postMessage API, they could send an XSS payload to the CAPTCHA component, which would then execute arbitrary code.

This injected script could then issue a prompt to the Claude extension. Because the request originated from an allow-listed domain (a-cdn.claude.ai), the extension would accept it as legitimate and display the malicious prompt in Claude's sidebar as if the user had typed it themselves.

"The victim sees nothing," Yomtov explained. "No clicks, no permission prompts. Just visit a page, and an attacker completely controls your browser."

Potential Impact

Successful exploitation of this vulnerability could have enabled attackers to:

  • Steal sensitive data such as access tokens and authentication credentials
  • Access conversation history with the AI agent
  • Perform actions on behalf of the victim, including sending emails impersonating them
  • Request confidential data through carefully crafted prompts

The attack is particularly dangerous because it requires zero user interaction beyond visiting a compromised website, making it nearly impossible for victims to detect or prevent.

Patching and Response

Following responsible disclosure on December 27, 2025, Anthropic deployed a patch to the Chrome extension (version 1.0.41) that enforces a strict origin check requiring an exact match to the domain claude.ai. This change prevents the overly permissive subdomain wildcard from being exploited.
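
The difference between the wildcard rule and the exact-match rule, as an added example that is not Anthropic's extension code: the function names and sample origins are constructed, and the strict rule assumes the trusted origin is https://claude.ai on the default port.

```javascript
// Added example; function names and sample origins are constructed.
const TRUSTED_HOST = "claude.ai";
const TRUSTED_ORIGIN = "https://" + TRUSTED_HOST; // assumption: https, default port

// Parse a sender origin string; return null unless it is a bare https origin.
function parseOrigin(origin) {
  let url;
  try {
    url = new URL(origin);
  } catch {
    return null; // "null", empty or malformed origins are never trusted
  }
  if (url.protocol !== "https:" || url.port !== "") return null;
  // A real origin has no path, query, fragment or credentials.
  return url.origin === origin ? url : null;
}

// Weak: mirrors a "*.claude.ai" allowlist. Every subdomain is trusted, so a
// script-injection bug on any one of them is inherited by the extension.
function isTrustedWildcard(origin) {
  const url = parseOrigin(origin);
  if (!url) return false;
  return url.hostname === TRUSTED_HOST || url.hostname.endsWith("." + TRUSTED_HOST);
}

// Strict: exact match on one origin, as the patched check is described.
function isTrustedExact(origin) {
  return origin === TRUSTED_ORIGIN;
}

// Origins the wildcard rule trusts but the exact rule rejects: each one is
// extra surface inside the trust boundary that has to be audited.
function trustBoundaryDelta(origins) {
  return origins.filter((o) => isTrustedWildcard(o) && !isTrustedExact(o));
}

// Constructed sample input (only a-cdn.claude.ai is named in the article).
const SAMPLE_ORIGINS = [
  "https://claude.ai",
  "https://a-cdn.claude.ai",
  "https://claude.ai.example.test", // lookalike suffix
  "https://notclaude.ai",           // lookalike prefix
  "http://claude.ai",               // wrong scheme
  "https://claude.ai:8443",         // non-default port
  "null",                           // opaque origin
];

console.log(trustBoundaryDelta(SAMPLE_ORIGINS));
```
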

Arkose Labs has also addressed the XSS vulnerability in their CAPTCHA component, with the fix implemented as of February 19, 2026.

Security Implications

The ShadowPrompt vulnerability highlights the growing security challenges as AI browser assistants become more capable and autonomous. "The more capable AI browser assistants become, the more valuable they are as attack targets," Koi Security noted.

An extension that can navigate your browser, read your credentials, and send emails on your behalf is essentially an autonomous agent. As Yomtov emphasized, "The security of that agent is only as strong as the weakest origin in its trust boundary."

This incident serves as a reminder that as AI tools gain more capabilities and access to sensitive operations, their security boundaries must be carefully designed and regularly audited to prevent exploitation through seemingly unrelated components.
