Critical Claude Chrome Extension Bug Enables Silent Prompt Injection
Key Takeaways A critical zero-click vulnerability in Anthropic’s Claude Chrome Extension allowed silent prompt injection. The flaw, affecting over 3 million users, could have led to...
Key Takeaways
- A critical zero-click vulnerability in Anthropic’s Claude Chrome Extension allowed silent prompt injection.
- The flaw, affecting over 3 million users, could have led to unauthorized access to Gmail, Google Drive, and LLM chat history.
- The exploit chained an overly permissive origin allowlist in the Claude extension with a DOM-based XSS in a third-party Arkose Labs component.
- Anthropic patched the vulnerability (version 1.0.41 or higher) on January 15, 2026, and Arkose Labs patched its component by February 19, 2026.
Silent Prompt Injection Threatens Claude Chrome Extension Users
A severe, zero-click vulnerability within the Anthropic Claude Chrome Extension recently exposed over three million users to silent prompt injection attacks. This critical flaw allowed malicious websites to surreptitiously hijack the AI assistant, executing commands without any user interaction.
Table Of Content
If exploited, the vulnerability could have enabled attackers to steal sensitive data, including Gmail access tokens, read Google Drive files, export conversational history from the LLM, and dispatch emails—all completely invisible to the user.
The Exploit Chain Uncovered
Security researchers at KOI uncovered a sophisticated exploit chain comprising two distinct vulnerabilities that, when combined, could lead to full browser takeover. The initial weakness resided within the Claude extension itself: an overly permissive origin allowlist.
The extension’s messaging API included an onboarding_task message type that accepted a prompt parameter. This parameter was then directly forwarded to Claude for execution. Crucially, the extension’s validation mechanism only verified that messages originated from any *.claude.ai subdomain, a wildcard configuration that proved dangerously broad.
Third-Party Component introduces XSS
The second critical flaw was found in a third-party component. Anthropic utilizes Arkose Labs for CAPTCHA verification, with challenge components hosted on a-cdn.claude.ai, a first-party subdomain. Because this subdomain matched the broad *.claude.ai wildcard, the Claude extension granted it full messaging permissions, identical to those of claude.ai itself.
Researchers subsequently discovered that the Arkose CDN continued to serve older, versioned CAPTCHA game components at predictable URLs. By systematically exploring older version numbers, they identified one such version containing a DOM-based cross-site scripting (XSS) vulnerability. This XSS resulted from two compounding errors:
- The component accepted
postMessagedata from any parent origin without properly validatingevent.origin. - It rendered a user-controlled
stringTablefield as raw HTML using React’sdangerouslySetInnerHTMLwithout any sanitization.
The Full Exploit Chain
An attacker could initiate the exploit by embedding the vulnerable Arkose component within a hidden on any malicious webpage. When a victim simply visited this page, the attacker’s script would send a postMessage payload containing a crafted HTML injection string, such as . The CAPTCHA component would then render this string as HTML, executing arbitrary JavaScript within the context of a-cdn.claude.ai.
This injected script would then call chrome.runtime.sendMessage(), targeting the Claude extension with an attacker-controlled prompt. The extension, perceiving the message as originating from a trusted *.claude.ai origin, would pass it through, allowing Claude to execute the instruction as if it were a legitimate user command.
The entire attack chain unfolded silently, requiring no clicks, displaying no permission dialogs, and providing no visible indicators to the user. Given that the Claude extension functions as an autonomous browser agent capable of navigating pages, executing JavaScript, and interacting with web services, an attacker’s injected prompt carried the same level of trust as legitimate user instructions.
Demonstrated attack scenarios included the theft of persistent Google OAuth access tokens, unauthorized reading of Gmail and Google Drive contents, and the exfiltration of large language model (LLM) conversation history.
The vulnerability was responsibly disclosed to Anthropic via HackerOne on December 26, 2025. Anthropic confirmed and triaged the issue within 24 hours and deployed a fix on January 15, 2026. This fix replaced the permissive wildcard allowlist with a strict origin check, requiring messages to originate precisely from https://claude.ai.
The Arkose Labs XSS was separately reported on February 3, 2026, confirmed within 24 hours, and fully patched by February 19, 2026. The vulnerable URL now returns a 403 response.
This incident highlights a systemic risk in AI browser agents: the security perimeter is inherently limited by the weakest trusted origin. Third-party vendor components hosted on first-party subdomains can silently expand this trust boundary in ways that are not immediately apparent. As AI assistants gain deeper browser access, they become higher-value targets for attackers, turning supply chain trust issues into exploitable attack surfaces.
What You Should Do
- Update Your Extension: Ensure your Anthropic Claude Chrome Extension is updated to version 1.0.41 or higher. You can verify your installed version by navigating to
chrome://extensionsin your browser. - Exercise Caution: Be vigilant about the websites you visit, especially those that request extensive browser permissions or interact with AI extensions.
- Review Permissions: Periodically review the permissions granted to your browser extensions and revoke any that seem excessive or unnecessary.
- Stay Informed: Keep abreast of cybersecurity news and updates from vendors regarding AI tools and browser extensions.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.



No Comment! Be the first one.