Critical Claude Chrome Extension Bug Enables Silent Prompt Injection

Emy Elsamnoudy
March 27, 2026

Key Takeaways

  • A critical zero-click vulnerability in Anthropic’s Claude Chrome Extension allowed silent prompt injection.
  • The flaw, affecting over 3 million users, could have led to unauthorized access to Gmail, Google Drive, and LLM chat history.
  • The exploit chained an overly permissive origin allowlist in the Claude extension with a DOM-based XSS in a third-party Arkose Labs component.
  • Anthropic patched the vulnerability (version 1.0.41 or higher) on January 15, 2026, and Arkose Labs patched its component by February 19, 2026.

Silent Prompt Injection Threatens Claude Chrome Extension Users

A severe, zero-click vulnerability within the Anthropic Claude Chrome Extension recently exposed over three million users to silent prompt injection attacks. This critical flaw allowed malicious websites to surreptitiously hijack the AI assistant, executing commands without any user interaction.

If exploited, the vulnerability could have enabled attackers to steal sensitive data, including Gmail access tokens, read Google Drive files, export conversational history from the LLM, and dispatch emails—all completely invisible to the user.

The Exploit Chain Uncovered

Security researchers at KOI uncovered a sophisticated exploit chain comprising two distinct vulnerabilities that, when combined, could lead to full browser takeover. The initial weakness resided within the Claude extension itself: an overly permissive origin allowlist.

The extension’s messaging API included an onboarding_task message type that accepted a prompt parameter. This parameter was then directly forwarded to Claude for execution. Crucially, the extension’s validation mechanism only verified that messages originated from any *.claude.ai subdomain, a wildcard configuration that proved dangerously broad.

Third-Party Component Introduces XSS

The second critical flaw was found in a third-party component. Anthropic utilizes Arkose Labs for CAPTCHA verification, with challenge components hosted on a-cdn.claude.ai, a first-party subdomain. Because this subdomain matched the broad *.claude.ai wildcard, the Claude extension granted it full messaging permissions, identical to those of claude.ai itself.

Researchers subsequently discovered that the Arkose CDN continued to serve older, versioned CAPTCHA game components at predictable URLs. By systematically exploring older version numbers, they identified one such version containing a DOM-based cross-site scripting (XSS) vulnerability. This XSS resulted from two compounding errors:

  • The component accepted postMessage data from any parent origin without properly validating event.origin.
  • It rendered a user-controlled stringTable field as raw HTML using React’s dangerouslySetInnerHTML without any sanitization.
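The two missing controls, sketched as an added example (not Arkose Labs code and not from the original report): the handler checks event.origin against an allowlist, accepts only string values, and the renderer encodes the text instead of treating it as HTML. The allowed parent origin, the `title` key and all function names are assumptions.

```javascript
// Added illustration: names and the allowed parent origin are assumptions.
const ALLOWED_PARENTS = new Set(["https://claude.ai"]);

// Encode text for an HTML context so markup inside a string stays inert.
function escapeHtml(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Validate a message event before any field of it reaches the UI.
// Meant to be called from a window "message" listener.
// Returns an object of strings, or null if the message is rejected.
function acceptStringTable(event) {
  if (!ALLOWED_PARENTS.has(event.origin)) return null; // the missing origin check
  const table = event.data && event.data.stringTable;
  if (!table || typeof table !== "object" || Array.isArray(table)) return null;
  const clean = Object.create(null); // no inherited keys
  for (const [key, value] of Object.entries(table)) {
    if (typeof value !== "string") return null; // strings only
    clean[key] = value;
  }
  return clean;
}

// Render a label as text. In React this corresponds to passing the string
// as a child ({label}) instead of using dangerouslySetInnerHTML.
function renderLabel(table, key) {
  return `<span class="label">${escapeHtml(table[key] ?? "")}</span>`;
}
```

Either control alone would have broken this link of the chain; applying both means a string from an unexpected parent is dropped, and a string from an expected parent is still displayed as text.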

The Full Exploit Chain

An attacker could initiate the exploit by embedding the vulnerable Arkose component within a hidden iframe on any malicious webpage. When a victim simply visited this page, the attacker’s script would send a postMessage payload containing a crafted HTML injection string. The CAPTCHA component would then render this string as HTML, executing arbitrary JavaScript within the context of a-cdn.claude.ai.

This injected script would then call chrome.runtime.sendMessage(), targeting the Claude extension with an attacker-controlled prompt. The extension, perceiving the message as originating from a trusted *.claude.ai origin, would pass it through, allowing Claude to execute the instruction as if it were a legitimate user command.

The entire attack chain unfolded silently, requiring no clicks, displaying no permission dialogs, and providing no visible indicators to the user. Given that the Claude extension functions as an autonomous browser agent capable of navigating pages, executing JavaScript, and interacting with web services, an attacker’s injected prompt carried the same level of trust as legitimate user instructions.

Demonstrated attack scenarios included the theft of persistent Google OAuth access tokens, unauthorized reading of Gmail and Google Drive contents, and the exfiltration of large language model (LLM) conversation history.

The vulnerability was responsibly disclosed to Anthropic via HackerOne on December 26, 2025. Anthropic confirmed and triaged the issue within 24 hours and deployed a fix on January 15, 2026. This fix replaced the permissive wildcard allowlist with a strict origin check, requiring messages to originate precisely from https://claude.ai.
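The difference between the wildcard allowlist described earlier and the strict check in the fix, as an added example (not Anthropic's code): the same external-message handler is run with each check against constructed sender origins. The handler shape and function names are hypothetical; `onboarding_task`, `prompt` and the origins come from the article.

```javascript
// Added illustration: function names and handler shape are hypothetical.
const TRUSTED_ORIGIN = "https://claude.ai";

// Before: any https subdomain of claude.ai passes, so a vendor-hosted
// subdomain such as a-cdn.claude.ai gets the same rights as claude.ai.
function wildcardAllows(senderUrl) {
  try {
    const { protocol, hostname } = new URL(senderUrl);
    return protocol === "https:" &&
      (hostname === "claude.ai" || hostname.endsWith(".claude.ai"));
  } catch {
    return false; // unparsable sender
  }
}

// After: exact match on one serialized origin (scheme + host + port).
function strictAllows(senderUrl) {
  try {
    return new URL(senderUrl).origin === TRUSTED_ORIGIN;
  } catch {
    return false;
  }
}

// Hypothetical external-message handler: forwards a prompt only when the
// origin check passes and the message has the expected type and shape.
function handleExternalMessage(message, sender, allows, forwardPrompt) {
  const senderUrl = sender.origin || sender.url || "";
  if (!allows(senderUrl)) return { ok: false, reason: "untrusted origin" };
  if (!message || message.type !== "onboarding_task" ||
      typeof message.prompt !== "string") {
    return { ok: false, reason: "unexpected message" };
  }
  forwardPrompt(message.prompt);
  return { ok: true };
}

// Constructed sender origins: [origin, wildcard result, strict result].
function compareChecks() {
  return [
    "https://claude.ai",
    "https://a-cdn.claude.ai",
    "http://claude.ai",
    "https://claude.ai.example.net",
    "https://notclaude.ai",
  ].map((s) => [s, wildcardAllows(s), strictAllows(s)]);
}
```

Only the second row differs between the two checks: the wildcard accepts the vendor-hosted subdomain, while the strict comparison accepts https://claude.ai alone.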

The Arkose Labs XSS was separately reported on February 3, 2026, confirmed within 24 hours, and fully patched by February 19, 2026. The vulnerable URL now returns a 403 response.

This incident highlights a systemic risk in AI browser agents: the security perimeter is inherently limited by the weakest trusted origin. Third-party vendor components hosted on first-party subdomains can silently expand this trust boundary in ways that are not immediately apparent. As AI assistants gain deeper browser access, they become higher-value targets for attackers, turning supply chain trust issues into exploitable attack surfaces.

What You Should Do

  • Update Your Extension: Ensure your Anthropic Claude Chrome Extension is updated to version 1.0.41 or higher. You can verify your installed version by navigating to chrome://extensions in your browser.
  • Exercise Caution: Be vigilant about the websites you visit, especially those that request extensive browser permissions or interact with AI extensions.
  • Review Permissions: Periodically review the permissions granted to your browser extensions and revoke any that seem excessive or unnecessary.
  • Stay Informed: Keep abreast of cybersecurity news and updates from vendors regarding AI tools and browser extensions.
