
Claude Extension Flaw Enabled Zero-Click XSS Prompt Injection via Any Website

Cybersecurity researchers have disclosed a vulnerability in Anthropic's Claude Google Chrome extension that could have been exploited to trigger malicious prompts simply by visiting a web page.

The flaw "allowed any website to silently inject prompts into that assistant as if the user wrote them," Koi Security researcher Oren Yomtov said in a report shared with The Hacker News. "No clicks, no permission prompts. Just visit a page, and an attacker fully controls your browser."

The issue, codenamed ShadowPrompt, chains two underlying flaws:

  • An overly permissive origin allowlist in the extension that allowed any subdomain matching the pattern (*.claude.ai) to send a prompt to Claude for execution.
  • A document object model (DOM)-based cross-site scripting (XSS) vulnerability in an Arkose Labs CAPTCHA component hosted on "a-cdn.claude[.]ai."

Specifically, the XSS vulnerability enables the execution of arbitrary JavaScript code in the context of "a-cdn.claude[.]ai." A threat actor could leverage this behavior to inject JavaScript that issues a prompt to the Claude extension.


The extension, for its part, allows the prompt to land in Claude's sidebar as if it were a legitimate user request simply because it comes from an allow-listed domain.

"The attacker's page embeds the vulnerable Arkose component in a hidden <iframe>, sends the XSS payload via postMessage, and the injected script fires the prompt to the extension," Yomtov explained. "The victim sees nothing."

Successful exploitation of this vulnerability could allow the adversary to steal sensitive data (e.g., access tokens), access conversation history with the AI agent, and even perform actions on behalf of the victim (e.g., sending emails impersonating them, asking for confidential data).

Following responsible disclosure on December 27, 2025, Anthropic deployed a patch to the Chrome extension (version 1.0.41) that enforces a strict origin check requiring an exact match to the domain "claude[.]ai." Users of the extension should confirm that the installed version is 1.0.41 or later. Arkose Labs has since fixed the XSS flaw on its end as of February 19, 2026.
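To make the difference between the two origin policies concrete, the following is an added example written for this page; it is not code from Koi Security, Anthropic or Arkose Labs. It models a subdomain-wildcard allowlist of the "*.claude.ai" kind described above next to the exact-origin check the patch is said to enforce, and runs both against a handful of constructed origins. The function names, the {type, text} message shape and the sample origins are assumptions made for illustration only.

```javascript
// Added example (not code from Koi Security, Anthropic or Arkose Labs):
// contrasts a subdomain-wildcard origin allowlist of the "*.claude.ai" kind
// the article describes with the exact-origin check it says version 1.0.41
// enforces. The function names, the message shape {type, text} and the
// sample origins are assumptions made for illustration only.

const TRUSTED_HOST = 'claude.ai';
const TRUSTED_ORIGIN = 'https://claude.ai';

// Weak check: any https origin whose hostname is claude.ai or any subdomain
// of it passes. An XSS on any such subdomain (a CDN-hosted widget, for
// instance) therefore inherits the extension's trust.
function isAllowedOriginWildcard(origin) {
  let url;
  try {
    url = new URL(origin);
  } catch (e) {
    return false;
  }
  if (url.protocol !== 'https:') return false;
  const host = url.hostname;
  return host === TRUSTED_HOST || host.endsWith('.' + TRUSTED_HOST);
}

// Strict check: compare the serialized origin string (scheme + host + port)
// for exact equality, which is what a postMessage listener receives in
// event.origin and what the patch described above amounts to.
function isAllowedOriginExact(origin) {
  return origin === TRUSTED_ORIGIN;
}

// Minimal model of a listener that turns a browser message into a prompt for
// the assistant. It returns the prompt text if the message is accepted and
// null otherwise, so the two origin policies can be compared directly.
function handlePromptMessage(event, originCheck) {
  if (!event || typeof event.origin !== 'string') return null;
  if (!originCheck(event.origin)) return null;
  const data = event.data;
  if (!data || data.type !== 'prompt' || typeof data.text !== 'string') return null;
  return data.text;
}

// Constructed sample origins: the real app, a subdomain like the one the
// CAPTCHA component was served from, a look-alike host, a non-TLS and an
// off-port variant, and an unrelated site.
const SAMPLE_ORIGINS = [
  'https://claude.ai',
  'https://a-cdn.claude.ai',
  'https://claude.ai.example.net',
  'http://claude.ai',
  'https://claude.ai:8443',
  'https://example.org',
];

// Returns, for each origin, whether an injected prompt would be accepted
// under the wildcard policy and under the exact policy.
function compareOriginPolicies(origins = SAMPLE_ORIGINS) {
  return origins.map((origin) => {
    const event = { origin, data: { type: 'prompt', text: 'constructed prompt' } };
    return {
      origin,
      wildcard: handlePromptMessage(event, isAllowedOriginWildcard) !== null,
      exact: handlePromptMessage(event, isAllowedOriginExact) !== null,
    };
  });
}

// Stand-alone run: print the comparison table.
for (const row of compareOriginPolicies()) {
  console.log(`${row.origin.padEnd(32)} wildcard=${row.wildcard}  exact=${row.exact}`);
}
```

Run it with node. The row for the a-cdn subdomain is the one that matters: the wildcard policy accepts a prompt from it, so script running there under an XSS is indistinguishable from the real application, while the exact policy rejects it. The off-port row shows a second, smaller point: a hostname-based check silently ignores the port, whereas comparing the full serialized origin does not.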


"The more capable AI browser assistants become, the more valuable they are as attack targets," Koi said. "An extension that can navigate your browser, read your credentials, and send emails on your behalf is an autonomous agent. And the security of that agent is only as strong as the weakest origin in its trust boundary."
