Key Findings

• Vulnerability in Anthropic's Claude Chrome extension allowed zero-click prompt injection from any website without user interaction or permission prompts

• Attack chains two flaws: overly permissive origin allowlist and DOM-based XSS in Arkose Labs CAPTCHA component

• Successful exploitation could enable data theft, access token compromise, conversation history access, and account takeover

• Patch deployed December 27, 2025 (version 1.0.41); Arkose Labs fixed XSS component February 19, 2026

Background

Researchers at Koi Security discovered the vulnerability, codenamed ShadowPrompt, which exploited fundamental trust assumptions in how the Claude extension validates requests. The flaw demonstrated how even well-intentioned browser extensions can become attack vectors when security boundaries are not carefully defined.

Technical Vulnerability Chain

The attack relied on two underlying flaws working in tandem. First, the extension maintained an overly permissive allowlist that trusted any subdomain matching the pattern *.claude.ai to send prompts for execution. Second, a DOM-based XSS vulnerability existed in an Arkose Labs CAPTCHA component hosted on a-cdn.claude.ai that allowed arbitrary JavaScript execution.

An attacker could embed the vulnerable Arkose component in a hidden iframe on their website, send an XSS payload via postMessage, and the injected script would fire a prompt directly to the Claude extension. The extension would accept this request as legitimate because it originated from an allowlisted domain. The victim would see nothing suspicious throughout the entire process.

Attack Impact

Successful exploitation granted attackers significant capabilities over the victim's browser environment. Attackers could steal sensitive authentication tokens, access the user's entire conversation history with Claude, and perform actions on behalf of the victim such as sending emails or requesting confidential information. This essentially transformed the extension into an autonomous agent under attacker control.

Remediation

Anthropic responded with a patch in version 1.0.41 that enforced strict origin checking requiring exact domain matching to claude.ai rather than accepting any subdomain. Arkose Labs independently fixed the XSS vulnerability in their CAPTCHA component. The coordinated response highlighted the importance of responsible disclosure and cross-vendor collaboration in addressing security issues.

Broader Security Implications

The incident underscores a critical challenge as AI browser assistants become more capable. Extensions that can navigate browsers, read credentials, and perform actions on behalf of users become high-value targets. The security posture of such tools depends entirely on how carefully their trust boundaries are defined. As these assistants gain more autonomous capabilities, the attack surface expands proportionally, requiring increasingly rigorous security practices during development.

Sources

• https://thehackernews.com/2026/03/claude-extension-flaw-enabled-zero.html

• https://www.youtube.com/watch?v=pUVikRiEbYE

• https://www.socdefenders.ai/item/4129d637-c79b-4bd7-a96a-1044636946f6

• https://x.com/TheCyberSecHub/status/2037160793314386018

• https://www.cypro.se/2026/03/26/claude-extension-flaw-enabled-zero-click-xss-prompt-injection-via-any-website/