Cybersecurity researchers have revealed a vulnerability in Anthropic’s Claude Google Chrome extension that could be exploited to display a malicious prompt simply by visiting a web page.
The flaw “allowed any website to silently insert a prompt into its assistant, as if the user had written the prompt,” Koi Security researcher Oren Yomtov said in a report shared with The Hacker News. “There are no clicks, no permission prompts. Just visit the page and the attacker takes full control of your browser.”
This issue, codenamed “ShadowPrompt”, is a combination of two fundamental flaws:
The origin whitelist in the extension was overly permissive, allowing subdomains matching the pattern (*.claude.ai) to send execution prompts to Claude. Document Object Model (DOM)-based cross-site scripting (XSS) vulnerability in Arkose Labs CAPTCHA component hosted on ‘a-cdn.claude'[.]love. ”
Specifically, an XSS vulnerability allows execution of arbitrary JavaScript code in the context of ‘a-cdn.claude’.[.]A threat actor could take advantage of this behavior to inject JavaScript that prompts the Claude extension.
With this extension, your prompts will appear in Claude’s sidebar as if they were legitimate user requests, just because they come from an allowlisted domain.
“The attacker’s page hides a vulnerable Arkose component, sends an XSS payload via postMessage, and the injected script launches a prompt to the extension,” Yomtov explained. “The victim can’t see anything.”
Successful exploitation of this vulnerability could allow the attacker to steal sensitive data (e.g., access tokens), access conversation history with the AI agent, and even perform actions on behalf of the victim (e.g., send an email impersonating the victim, request sensitive data, etc.).
Following a responsible disclosure on December 27, 2025, Anthropic has deployed a patch to its Chrome extension (version 1.0.41) that enforces strict origin checks that require an exact match with the domain “Claude.”[.]Arkose Labs subsequently fixed the XSS flaw as of February 19, 2026.
“The more capable the AI browser assistant is, the more valuable it becomes as an attack target,” Coy said. “An autonomous agent is an extension that can manipulate the browser, read credentials, and send email on behalf of the user. And that agent is only as secure as the weakest origin within its trust boundary.”
Source link
