A significant security vulnerability has been uncovered in Anthropic's Claude Google Chrome Extension, dubbed "ShadowPrompt." This flaw enabled malicious websites to inject prompts into the AI assistant without any user interaction, effectively allowing attackers to control the user's browser context.

Key Takeaways

• A zero-click vulnerability in the Claude Chrome Extension allowed any website to inject prompts into the AI assistant.

• The exploit chained an overly permissive origin allowlist with a DOM-based XSS flaw in an Arkose Labs CAPTCHA component.

• Successful exploitation could lead to data theft, access of conversation history, and unauthorized actions on behalf of the user.

• Anthropic has released a patch, and Arkose Labs has fixed the underlying XSS issue.

The ShadowPrompt Vulnerability

Researchers from Koi Security revealed that the ShadowPrompt vulnerability could have allowed any website to silently inject prompts into the Claude assistant as if the user had typed them. This meant no clicks or permission prompts were necessary; simply visiting a compromised webpage could grant an attacker control over the user's browser session with Claude.

Technical Details of the Exploit

The vulnerability was a result of chaining two distinct security weaknesses:

1. Overly Permissive Origin Allowlist: The Claude extension initially had a broad allowlist pattern (*.claude.ai) that permitted any subdomain to send prompts for execution. This created a wide attack surface.

2. DOM-Based XSS in CAPTCHA Component: A cross-site scripting (XSS) vulnerability was discovered within an Arkose Labs CAPTCHA component hosted on a subdomain of claude.ai (specifically, "a-cdn.claude[.]ai"). This XSS flaw allowed arbitrary JavaScript code execution within the context of that specific subdomain.

An attacker could exploit this by embedding the vulnerable Arkose component in a hidden iframe on their malicious website. Using the API, they could then send an XSS payload to the component. This injected script would then trigger a prompt to the Claude extension, which, due to the permissive allowlist, would accept it as a legitimate user request.

Potential Impact

The consequences of a successful ShadowPrompt attack could be severe. Threat actors could potentially:

• Steal sensitive information, such as access tokens.

• Gain access to the user's past conversation history with the AI.

• Perform actions on behalf of the victim, including sending emails, requesting confidential data, or impersonating the user.

Resolution and Mitigation

Following responsible disclosure on December 27, 2025, Anthropic promptly addressed the issue. They released a patch for the Claude Chrome Extension (version 1.0.41), which now enforces a strict origin check, requiring an exact domain match to "claude[.]ai." Arkose Labs also fixed the underlying XSS vulnerability on their end by February 19, 2026.

This incident highlights the growing security concerns surrounding AI-powered browser assistants. As these tools become more capable and integrated into user workflows, securing their trust boundaries and the origins they interact with becomes increasingly critical.

By staying vigilant and adopting safe browsing practices, users can significantly reduce their exposure to these evolving threats. As cyber threats continue to evolve, your security strategy needs to evolve with them. BetterWorld Technology delivers adaptive cybersecurity solutions designed to keep your business secure while supporting innovation. Connect with us today to schedule a personalized consultation.

Sources

• Claude Extension Flaw Enabled Zero-Click XSS Prompt Injection via Any Website, The Hacker News.