Severity
High
Analysis Summary
A critical zero-click vulnerability in Anthropic’s Claude Chrome Extension exposed more than 3 million users to silent prompt-injection attacks, allowing malicious websites to take control of the AI assistant without any user interaction. The flaw enabled attackers to execute actions invisibly, including stealing Gmail OAuth tokens, accessing Google Drive files, exporting chat history, and even sending emails. Because the extension functions as an autonomous browser agent capable of interacting with web services, any malicious prompt executed through it carried the same level of trust as legitimate user input, making the impact particularly severe.
The attack chain relied on two key vulnerabilities. The first was an overly permissive wildcard origin allowlist (accepting any *.claude.ai subdomain), which allowed untrusted sources to communicate with the extension. The extension’s messaging API accepted a message type called onboarding_task, forwarding attacker-controlled prompts directly to Claude. The second flaw involved a third-party CAPTCHA service provided by Researcher, hosted on a-cdn.claude.ai, which was mistakenly treated as a trusted origin due to the wildcard policy. This significantly expanded the attack surface by granting external components the same privileges as the primary Claude domain.
Researcher identified an additional DOM-based XSS vulnerability in older, publicly accessible Arkose CAPTCHA components. These components accepted postMessage data without validating the sender’s origin and rendered attacker-controlled input using unsafe HTML injection (dangerouslySetInnerHTML) without sanitization. By embedding this vulnerable component within a hidden iframe on a malicious site, attackers could inject arbitrary JavaScript into the trusted a-cdn.claude.ai context. This script then leveraged chrome.runtime.sendMessage() to deliver malicious prompts to the Claude extension, which were executed without any security warnings or user awareness.
The vulnerability was responsibly disclosed via HackerOne in late December 2025 and patched in stages by January and February 2026. Fixes included replacing the wildcard allowlist with a strict origin check (limited to https://claude.ai) and removing access to vulnerable Arkose components. This incident highlights a broader security concern in AI-powered browser agents: trust boundaries can be unintentionally expanded through third-party integrations hosted on first-party domains. As AI assistants gain deeper browser-level capabilities, such supply chain weaknesses create high-impact attack vectors, emphasizing the need for strict origin validation and stronger isolation of external components.
Impact
- Gain Access
Remediation
- Update the Claude Chrome Extension to version 1.0.41 or later to ensure the vulnerability is patched.
- Avoid using browser extensions that request excessive permissions, especially those with access to email, files, or browsing activity.
- Regularly review and remove unnecessary or unused browser extensions to reduce attack surface.
- Restrict extension permissions using browser settings and allow access only to trusted websites.
- Monitor Google account activity for suspicious logins, email access, or file downloads.
- Revoke and reissue Google OAuth tokens if compromise is suspected.
- Enable multi-factor authentication (MFA) on Google and other critical accounts.
- Keep Chrome browser and all extensions updated to the latest versions.
- Use endpoint security solutions to detect malicious scripts or abnormal browser behavior.
- Block or restrict untrusted third-party scripts and iframes through browser security settings or enterprise policies.
- Implement strict origin validation and avoid wildcard allowlists in extension or application configurations.
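For extension developers, the difference between the wildcard allowlist and the strict origin check described above can be shown in a few lines. This is an added example, not code from the Claude extension: the function names, the `ping` message type and the result objects are assumptions made for illustration, and the sample origins are constructed.

```javascript
// Exact-match allowlist: scheme and host only, no wildcards.
const ALLOWED_ORIGINS = new Set(["https://claude.ai"]);
// Hypothetical default-deny list of message types a web page may send.
const ALLOWED_TYPES = new Set(["ping"]);

// Weak pattern: every subdomain is trusted, including hosts that only
// serve third-party content (the a-cdn.claude.ai case in this advisory).
function wildcardOriginAllowed(origin) {
  try {
    const { protocol, hostname } = new URL(origin);
    return protocol === "https:" &&
      (hostname === "claude.ai" || hostname.endsWith(".claude.ai"));
  } catch {
    return false; // unparsable or opaque ("null") origin
  }
}

// Strict pattern: normalise with the URL parser, then compare exactly.
function strictOriginAllowed(origin) {
  try {
    return ALLOWED_ORIGINS.has(new URL(origin).origin);
  } catch {
    return false;
  }
}

// Gate for externally supplied messages: check the origin first, then the type.
function handleExternalMessage(message, sender) {
  const origin = sender && (sender.origin || sender.url);
  if (typeof origin !== "string" || !strictOriginAllowed(origin)) {
    return { ok: false, reason: "origin-rejected" };
  }
  if (!message || typeof message.type !== "string" ||
      !ALLOWED_TYPES.has(message.type)) {
    return { ok: false, reason: "type-rejected" };
  }
  return { ok: true };
}

// Register only when running inside an extension; skipped under Node.
if (typeof chrome !== "undefined" && chrome.runtime &&
    chrome.runtime.onMessageExternal) {
  chrome.runtime.onMessageExternal.addListener((message, sender, sendResponse) => {
    sendResponse(handleExternalMessage(message, sender));
  });
}
```

The same exact-match comparison applies to `event.origin` in any `postMessage` listener, which is the check the older CAPTCHA components lacked.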