A critical zero-click vulnerability in Anthropic’s Claude Chrome Extension exposed over 3 million users to silent prompt-injection attacks, allowing malicious websites to hijack the AI assistant without user interaction.
The flaw, now patched, could have enabled attackers to steal Gmail access tokens, read Google Drive files, export chat history, and send emails, all invisibly.
The exploit chain uncovered by KOI security combined two distinct flaws to achieve full browser takeover. The first was an overly permissive origin allowlist in the Claude extension itself.
The extension’s messaging API accepts a message type called onboarding_task, which accepts a prompt parameter and forwards it directly to Claude for execution.
Critically, the extension validated only that the message originated from any *.claude.ai subdomain, a wildcard that proved catastrophically broad.
The second flaw resided in a third-party component. Anthropic uses Arkose Labs for CAPTCHA verification, with challenge components hosted on a-cdn.claude.ai, a first-party subdomain. Because this matched the *.claude.ai wildcard, the extension granted it full messaging permissions identical to claude.ai itself.
Researchers then discovered that the Arkose CDN still served older, versioned CAPTCHA game components at predictable URLs. One such older version, brute-forced by walking backward through version numbers, contained a DOM-based XSS vulnerability built from two compounding mistakes.
First, it accepted postMessage data from any parent origin without validating event.origin. Second, it rendered a user-controlled stringTable field as raw HTML using React’s dangerouslySetInnerHTML with no sanitization.
The Full Exploit Chain
An attacker could embed the vulnerable Arkose component inside a hidden on any malicious webpage. Upon a victim simply visiting the page, the attacker’s script sends a postMessage payload containing an HTML injection string such as . The CAPTCHA component renders it as HTML, firing arbitrary JavaScript in the context of a-cdn.claude.ai.
That injected script then calls chrome.runtime.sendMessage() targeting the Claude extension with any attacker-controlled prompt. The extension sees a trusted *.claude.ai origin, passes it through, and Claude executes the instruction as if the user typed it.
The entire chain executes silently. No clicks, no permission dialogs, no visible indicators.
Because Claude’s extension operates as an autonomous browser agent capable of navigating pages, executing JavaScript, and interacting with web services, an attacker’s injected prompt carried the same trust level as legitimate user instructions.
Demonstrated attack scenarios included stealing persistent Google OAuth access tokens, reading Gmail and Google Drive contents, and exfiltrating LLM conversation history.
The vulnerability was responsibly disclosed to Anthropic via HackerOne on December 26, 2025. Anthropic confirmed and triaged within 24 hours and deployed a fix on January 15, 2026, replacing the wildcard allowlist with a strict origin check requiring exactly https://claude.ai.
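The difference between the wildcard check and the strict origin check described above, as an added example that is not Anthropic's extension code. The handler shape and function names are hypothetical, and the sample sender URLs are constructed.

```javascript
// Added example. Handler shape and function names are hypothetical; the message
// type, the prompt field and the hostnames are the ones named in the article.
const ALLOWED_ORIGIN = "https://claude.ai";

// Model of the pre-fix check: any https host under claude.ai is trusted.
function wildcardCheck(senderUrl) {
  try {
    const { protocol, hostname } = new URL(senderUrl);
    return protocol === "https:" &&
      (hostname === "claude.ai" || hostname.endsWith(".claude.ai"));
  } catch {
    return false; // unparseable sender URL
  }
}

// Post-fix behaviour as described: the full origin must equal https://claude.ai.
function strictCheck(senderUrl) {
  try {
    return new URL(senderUrl).origin === ALLOWED_ORIGIN;
  } catch {
    return false;
  }
}

// Returns the prompt that would be forwarded to the agent, or null if rejected.
function handleExternalMessage(message, sender, isTrusted) {
  if (!sender || typeof sender.url !== "string" || !isTrusted(sender.url)) return null;
  if (!message || message.type !== "onboarding_task") return null;
  return typeof message.prompt === "string" ? message.prompt : null;
}

// Constructed sender URLs (paths are placeholders, not real endpoints).
const SAMPLE_SENDERS = [
  "https://claude.ai/placeholder",
  "https://a-cdn.claude.ai/placeholder/path",
  "https://claude.ai.example.test/",
  "http://claude.ai/",
  "not a url",
];

function compareChecks() {
  return SAMPLE_SENDERS.map((url) => ({
    url,
    wildcard: wildcardCheck(url),
    strict: strictCheck(url),
  }));
}

console.table(compareChecks());
```

Only the a-cdn.claude.ai row differs between the two columns: the wildcard model trusts it, while the exact-origin comparison keeps vendor-hosted subdomains outside the extension's trust boundary.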
The Arkose Labs XSS was separately reported on February 3, 2026, confirmed within 24 hours, and fully patched by February 19, 2026, with the vulnerable URL now returning a 403 response.
Users should verify their installed version is 1.0.41 or higher by navigating to chrome://extensions.
This attack exposes a systemic risk in AI browser agents: the security perimeter is only as strong as the weakest trusted origin. Third-party vendor components hosted on first-party subdomains silently expand that trust boundary in ways that aren’t immediately obvious.
As AI assistants gain deeper browser access, attackers gain higher-value targets, and supply chain trust issues become exploitable attack surfaces.

