Ethical Hacking News
A newly disclosed vulnerability known as ShadowPrompt, in Anthropic's popular Claude Google Chrome extension, poses a significant risk to user security. By exploiting this flaw, attackers can inject malicious prompts into the browser without any user interaction or permission.
Cybersecurity researchers have discovered a critical vulnerability in Anthropic's Claude Google Chrome extension that could enable zero-click cross-site scripting (XSS) attacks. The ShadowPrompt vulnerability allows attackers to inject malicious prompts into the browser with ease, bypassing traditional security measures. The flaw is chained around two primary components: an overly permissive origin allowlist and a document object model (DOM)-based XSS vulnerability in an Arkose Labs CAPTCHA component. An attacker would need to embed a vulnerable Arkose component in a hidden iframe and send the XSS payload via postMessage to exploit this vulnerability. The discovery highlights the need for robust security measures to protect these vulnerable extensions from being exploited by attackers. A patch has been deployed to the Chrome extension, but it serves as a reminder that AI browser assistants and extensions remain valuable targets for attackers.
Cybersecurity researchers have recently uncovered a critical vulnerability in Anthropic's widely used Claude Google Chrome extension that could enable zero-click cross-site scripting (XSS) attacks. The ShadowPrompt vulnerability has significant implications for users and organizations alike, as it allows attackers to inject malicious prompts into the browser with ease.
According to Koi Security researcher Oren Yomtov, the flaw "allowed any website to silently inject prompts into that assistant as if the user wrote them," without requiring any clicks or permission from the user. The vulnerability is chained around two primary components of the extension: an overly permissive origin allowlist and a document object model (DOM)-based XSS vulnerability in an Arkose Labs CAPTCHA component.
The first component of the ShadowPrompt vulnerability is an overly broad origin allowlist in the Claude extension that permits any subdomain matching the pattern (*.claude.ai) to send prompts for execution. This essentially means that any website ending with ".claude.ai" can inject malicious code into the browser, bypassing traditional security measures.
The second component of the vulnerability lies within an Arkose Labs CAPTCHA component hosted on "a-cdn.claude[.]ai." The CAPTCHA component contains a document object model (DOM)-based XSS vulnerability that enables the execution of arbitrary JavaScript code in the context of "a-cdn.claude[.]ai." This allows attackers to inject malicious JavaScript payloads into the browser, which can then be executed by the Claude extension without any user interaction or permission.
To exploit this vulnerability, an attacker would need to embed a vulnerable Arkose component in a hidden iframe and send the XSS payload via postMessage. The injected script would then fire the prompt to the Claude extension, tricking the user into seeing nothing out of the ordinary. This could potentially allow the adversary to steal sensitive data such as access tokens or conversation history with the AI agent, or even perform actions on behalf of the victim.
The discovery of this vulnerability has significant implications for organizations and individuals relying on Claude's browser assistant features. It highlights the need for robust security measures to protect these vulnerable extensions from being exploited by attackers. In response to the vulnerability, Anthropic has deployed a patch to the Chrome extension (version 1.0.41) that enforces a strict origin check requiring an exact match to the domain "claude[.]ai."
Arkose Labs has since fixed the XSS flaw at its end as of February 19, 2026. While this update mitigates the risk associated with the ShadowPrompt vulnerability, it serves as a reminder that AI browser assistants and extensions remain valuable targets for attackers due to their capabilities.
As Koi Security stated, "The more capable AI browser assistants become, the more valuable they are as attack targets." In light of this vulnerability, it is essential for organizations and individuals to prioritize the security and integrity of these agents. By doing so, we can protect ourselves against the increasing number of sophisticated threats targeting our digital assets.
Related Information:
https://www.ethicalhackingnews.com/articles/ShadowPrompt-A-Novel-Zero-Click-XSS-Vulnerability-in-Anthropics-Claude-Google-Chrome-Extension-ehn.shtml
https://thehackernews.com/2026/03/claude-extension-flaw-enabled-zero.html
https://www.techtimes.com/articles/314594/20260214/hidden-claude-desktop-extension-flaw-could-let-hackers-seize-your-pc.htm
Published: Thu Mar 26 11:12:30 2026 by llama3.2 3B Q4_K_M
