Claude Extension Flaw Enabled Zero-Click XSS Prompt Injection via Any Website
ShadowPrompt: Claude Extension Flaw Enabled Zero-Click Prompt Injection
TL;DR
Researchers discovered a critical vulnerability in the Claude Google Chrome extension, dubbed ShadowPrompt. By chaining a DOM-based XSS flaw with an overly permissive origin allowlist, attackers could silently inject prompts into a user's Claude assistant. The attack required no user interaction beyond visiting a malicious website and has since been patched by Anthropic and Arkose Labs.
The boundary between AI assistants and web security is becoming increasingly thin. Cybersecurity researchers recently disclosed a significant vulnerability in Anthropic’s Claude Google Chrome extension that, until recently, allowed attackers to hijack the assistant without a single click from the user.
Codenamed ShadowPrompt, the flaw allowed any website to silently inject prompts into the Claude assistant as if the user had typed them personally. According to Oren Yomtov, a researcher at Koi Security, the implications were stark: "No clicks, no permission prompts. Just visit a page, and an attacker completely controls your browser."
Anatomy of the "ShadowPrompt" Attack
The ShadowPrompt vulnerability was not the result of a single error, but rather the chaining of two distinct security weaknesses:
- Overly Permissive Allowlist: The Claude extension utilized an origin allowlist that was too broad. It was configured to allow any subdomain matching the wildcard pattern *.claude.ai to send prompts to the extension for execution.
- DOM-Based XSS: Researchers identified a Document Object Model (DOM)-based Cross-Site Scripting (XSS) vulnerability in a CAPTCHA component from Arkose Labs. This component was hosted on the subdomain a-cdn.claude.ai.
Because the extension trusted any *.claude.ai subdomain, the XSS vulnerability on the CDN subdomain became a backdoor. An attacker could execute arbitrary JavaScript in the context of a-cdn.claude.ai, which was then authorized to send commands to the Claude extension.
How the Exploit Worked
The execution of ShadowPrompt was designed to be entirely invisible to the victim. The process followed these steps:
- An attacker-controlled website embeds the vulnerable Arkose component within a hidden <iframe>.
- The attacker sends an XSS payload to that frame via postMessage.
- The injected script fires a prompt directly to the Claude extension.
- The extension, seeing the request coming from an allowlisted domain, accepts the prompt and places it in the Claude sidebar as a legitimate user request.
The Risks of Autonomous Agents
If exploited, the consequences of ShadowPrompt were severe. Because Claude functions as an AI agent with broad access, an adversary could:
- Steal sensitive data, such as access tokens.
- Access the user’s full conversation history.
- Perform actions on the victim's behalf, such as sending impersonated emails or requesting confidential data.
As Koi Security noted in their report, the more capable these assistants become, the more dangerous they are when compromised. "An extension that can navigate your browser, read your credentials, and send emails on your behalf is an autonomous agent," the researchers stated.
Remediation and Patching
Following a responsible disclosure on December 27, 2025, Anthropic and Arkose Labs worked to mitigate the threat:
- Anthropic: Released a patch for the Chrome extension (version 1.0.41) that replaces the wildcard allowlist with a strict origin check, requiring an exact match to the domain claude.ai.
- Arkose Labs: Patched the underlying DOM-based XSS flaw in its CAPTCHA component as of February 19, 2026.
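The difference between the wildcard allowlist and the exact-origin check described above can be seen by running both over the same sender origins. This is an added example, not Anthropic's extension code: the function names, the assumed trusted origin https://claude.ai and the sample origins are constructed for illustration.

```javascript
// Added illustration; not the Claude extension's code.
// Assumption: the only trusted sender origin is exactly https://claude.ai.
const TRUSTED_ORIGIN = "https://claude.ai";

// Returns a URL object, or null for opaque ("null") or malformed origins.
function parseOrigin(value) {
  if (typeof value !== "string") return null;
  try {
    const url = new URL(value);
    return url.origin === "null" ? null : url;
  } catch {
    return null;
  }
}

// Wildcard-style check as the article describes the pre-patch allowlist:
// any host under claude.ai is trusted, so every subdomain shares the
// extension's trust, including ones serving third-party components.
function wildcardAllows(senderOrigin) {
  const url = parseOrigin(senderOrigin);
  return url !== null && url.protocol === "https:" &&
    (url.hostname === "claude.ai" || url.hostname.endsWith(".claude.ai"));
}

// Strict check as the article describes the fix: scheme, host and port
// must all serialize to one fixed origin.
function strictAllows(senderOrigin) {
  const url = parseOrigin(senderOrigin);
  return url !== null && url.origin === TRUSTED_ORIGIN;
}

// Constructed sender origins covering the cases a reviewer should test.
const SAMPLE_ORIGINS = [
  "https://claude.ai",              // the intended sender
  "https://a-cdn.claude.ai",        // subdomain named in the article
  "https://claude.ai.example.test", // look-alike suffix, different site
  "http://claude.ai",               // wrong scheme
  "https://claude.ai:8443",         // wrong port
  "null",                           // opaque origin (e.g. sandboxed frame)
];

function compare(origins) {
  return origins.map((origin) => ({
    origin, wildcard: wildcardAllows(origin), strict: strictAllows(origin),
  }));
}

console.table(compare(SAMPLE_ORIGINS));
```

Only the first sample passes the strict check, while the wildcard check also accepts the CDN subdomain and the non-default port.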
Users are encouraged to ensure their browser extensions are updated to the latest versions to protect against these types of automated prompt injection attacks.
Source: The Hacker News


