Full Report
Cybersecurity researchers have disclosed a vulnerability in Anthropic's Claude Google Chrome Extension that could have been exploited to trigger malicious prompts simply by visiting a web page. The flaw "allowed any website to silently inject prompts into that assistant as if the user wrote them," Koi Security researcher Oren Yomtov said in a report shared with The Hacker News. "No clicks, no
Analysis Summary
# Vulnerability: Zero-Click ShadowPrompt Injection in Anthropic Claude Extension
## CVE Details
- **CVE ID:** Not explicitly listed in the report (Referenced as "ShadowPrompt" research)
- **CVSS Score:** Not Assigned (Estimated High/Critical due to zero-click nature)
- **CWE:** CWE-79 (Cross-site Scripting), CWE-1327 (Binding to an Overly Permissive Origin)
## Affected Systems
- **Products:** Anthropic Claude Google Chrome Extension
- **Versions:** All versions prior to the December 2025 patch
- **Configurations:** Systems where the Claude extension is installed and the user is authenticated. Additionally affects the **Arkose Labs CAPTCHA** component hosted on `a-cdn.claude[.]ai`.
## Vulnerability Description
This is a vulnerability chain consisting of two primary flaws:
1. **Permissive Origin Allowlist:** The Claude extension utilized a wildcard allowlist (`*.claude.ai`) to determine which sites could send prompts to the assistant.
2. **DOM-based XSS:** A vulnerability existed in the Arkose Labs CAPTCHA component hosted on `a-cdn.claude[.]ai`.
By embedding the vulnerable Arkose component in a hidden iframe, an attacker could use `postMessage` to trigger the XSS. Because the script executes on a subdomain of `claude.ai`, the extension trusts the input as if it originated from the user, allowing for "ShadowPrompts"—malicious instructions injected silently into the AI assistant's sidebar.
## Exploitation
- **Status:** Disclosed by researchers; PoC details shared. No reported exploitation in the wild at the time of disclosure.
- **Complexity:** Low (Automated via malicious website)
- **Attack Vector:** Network (Web-based/Remote)
## Impact
- **Confidentiality:** High (Theft of access tokens, conversation history, and sensitive data)
- **Integrity:** High (Attacker can perform actions as the user, such as sending emails or modifying account data)
- **Availability:** Low (Primary impact is data compromise and unauthorized action)
## Remediation
### Patches
- **Anthropic:** Released a patch for the Chrome extension on **December 27, 2025**, which enforces a strict origin check limited to `claude[.]ai`.
- **Arkose Labs:** Fixed the underlying DOM-based XSS flaw as of **February 19, 2026**.
### Workarounds
- Ensure the Claude browser extension is updated to the latest version immediately.
- Remove the extension if updates are not possible and use the web interface directly.
## Detection
- **Indicators of Compromise:** Unexpected prompts appearing in the Claude sidebar or conversation history that were not authored by the user.
- **Detection methods:** Administrators can monitor for unusual outbound traffic to `a-cdn.claude[.]ai` originating from unexpected third-party websites via iframe embeddings.
## References
- **Vendor Blog (Koi Security):** hxxps://www.koi[.]ai/blog/shadowprompt-how-any-website-could-have-hijacked-anthropic-claude-chrome-extension
- **Technical News Source:** hxxps://thehackernews[.]com/2026/03/claude-extension-flaw-enabled-zero.html
- **Developer Documentation:** hxxps://developer.mozilla[.]org/en-US/docs/Web/API/Document_Object_Model