Claude Chrome extension vulnerability lets hackers hijack browsers

By Craig Nash
Tech writer at All Things Geek. Covers artificial intelligence, semiconductors, and computing hardware.

A critical vulnerability in Anthropic’s Claude Chrome extension, codenamed ShadowPrompt, lets attackers completely hijack your browser without a single click or permission prompt. Simply visiting a malicious webpage is enough. The Claude Chrome extension vulnerability chains two separate flaws to create a zero-click attack that silently injects prompts into the AI assistant, giving attackers access to your browsing history, conversation data, and the ability to perform actions on your behalf.

Key Takeaways

  • ShadowPrompt combines an XSS flaw in Arkose Labs’ component with the extension’s trust in allow-listed domains
  • Attack requires zero clicks and zero permission prompts from the victim
  • Anthropic patched the Claude Chrome extension vulnerability in version 1.0.41 with strict origin verification
  • Researcher Oren Yomtov at Koi Security discovered and responsibly disclosed the flaw on December 27, 2025
  • Attackers can steal access tokens, read conversation history, and send emails or requests from victim accounts

How ShadowPrompt Exploits the Claude Chrome Extension Vulnerability

The Claude Chrome extension vulnerability works through a deceptively simple chain of events. An attacker embeds a vulnerable Arkose Labs component inside a hidden iframe on their malicious webpage. When you visit that page, the attacker sends a specially crafted XSS payload through postMessage, triggering arbitrary JavaScript execution in the context of “a-cdn.claude.ai”. That injected script then issues a prompt directly to the Claude extension as if you had typed it yourself. The extension trusts the allow-listed domain and accepts the prompt without question. The victim sees nothing.

What makes this attack so dangerous is its invisibility. Unlike typical browser exploits that require user interaction (clicking a link, enabling a feature, or dismissing a popup), the Claude Chrome extension vulnerability operates entirely in the background. Oren Yomtov, the Koi Security researcher who discovered it, described the impact plainly: “No clicks, no permission prompts. Just visit a page, and an attacker completely controls your browser.” The flaw allowed any website to silently inject prompts into the assistant as if the user wrote them, transforming the extension from a productivity tool into a potential attack surface.

What Attackers Can Do With This Claude Chrome Extension Vulnerability

Once an attacker exploits the Claude Chrome extension vulnerability, the damage extends far beyond reading your AI conversations. The injected prompts can instruct Claude to steal sensitive data like access tokens, which grant attackers persistent access to your accounts. They can read your entire AI conversation history, exposing confidential information you discussed with the assistant. They can perform autonomous actions on your behalf—sending emails from your account, requesting confidential files from colleagues, or accessing services connected to your browser.

This vulnerability highlights a broader architectural problem with AI browser extensions: they inherit the user’s identity and permissions across the web. Unlike traditional browser extensions that operate in sandboxed environments with explicit user consent, AI assistants like Claude need broad access to read web content and interact with websites. That power, combined with the extension’s trust in allow-listed domains, creates a shortcut for attackers. The Claude Chrome extension vulnerability demonstrates how a single weak link in the chain—in this case, an XSS flaw in a third-party component—can compromise an entire security model.

Anthropic’s Patch and Arkose Labs’ Delayed Fix

Anthropic moved quickly after learning of the Claude Chrome extension vulnerability. The company patched the extension in version 1.0.41 by implementing a strict origin check that matches exactly “claude.ai”. This prevents attackers from exploiting the extension through other allow-listed domains or third-party components. However, the full chain required a second fix: Arkose Labs addressed the underlying XSS flaw on February 19, 2026, more than seven weeks after Anthropic’s initial disclosure.
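The difference between trusting an allow-listed domain family and requiring one exact origin, as an added example (not Anthropic's extension code). It assumes the pre-patch allow-list behaved like "claude.ai or any subdomain"; the function names and the sample sender URLs are constructed for illustration, and `senderUrl` stands in for whatever sender URL the extension's message listener receives.

```javascript
// Added illustration; not code from the Claude extension.
const TRUSTED_ORIGIN = "https://claude.ai";

// ASSUMPTION: models the pre-patch trust as "claude.ai or any subdomain".
// A script running on any subdomain (for example via XSS in a third-party
// component hosted there) inherits the extension's trust.
function isTrustedLoose(senderUrl) {
  let u;
  try { u = new URL(senderUrl); } catch { return false; }
  return u.protocol === "https:" &&
    (u.hostname === "claude.ai" || u.hostname.endsWith(".claude.ai"));
}

// Strict check: the parsed origin (scheme + host + port) must equal one value.
// Parsing first defeats userinfo tricks and case differences.
function isTrustedStrict(senderUrl) {
  let u;
  try { u = new URL(senderUrl); } catch { return false; }
  return u.origin === TRUSTED_ORIGIN;
}

// Hypothetical message gate: reject before looking at the payload.
function handleExternalMessage(message, senderUrl, check = isTrustedStrict) {
  if (!check(senderUrl)) return { accepted: false, reason: "untrusted origin" };
  if (!message || typeof message.prompt !== "string") {
    return { accepted: false, reason: "malformed message" };
  }
  return { accepted: true, prompt: message.prompt };
}

// Constructed sample senders, including lookalikes a validator must reject.
const SAMPLE_SENDERS = [
  "https://claude.ai/chat",
  "https://CLAUDE.AI:443/",
  "https://a-cdn.claude.ai/frame.html",
  "https://claude.ai:8443/",
  "http://claude.ai/",
  "https://claude.ai.evil.example/",
  "https://claude.ai@evil.example/",
  "not a url",
];

function compareChecks() {
  return SAMPLE_SENDERS.map((s) => ({
    sender: s, loose: isTrustedLoose(s), strict: isTrustedStrict(s),
  }));
}

console.table(compareChecks());
```

Only the first two senders pass the strict check; the subdomain and non-default-port senders pass the loose check alone, which is the gap an exact-origin comparison closes.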

The staggered timeline reveals a vulnerability disclosure challenge in modern web security. Even after Anthropic patched the Claude Chrome extension vulnerability on its end, users remained at risk until Arkose Labs fixed their component. This delay underscores why responsible disclosure matters—researchers like Yomtov reported the flaw privately rather than publishing exploit details immediately, giving vendors time to patch without exposing millions of users to active attacks.

Broader Risks in Claude Extensions Beyond This Vulnerability

The Claude Chrome extension vulnerability is not an isolated incident. Security research from Zenity Labs has identified systemic risks in how Claude extensions operate. The extension maintains persistent login without an option to disable it, allowing it to perform autonomous actions on sites like Google Drive and Slack. It can read web requests and console logs, potentially exposing OAuth tokens that grant access to sensitive services. It executes JavaScript in the context of visited websites, creating XSS risks similar to the ShadowPrompt vulnerability.

These architectural choices reflect a tension in AI tool design: assistants need broad permissions to be useful, but broad permissions create security risks. A related vulnerability class affects Claude Desktop Extensions (DXT), which allow zero-click remote code execution through Google Calendar events in unsandboxed environments. That flaw affects over 10,000 users across 50 extensions by chaining low-risk connectors like Calendar to high-risk local executors. The Claude Chrome extension vulnerability and the DXT flaws suggest that AI extension security is still maturing, and the industry has not yet settled on safe permission models for AI assistants operating across the web.

Should You Update Your Claude Chrome Extension?

If you use the Claude Chrome extension, update to version 1.0.41 or later immediately. The patch directly addresses the Claude Chrome extension vulnerability by enforcing strict domain validation. Users who updated before the vulnerability was publicly disclosed were protected. If you have not updated, do so now—there is no downside to running the patched version, and the security benefit is substantial.

What is the Claude Chrome extension beta launch date?

Anthropic released the Claude Chrome extension beta on December 18, 2025, just nine days before the Claude Chrome extension vulnerability was discovered. The rapid disclosure timeline meant the extension was in early adoption when the flaw became public, limiting the number of affected users compared to a mature product with millions of installations.

Are there other AI extensions with similar vulnerabilities?

The Claude Chrome extension vulnerability is not unique to Anthropic. Claude Desktop Extensions face zero-click RCE flaws, and the broader architecture of AI extensions—persistent login, broad web access, JavaScript execution—creates inherent risks. Until the industry develops safer permission models for AI tools, similar vulnerabilities will likely emerge in competing products.

The Claude Chrome extension vulnerability serves as a wake-up call for both vendors and users. AI extensions are powerful tools, but power without security is a liability. Anthropic’s quick patch response was correct, but the underlying lesson is harder: as AI assistants gain deeper integration into browsers and web workflows, the security model must evolve to match the threat surface. Zero-click attacks like ShadowPrompt will become more common if vendors continue to design extensions that inherit full user identity and permissions without additional verification layers. Update now, and stay skeptical of any extension—AI or otherwise—that demands broad access without clear, enforceable permission boundaries.

Edited by the All Things Geek team.

Source: TechRadar
