Anthropic's Claude Chrome Extension has over 3 million users. It's an AI assistant in your browser sidebar that can navigate pages, read content, execute JavaScript, and interact with websites on your behalf.
We found a vulnerability that allowed any website to silently inject prompts into that assistant as if the user wrote them. No clicks, no permission prompts. Just visit a page, and an attacker completely controls your browser.

The attack chains two flaws: an overly permissive origin allowlist in the extension (*.claude.ai) and a DOM-based XSS in an Arkose Labs CAPTCHA component hosted on a-cdn.claude.ai. Together, they let an attacker send Claude any instruction they want. Claude executes it with the same trust and capabilities it extends to you.
If you're using the Claude Chrome Extension, verify your installed version is 1.0.41 or higher, as earlier versions might still be vulnerable. Go to chrome://extensions, find the Claude extension, and check the version number.
What Could an Attacker Actually Do?
Practically anything: steal your Gmail access token. Read your Google Drive. Export your LLM chat history. Send emails as you. All without a single click or permission prompt.
Here's a demo of a malicious website exploiting the ShadowPrompt vulnerability to steal your Google account. The attacker gets a persistent access token for your Gmail, Drive, and Contacts:
For demonstration purposes it is all taking place in the active tab, but the malicious website can also create background tabs and control them, and open the Claude sidebar in case it wasn’t open before.
So how does this work?
From *.claude.ai to Full Takeover
The Wildcard
It started with the Claude Chrome Extension's messaging API. Chrome extensions can receive messages from web pages via chrome.runtime.sendMessage().
One message type caught my attention: onboarding_task. It accepts a prompt parameter and sends it directly to Claude for execution. This was designed for the onboarding demo flow, but the extension doesn't distinguish between origins. Any page on any *.claude.ai subdomain can send a prompt, and Claude will execute it.
So the question became: is there any *.claude.ai subdomain where I can run JavaScript?
The CAPTCHA Subdomain
Anthropic uses Arkose Labs for CAPTCHA verification, and Arkose hosts its challenge components on a-cdn.claude.ai. That's third-party vendor code, running on a first-party subdomain.
The extension doesn't care. a-cdn.claude.ai matches *.claude.ai, so it gets the same messaging permissions as claude.ai itself. If I could run JavaScript there, I could send prompts to Claude.
The Version Hunt
The Arkose Labs CDN hosts various CAPTCHA challenge types. I started examining them, looking for anything I could leverage. Most of the components were solid. Then I noticed something in one of the URLs:
/fc/assets/ec-game-core/game-core/1.26.0/standard/index.html

A version number. Where there's a versioned URL, there might be older versions still deployed. I started walking backward from 1.26.0, brute-forcing version numbers. An older version was still live, and it had a vulnerability the current one didn't.
The XSS
The vulnerable game-core component had a DOM-based XSS built from two mistakes.
First, the component accepts messages from any website. It uses postMessage to receive data from its parent page, but never checks who's sending:
```javascript
window.addEventListener("message", function (event) {
  // event.origin is NEVER checked
  if (event.data.message === "assign_session_data") {
    // Attacker-controlled stringTable gets merged into app state
  }
});
```
One of the fields in that message, stringTable, controls the UI text displayed in the CAPTCHA challenge. An attacker can overwrite it with anything.
Second, that text gets rendered as raw HTML. The component uses React's dangerouslySetInnerHTML to display those strings, with no sanitization:
```javascript
var kn = React.forwardRef(function (e, t) {
  // e.children comes straight from the stringTable and is rendered as HTML
  return React.createElement("div", {
    dangerouslySetInnerHTML: { __html: e.children },
  });
});
```
Chain the two together: an attacker sends a postMessage with an HTML payload like <img src=x onerror="..."> in the string table. The component renders it as HTML. The onerror fires. Arbitrary JavaScript, running in the context of a-cdn.claude.ai.
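For contrast, here is how a widget that receives its UI strings over postMessage should handle that message. This is an added example, not Arkose Labs' code: the allowed parent origin, the field names and the element ids are assumptions, and it fixes both mistakes at once (origin check first, then strings treated as text rather than HTML).

```javascript
// Parent origins this embedded component will accept messages from (assumed).
const ALLOWED_PARENT_ORIGINS = new Set(["https://claude.ai"]);

// Escape the characters that change meaning when text is placed into HTML,
// so the result is safe even for an HTML sink such as dangerouslySetInnerHTML.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Validate one "assign_session_data" message. Returns the accepted stringTable
// with every value escaped, or null if the message must be ignored. Pure, so
// the decision can be tested without a browser.
function acceptSessionData(event, allowedOrigins = ALLOWED_PARENT_ORIGINS) {
  // Mistake 1 fixed: the sender's origin is checked before the data is touched.
  if (!allowedOrigins.has(event.origin)) return null;
  const data = event.data;
  if (!data || typeof data !== "object") return null;
  if (data.message !== "assign_session_data") return null;
  const table = data.stringTable;
  if (!table || typeof table !== "object") return null;
  // Mistake 2 fixed: only strings are kept, and each one is escaped so it can
  // never be parsed as markup when rendered.
  const safe = {};
  for (const [key, value] of Object.entries(table)) {
    if (typeof value === "string") safe[key] = escapeHtml(value);
  }
  return safe;
}

// Browser wiring; skipped outside a browser so the function above stays testable.
if (typeof window !== "undefined") {
  window.addEventListener("message", (event) => {
    const table = acceptSessionData(event);
    if (!table) return;
    for (const [id, text] of Object.entries(table)) {
      const el = document.getElementById(id); // element ids assumed to match keys
      if (el) el.textContent = text; // a text sink; never innerHTML
    }
  });
}
```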
Putting It Together
With JavaScript execution on a-cdn.claude.ai, the final step writes itself. The injected script sends a message to the Claude extension:
```javascript
chrome.runtime.sendMessage(
  "fcoeoabgfenejglbffodgkkbkcdhcgfn", // the Claude extension's id
  {
    type: "onboarding_task",
    payload: { prompt: "ATTACKER_CONTROLLED_PROMPT" },
  }
);
```
The extension sees a *.claude.ai origin, lets it through, and the attacker's prompt lands in Claude's sidebar as a user request.
The entire chain runs from an invisible iframe. The attacker's page embeds the vulnerable Arkose component in a hidden <iframe>, sends the XSS payload via postMessage, and the injected script fires the prompt to the extension. The victim sees nothing.
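The two trust policies side by side, as an added example that is not Anthropic's code: `isTrustedSenderWildcard()` mirrors the permissive `*.claude.ai` matching described above and `isTrustedSenderStrict()` mirrors the fix that accepts exactly `https://claude.ai`. The `onboarding_task` message shape and the "Untrusted origin" error come from this post; the handler body and the `sender` object layout are assumptions (in Chrome, `sender.url` is the sending page's URL, and the manifest's `externally_connectable.matches` is a further, separate gate).

```javascript
const TRUSTED_ORIGIN = "https://claude.ai";

// Derive the sender's origin from its full page URL; null if unparsable.
function originOf(sender) {
  try { return new URL(sender.url).origin; } catch { return null; }
}

// Vulnerable policy: any https host under claude.ai passes, which includes a
// subdomain serving third-party code such as a-cdn.claude.ai.
function isTrustedSenderWildcard(sender) {
  const origin = originOf(sender);
  if (!origin) return false;
  const u = new URL(origin);
  return u.protocol === "https:" &&
    (u.hostname === "claude.ai" || u.hostname.endsWith(".claude.ai"));
}

// Fixed policy: the origin must equal the single first-party origin exactly
// (scheme, host and port), so no subdomain or lookalike host can ever match.
function isTrustedSenderStrict(sender) {
  return originOf(sender) === TRUSTED_ORIGIN;
}

// Decide what the extension does with an external message under a policy.
// Returns the decision instead of acting, so it can be tested without Chrome.
function handleExternalMessage(msg, sender, isTrusted = isTrustedSenderStrict) {
  if (!isTrusted(sender)) return { error: "Untrusted origin" };
  if (msg && msg.type === "onboarding_task" && typeof msg.payload?.prompt === "string") {
    return { accepted: true, prompt: msg.payload.prompt }; // would go to Claude
  }
  return { error: "Unknown message type" };
}

// Extension wiring (assumed); only runs inside a Chrome extension context.
if (typeof chrome !== "undefined" && chrome.runtime?.onMessageExternal) {
  chrome.runtime.onMessageExternal.addListener((msg, sender, sendResponse) => {
    sendResponse(handleExternalMessage(msg, sender));
  });
}
```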
Disclosure Timeline
- Dec 26, 2025: Reported to Anthropic via HackerOne
- Dec 27, 2025: Anthropic confirmed and triaged the vulnerability
- Jan 15, 2026: Anthropic deployed a fix to the Chrome Extension, adding a strict origin check requiring exactly https://claude.ai
- Jan 18, 2026: Verified the extension fix: PoC no longer works, new version rejects non-claude.ai origins with "Untrusted origin" error
- Jan 27, 2026: Anthropic closed the report
- Jan 29, 2026: Anthropic reopened the report because the Arkose Labs XSS still needed patching to protect older extension versions
- Feb 3, 2026: Reported the XSS to Arkose Labs via their HackerOne program
- Feb 4, 2026: Arkose Labs confirmed the vulnerability within 24 hours
- Feb 6, 2026: Arkose Labs triaged the issue
- Feb 19, 2026: Arkose Labs fixed the XSS. The vulnerable URL now returns 403.
- Feb 24, 2026: Full retest confirmed all issues resolved. Report closed.
Credit where it's due: Anthropic's security team was responsive, confirming within 24 hours and patching within three weeks.
Final Thoughts
The more capable AI browser assistants become, the more valuable they are as attack targets. An extension that can navigate your browser, read your credentials, and send emails on your behalf is an autonomous agent. And the security of that agent is only as strong as the weakest origin in its trust boundary.
If you want to make sure a vulnerable version of this extension - or any other - isn't installed across your organization, that's exactly what we built Koi to do. We give security teams visibility into every browser extension in their environment, flagging overly permissive trust models, vulnerable dependencies, and the kind of trust boundary issues that made this attack possible.
Book a demo to see how Koi can protect your organization.
Stay safe out there.