{"id":397,"date":"2026-03-26T14:25:42","date_gmt":"2026-03-26T14:25:42","guid":{"rendered":"https:\/\/thedigitalfortress.us\/?p=397"},"modified":"2026-03-26T14:25:42","modified_gmt":"2026-03-26T14:25:42","slug":"claude-extension-flaw-enabled-zero-click-xss-prompt-injection-via-any-website","status":"publish","type":"post","link":"https:\/\/thedigitalfortress.us\/?p=397","title":{"rendered":"Claude Extension Flaw Enabled Zero-Click XSS Prompt Injection via Any Website"},"content":{"rendered":"<div>\n<p><span class=\"p-author\"><i class=\"icon-font icon-user\">\ue804<\/i><span class=\"author\">Ravie Lakshmanan<\/span><i class=\"icon-font icon-calendar\">\ue802<\/i><span class=\"author\">Mar 26, 2026<\/span><\/span><span class=\"p-tags\">Browser Security \/ Vulnerability<\/span><\/p>\n<\/div>\n<div id=\"articlebody\">\n<div class=\"separator\" style=\"clear: both;\"><a href=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEjvKbsVkCFVvziyQ564TDmmBjGzy6lzKUcC_rmt-GZWOiCshA_YGAhsMjib7OhvNS_8OX6micW6hWSY4lWh6IoGcyy_tCywr9Tr-qhyI4Wau32zV80zS3OJRVnbSZtHQqWO-RvoznJ34HjG6M5CDlKIXXTyAuZvVS235fZ9juweln5KS77w1w80Jk113rAW\/s1700-e365\/claude.jpg\" style=\"display: block;  text-align: center; clear: left; float: left;\"><\/a><\/div>\n<p>Cybersecurity researchers have disclosed a vulnerability in Anthropic&#8217;s Claude Google Chrome Extension that could have been exploited to trigger malicious prompts simply by visiting a web page.<\/p>\n<p>The flaw \u00aballowed any website to silently inject prompts into that assistant as if the user wrote them,\u00bb Koi Security researcher Oren Yomtov <a href=\"https:\/\/www.koi.ai\/blog\/shadowprompt-how-any-website-could-have-hijacked-anthropic-claude-chrome-extension\" rel=\"noopener\" target=\"_blank\">said<\/a> in a report shared with The Hacker News. \u00abNo clicks, no permission prompts. Just visit a page, and an attacker completely controls your browser.\u00bb<\/p>\n<p>The issue chains two underlying flaws &#8211;<\/p>\n<ul>\n<li>An overly permissive origin allowlist in the extension that allowed any subdomain matching the pattern (*.claude.ai) to send a prompt to Claude for execution.<\/li>\n<li>A document object model (<a href=\"https:\/\/developer.mozilla.org\/en-US\/docs\/Web\/API\/Document_Object_Model\" rel=\"noopener\" target=\"_blank\">DOM<\/a>)-based cross-site scripting (<a href=\"https:\/\/owasp.org\/www-community\/attacks\/xss\/\" rel=\"noopener\" target=\"_blank\">XSS<\/a>) vulnerability in an Arkose Labs CAPTCHA component hosted on \u00aba-cdn.claude[.]ai.\u00bb<\/li>\n<\/ul>\n<div class=\"dog_two clear\">\n<div class=\"cf\"><a href=\"https:\/\/thehackernews.uk\/ciso-risk-comm-cert-li-d\" rel=\"nofollow noopener sponsored\" target=\"_blank\"><img loading=\"lazy\" decoding=\"async\" class=\"lazyload\" alt=\"Cybersecurity\" src=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEjoqpwvMkmQTpI6oFBcM5sjZJ4sJ2YplYYhb-ceY5aPYSXjkfcX-xHTDS-SMK3wzNy_kFuH4yN1umKPloMnloAmmRc5nXo64laMkM5neZzco95ZJXnRH-iV-6vAXRDv8vCSgWdcloM_rsNLykF6rlZbcXQ2n2fT-No23La_8rS67S8terJhozZU9JPmB9kO\/s728-e100\/ciso-light-d.png\" width=\"729\" height=\"91\"\/><\/a><\/div>\n<\/div>\n<p>Specifically, the XSS vulnerability enables the execution of arbitrary JavaScript code in the context of \u00aba-cdn.claude[.]ai.\u00bb A threat actor could leverage this behavior to inject JavaScript that issues a prompt to the Claude extension.<\/p>\n<p>The extension, for its part, allows the prompt to land in Claude&#8217;s sidebar as if it&#8217;s a legitimate user request simply because it comes from an allow-listed domain.<\/p>\n<p>\u00abThe attacker&#8217;s page embeds the vulnerable Arkose component in a hidden <iframe>, sends the XSS payload via postMessage, and the injected script fires the prompt to the extension,\u00bb Yomtov explained. \u00abThe victim sees nothing.\u00bb<\/iframe><\/p>\n<p><iframe loading=\"lazy\" title=\"Claude Chrome Demo Shadowprompt\" width=\"500\" height=\"375\" src=\"https:\/\/www.youtube.com\/embed\/5EPnC9SzhOw?feature=oembed\" frameborder=\"0\" allow=\"accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share\" referrerpolicy=\"strict-origin-when-cross-origin\" allowfullscreen><\/iframe><\/p>\n<p>Successful exploitation of this vulnerability could allow the adversary to steal sensitive data (e.g., access tokens), access conversation history with the AI agent, and even perform actions on behalf of the victim (e.g., sending emails impersonating them, asking for confidential data).<\/p>\n<p>Following responsible disclosure on December 27, 2025, Anthropic deployed a patch to the Chrome extension that enforces a strict origin check requiring an exact match to the domain \u00abclaude[.]ai.\u00bb Arkose Labs has since fixed the XSS flaw at its end as of February 19, 2026.<\/p>\n<p>\u00abThe more capable AI browser assistants become, the more valuable they are as attack targets,\u00bb Koi said. \u00abAn extension that can navigate your browser, read your credentials, and send emails on your behalf is an autonomous agent. And the security of that agent is only as strong as the weakest origin in its trust boundary.\u00bb<\/p>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>\ue804Ravie Lakshmanan\ue802Mar 26, 2026Browser Security \/ Vulnerability Cybersecurity researchers have disclosed a vulnerability in Anthropic&#8217;s Claude Google Chrome Extension that could have been exploited to trigger malicious prompts simply by&hellip;<\/p>\n","protected":false},"author":1,"featured_media":398,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[9,73,520,70,525,684,903,902,901],"class_list":["post-397","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorized","tag-claude","tag-enabled","tag-extension","tag-flaw","tag-injection","tag-prompt","tag-website","tag-xss","tag-zeroclick"],"_links":{"self":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/posts\/397","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=397"}],"version-history":[{"count":0,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/posts\/397\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/media\/398"}],"wp:attachment":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=397"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=397"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=397"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}