Claude Chrome Extension Vulnerability Patched

Critical vulnerability in Claude Chrome extension allowed silent website hijacking via chained XSS flaw.

  • A critical flaw in the Anthropic Claude Chrome extension allowed websites to silently inject malicious prompts, compromising user security.
  • The vulnerability combined an overly permissive domain allowlist and an XSS flaw in an Arkose Labs CAPTCHA component.
  • Successful attacks could have led to data theft, conversation history access, and actions performed on the victim’s behalf.
  • Anthropic and Arkose Labs have since deployed patches to close the security loopholes disclosed in late 2025.

Cybersecurity researchers disclosed a critical flaw in Anthropic's Claude Google Chrome extension in March 2026, revealing a vulnerability that let malicious websites hijack user prompts silently. This flaw, as detailed in a report shared with The Hacker News, required no user interaction beyond visiting a compromised page.

Consequently, an attacker could gain complete control of the victim’s browser session without any visible warning. Researcher Oren Yomtov of Koi Security stated, “The victim sees nothing.”

The technique chained two underlying security weaknesses for successful exploitation. First, the extension's origin allowlist was overly broad, accepting prompts from any subdomain matching the pattern *.claude.ai.

Meanwhile, a second flaw involved a DOM-based cross-site scripting vulnerability in a component from Arkose Labs. The vulnerable component was hosted on “a-cdn.claude[.]ai,” a subdomain that matched the extension's allowlist pattern; the flaw has since been documented on developer resources and security community pages.

Specifically, the XSS allowed arbitrary JavaScript execution in the trusted domain’s context. A threat actor could therefore embed a vulnerable component in a hidden iframe to inject a malicious script.

This script would then fire a prompt to the extension, which treated it as legitimate. The extension’s permissive trust model meant the injected prompt appeared in Claude’s sidebar as a user request.

Successful exploitation presented severe risks for compromised users. An adversary could potentially steal sensitive access tokens and access private conversation history with the AI.

Furthermore, they could perform actions like sending fraudulent emails or requesting confidential data while impersonating the victim. This turned the AI assistant into a powerful, autonomous attack vector.

Anthropic responsibly addressed the issue after disclosure on December 27, 2025. The company patched its Chrome extension to enforce a strict origin check requiring an exact domain match.

Arkose Labs also resolved the XSS vulnerability on its end by February 19, 2026. This coordinated fix closed the security loophole that enabled the chained attack.
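To make the allowlist weakness concrete, here is an added illustration (not Anthropic's extension code) that places a wildcard-subdomain origin check beside the exact-match check the patch is described as enforcing. The message shape, the `ALLOWED_ORIGIN` constant and the sample events are assumptions constructed for the example.

```javascript
// Added example, not code from the Claude extension. It contrasts a
// permissive "*.claude.ai" style origin allowlist with a strict exact-origin
// check, using a constructed message shape { origin, data: { prompt } }.

const ALLOWED_ORIGIN = "https://claude.ai"; // assumed exact origin of the app

// Permissive check: trusts claude.ai and every subdomain of it. Any page or
// widget served from some other *.claude.ai host is therefore trusted too.
function isTrustedOriginPermissive(origin) {
  let url;
  try {
    url = new URL(origin);
  } catch {
    return false; // not a well-formed origin
  }
  const host = url.hostname;
  return url.protocol === "https:" &&
    (host === "claude.ai" || host.endsWith(".claude.ai"));
}

// Strict check: scheme, host and port must match the expected origin exactly.
function isTrustedOriginStrict(origin) {
  return origin === ALLOWED_ORIGIN;
}

// Decides whether an inbound prompt message is accepted, given an origin check.
function acceptPrompt(event, originCheck) {
  if (!originCheck(event.origin)) {
    return { accepted: false, reason: "untrusted origin" };
  }
  const data = event.data;
  if (typeof data !== "object" || data === null || typeof data.prompt !== "string") {
    return { accepted: false, reason: "malformed message" };
  }
  return { accepted: true, prompt: data.prompt };
}

// Constructed sample events: one from the app itself, one from a CDN subdomain.
const fromApp = { origin: "https://claude.ai", data: { prompt: "summarize this page" } };
const fromCdn = { origin: "https://a-cdn.claude.ai", data: { prompt: "injected prompt" } };

console.log(acceptPrompt(fromCdn, isTrustedOriginPermissive).accepted); // true
console.log(acceptPrompt(fromCdn, isTrustedOriginStrict).accepted);     // false
console.log(acceptPrompt(fromApp, isTrustedOriginStrict).accepted);     // true
```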

Reflecting on the incident, Koi emphasized the growing risks with advanced AI assistants. They noted that an extension capable of navigating browsers and sending emails acts as an autonomous agent whose security depends entirely on its trust boundaries.