Claude Chrome Extension Bug Enables Zero-Click XSS Prompt Injection

A critical vulnerability in the Claude Chrome Extension from Anthropic allowed attackers to inject malicious prompts without any user interaction. This flaw, known as ShadowPrompt, made it possible for a victim to be compromised simply by visiting a malicious website—no clicks or permissions required.

The issue was caused by a combination of two weaknesses: an overly permissive allowlist that trusted all subdomains under claude.ai, and a DOM-based XSS vulnerability in a CAPTCHA component from Arkose Labs. By exploiting these flaws, attackers could execute JavaScript in a trusted context and silently send prompts to the Claude assistant as if they were legitimate user inputs.

In practice, attackers embedded the vulnerable component inside a hidden iframe and delivered the payload using browser messaging. The result was invisible to the user, while the extension processed the injected prompt as normal activity. This opened the door to serious risks, including data theft, access to AI conversation history, and even performing actions on behalf of the victim such as sending emails or requesting sensitive information.

The vulnerability has been patched in Claude Extension version 1.0.41, with stricter domain validation now enforced. The related XSS issue has also been fixed by Arkose Labs. This incident highlights how AI-powered browser extensions are becoming high-value targets, as they often have deep access to user data and system actions.
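To illustrate the allowlist weakness described above and the kind of stricter validation the fix refers to, here is an added example (not code from the Claude extension or Anthropic). It assumes the extension receives prompts over a postMessage-style channel, and the allowlisted origin is an illustrative assumption.

```javascript
// Added example, not the Claude extension's real code: a host-suffix allowlist
// that accepts every subdomain, beside an exact-origin check that replaces it.

// Weak policy: trusts claude.ai and anything under it. Script running on any
// such subdomain (the article describes an XSS in an embedded CAPTCHA widget)
// sits inside the trust boundary this check draws.
function isTrustedOriginWeak(origin) {
  let url;
  try { url = new URL(origin); } catch { return false; }
  const host = url.hostname;
  return url.protocol === 'https:' &&
    (host === 'claude.ai' || host.endsWith('.claude.ai'));
}

// Strict policy: an exact allowlist of full origins (scheme + host + port).
// No wildcard subdomains, so a compromised unlisted subdomain is rejected.
const TRUSTED_ORIGINS = new Set([
  'https://claude.ai', // assumed allowlist entry for illustration
]);
function isTrustedOriginStrict(origin) {
  let url;
  try { url = new URL(origin); } catch { return false; }
  return TRUSTED_ORIGINS.has(url.origin); // normalizes default ports
}

// Handler shape for the messaging channel: whether a prompt is forwarded to
// the assistant depends only on the origin check that is plugged in.
// Returns the prompt string to forward, or null when the message is dropped.
function acceptPrompt(event, isTrustedOrigin) {
  if (!isTrustedOrigin(event.origin)) return null;
  if (!event.data || typeof event.data.prompt !== 'string') return null;
  return event.data.prompt;
}

// Constructed sample messages, not captured traffic.
const fromMainSite = {
  origin: 'https://claude.ai',
  data: { prompt: 'summarize this page' },
};
const fromSubdomain = {
  origin: 'https://widget.claude.ai', // hypothetical subdomain
  data: { prompt: 'injected text' },
};

// The weak check forwards the subdomain message; the strict check drops it.
console.log(acceptPrompt(fromSubdomain, isTrustedOriginWeak));   // 'injected text'
console.log(acceptPrompt(fromSubdomain, isTrustedOriginStrict)); // null
```

The detection angle follows from the same split: any prompt forwarded from an origin outside the exact allowlist is an event worth logging rather than silently processing.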

Conclusion: as AI assistants become more powerful, their security becomes critical. Keeping extensions updated and limiting trust boundaries are essential steps to prevent silent, zero-click attacks.

source: https://thehackernews.com/2026/03/claude-extension-flaw-enabled-zero.html