A newly disclosed security issue highlights how a Claude Chrome Extension vulnerability exposed millions of users to invisible browser-level attacks, raising serious concerns about AI agent security in modern web environments.
Researchers revealed that a critical zero-click flaw in the Anthropic Claude Chrome Extension could allow attackers to execute silent prompt injection attacks without any user interaction. The vulnerability affected more than three million users before it was patched, demonstrating the growing risks tied to AI-powered browser assistants.
The attack relied on a chain of two flaws. The first stemmed from overly permissive origin validation within the extension. It accepted messages from any subdomain under claude.ai, allowing malicious content from trusted-appearing sources to interact with the extension. The second flaw was found in a third-party CAPTCHA component provided by Arkose Labs, which introduced a cross-site scripting weakness.
By exploiting these issues together, attackers could embed a hidden iframe on a malicious webpage. When a user simply visited the page, the exploit triggered automatically. The compromised CAPTCHA component executed injected JavaScript, which then sent commands directly to the Claude extension. Because the request appeared to come from a trusted domain, the extension processed it without suspicion.
This allowed attackers to inject prompts into the AI assistant as if they were legitimate user instructions. Since the Claude extension functions as an autonomous browser agent, capable of interacting with web services and executing tasks, the consequences were severe.
Demonstrated attack scenarios included stealing Google OAuth tokens, accessing Gmail data, reading files stored in Google Drive, exporting chat histories, and even sending emails without the user’s knowledge. The entire process occurred silently, with no clicks, alerts, or permission prompts.
The vulnerability was responsibly disclosed via HackerOne in late December 2025. Anthropic confirmed the issue within 24 hours and rolled out a fix by mid-January 2026. The update replaced the wildcard domain validation with a strict origin check limited to the primary claude.ai domain. The related CAPTCHA flaw was separately patched in February, with vulnerable components disabled.
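The difference between the wildcard validation and the strict origin check described above, shown as an added example. This is not Anthropic's code; the function names and sample origins are constructed for illustration.

```javascript
// Added illustration: names and sample origins are constructed, not the extension's code.
const TRUSTED_ORIGIN = "https://claude.ai";

// Parse a sender origin; opaque or malformed values (e.g. "null") yield null.
function parseOrigin(origin) {
  try {
    return new URL(origin);
  } catch {
    return null;
  }
}

// Wildcard-style validation: the apex domain or any subdomain under it passes.
function isTrustedWildcard(origin) {
  const url = parseOrigin(origin);
  if (!url || url.protocol !== "https:") return false;
  return url.hostname === "claude.ai" || url.hostname.endsWith(".claude.ai");
}

// Strict validation: the normalised origin must equal exactly one value.
function isTrustedStrict(origin) {
  const url = parseOrigin(origin);
  return url !== null && url.origin === TRUSTED_ORIGIN;
}

// Constructed sender origins covering the cases that matter.
const SAMPLE_ORIGINS = [
  "https://claude.ai",                 // the primary origin
  "https://claude.ai:443",             // same origin, default port written out
  "https://embedded-widget.claude.ai", // hypothetical subdomain hosting third-party code
  "https://claude.ai.example.net",     // lookalike that merely starts with the name
  "http://claude.ai",                  // wrong scheme
  "null",                              // opaque origin, e.g. a sandboxed frame
];

// Evaluate both policies side by side for each origin.
function compare(origins) {
  return origins.map((origin) => ({
    origin,
    wildcard: isTrustedWildcard(origin),
    strict: isTrustedStrict(origin),
  }));
}

console.table(compare(SAMPLE_ORIGINS));
```

Any origin the wildcard check accepts and the strict check rejects is one whose content security the extension was implicitly inheriting.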
Security experts note that this incident reflects a broader challenge in securing AI-powered browser tools. As AI assistants gain deeper access to user data and web environments, the attack surface expands significantly. Trust boundaries that include third-party services can unintentionally introduce critical weaknesses.
The Claude Chrome Extension vulnerability underscores how supply chain risks and weak origin validation can combine into high-impact exploits. As AI agents become more integrated into everyday workflows, organizations and users must prioritize strict access controls, continuous monitoring, and rapid patching to defend against increasingly sophisticated and invisible threats.