Claude Extension Flaw Enabled Zero-Click XSS Prompt Injection via Any Website

The Hacker News, Mar 26, 2026

Why It Matters

The bug illustrates how AI‑driven browser extensions become high‑value attack surfaces, exposing sensitive user data and automated actions. Strengthening origin checks is now essential for the security of autonomous web agents.

Key Takeaways

  • Extension allowed any *.claude.ai subdomain to send prompts
  • XSS in Arkose CAPTCHA enabled script injection
  • Zero‑click attack could steal tokens and send emails
  • Patch restricts origin to exact claude.ai domain
  • Highlights security challenges for AI‑powered browser agents

Pulse Analysis

The rapid adoption of AI assistants embedded in browsers has created a new class of software that can read pages, fill forms and even dispatch emails on a user’s behalf. While these capabilities boost productivity, they also expand the attack surface, as extensions inherit the privileges of the host browser. Security teams are now tasked with evaluating not just traditional code paths but also the trust relationships that AI agents maintain with external services.

ShadowPrompt exploited a two‑step flaw: a lax origin allow‑list in the Claude extension permitted any subdomain matching *.claude.ai to issue prompts, and a separate cross‑site scripting weakness in an Arkose Labs CAPTCHA allowed malicious JavaScript to run in the context of a‑cdn.claude.ai. By embedding the vulnerable CAPTCHA in a hidden iframe and using postMessage, an attacker could silently fire a prompt that appeared in the Claude sidebar, granting full control over the assistant without any clicks. The chain could be leveraged to harvest authentication tokens, scrape conversation histories, or initiate actions such as sending fraudulent emails.

The incident underscores a broader industry lesson: as AI agents become more autonomous, their security models must evolve beyond simple permission prompts. Vendors need strict origin validation, sandboxed execution environments, and rapid vulnerability disclosure pipelines. Anthropic’s swift patch—tightening the allow‑list to an exact domain—and Arkose’s remediation demonstrate effective coordination, but the episode serves as a cautionary tale that even cutting‑edge AI tools can harbor classic web security flaws. Organizations deploying AI extensions should conduct regular security audits and enforce least‑privilege principles to mitigate similar risks.
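The difference between the wildcard allow-list and the patched exact-origin check can be seen in a small message receiver. This is an added example, not Anthropic's extension code; the function names, the `{type, text}` message shape and the sample origins are assumptions constructed for illustration.

```javascript
// Added illustration; not the extension's actual code. All names are hypothetical.
const TRUSTED_ORIGIN = "https://claude.ai";

// Lax check: accepts claude.ai and ANY subdomain (the *.claude.ai pattern).
// Trust is extended to every host under the domain, including third-party
// content served from a CDN subdomain such as a-cdn.claude.ai.
function isAllowedLax(origin) {
  let url;
  try { url = new URL(origin); } catch { return false; }
  return url.protocol === "https:" &&
    (url.hostname === "claude.ai" || url.hostname.endsWith(".claude.ai"));
}

// Strict check: the serialized origin must match exactly (scheme, host, port).
function isAllowedStrict(origin) {
  return origin === TRUSTED_ORIGIN;
}

// Receiver shaped like a "message" event listener. The message format
// {type: "prompt", text: string} is an assumption for this example.
function makePromptHandler(isAllowed, deliver) {
  return function onMessage(event) {
    if (!isAllowed(event.origin)) return false;            // reject unknown senders
    const d = event.data;
    if (typeof d !== "object" || d === null) return false; // reject malformed data
    if (d.type !== "prompt" || typeof d.text !== "string") return false;
    deliver(d.text);
    return true;
  };
}

// Constructed sample origins, not taken from any real traffic.
const SAMPLE_ORIGINS = [
  "https://claude.ai",
  "https://a-cdn.claude.ai",            // subdomain named in the article
  "https://claude.ai.attacker.example", // look-alike suffix
  "http://claude.ai",                   // wrong scheme
  "null",                               // opaque origin (sandboxed frame)
];

// Returns one row per origin so the two policies can be compared side by side.
function compareChecks(origins) {
  return origins.map((origin) => ({
    origin, lax: isAllowedLax(origin), strict: isAllowedStrict(origin),
  }));
}

console.table(compareChecks(SAMPLE_ORIGINS));
```

Only the `a-cdn.claude.ai` row differs between the two columns, which is the gap the exact-origin patch closes.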
