Anthropic Patches "ShadowPrompt" Vulnerability in Claude Chrome Extension
Take action: Treat AI browser extensions as extremely dangerous high-privilege agents. If you use the Claude Chrome Extension, make sure it's updated to version 1.0.41 or higher immediately! Older versions allow attackers to silently hijack your browser session and access your email, documents, and chat history without any clicks. Review what permissions the extension has and stay alert for suspicious sites that may have exploited this before the patch.
Learn More
Anthropic's Claude Chrome Extension, is reported to contain a critical vulnerability dubbed "ShadowPrompt" that allowed websites to hijack the AI assistant. This flaw, reported on December 26, 2025, enabled attackers to silently inject prompts and run commands as if the user had typed them, requiring no clicks or permissions. The security issue stems from a failure in the extension's trust boundary, which accepted messages from any subdomain under the *.claude.ai umbrella.
Vulnerabilities summary:
- Prompt Injection via Permissive Origin A logic flaw in the extension's messaging API that allows any
*.claude.aisubdomain to trigger theonboarding_taskfunction. By sending a prompt parameter through this API, an attacker can force Claude to execute arbitrary instructions with the user's full privileges. This mechanism bypasses standard security prompts and gives the attacker control over the AI's browser interactions. - DOM-based XSS in Arkose Labs Component A cross-site scripting vulnerability in a legacy CAPTCHA component hosted on
a-cdn.claude.aithat fails to verify the origin of incoming postMessage data. Attackers can use a hidden iframe to send a malicious payload that the component renders as raw HTML usingdangerouslySetInnerHTML. This allows the execution of arbitrary JavaScript within the trusted subdomain to bridge the gap to the extension's API.
Successful exploitation allows attackers to perform malicious actions by using Claude's deep integration with the browser:
- Gain access tokens for Gmail, Google Drive, and Contacts
- Read LLM chat history and sensitive internal business data
- Send emails and read private documents as the victim
- Execute of JavaScript on other websites via the assistant's navigation features
The vulnerability affects all versions of the Claude Chrome Extension prior to 1.0.41, which was released on January 15, 2026. Researchers discovered that while Arkose Labs had updated their main components, older vulnerable versions of the game-core component remained accessible on the CDN. Attackers could brute-force version numbers in the URL to find these live, unpatched files and use them to launch the XSS attack against the Anthropic subdomain.
Anthropic patched the issue by enforcing a strict origin check that only accepts messages from the primary claude.ai domain. Arkose Labs also fixed the issue by returning a 403 error for the vulnerable legacy URLs on February 19, 2026, to prevent further exploitation. Users should check their extension settings to ensure they have updated to version 1.0.41 or higher and remain alert for phishing sites that might use similar iframe-based techniques.
