
This vulnerability chain enabled remote attackers to execute zero-click prompt injections against the Claude for Chrome extension by exploiting a permissive origin allowlist (*.claude.ai) and a DOM-based XSS in an Arkose Labs CAPTCHA component hosted on a-cdn.claude.ai. By bypassing origin checks via the trusted subdomain, attackers could send unauthorized messages to the extension's background script, facilitating the theft of Gmail access tokens, Google Drive data exfiltration, and unauthorized account manipulation for over 3 million users.

  • Threat Model & Vulnerability Overview

    • Critical zero-click flaw affecting the Claude for Chrome browser extension.
    • Root cause attributed to a trust failure in the extension's origin validation logic.
    • Exploited a permissive wildcard allowlist that implicitly trusted any subdomain under *.claude.ai.
  • Attack Mechanics & Execution Vector

    • Attack initiated when a victim visited a malicious webpage, requiring no user interaction.
    • Leveraged a DOM-based XSS vulnerability in an outdated Arkose Labs CAPTCHA hosted on a-cdn.claude.ai.
    • Used the XSS to send arbitrary messages to the extension's background script via the Chrome messaging API.
    • Enabled silent prompt injection into the user's active Claude session, bypassing standard permission prompts.
  • Systemic Security Impact

    • Potential exposure of a user base exceeding 3 million individuals.
    • Capabilities included the theft of Gmail access tokens and exfiltration of Google Drive data.
    • Allowed for the unauthorized export of Claude chat histories and the transmission of fraudulent emails.
    • Severity classified as Critical due to the potential for full Account Takeover (ATO) and sensitive data theft.
  • Remediation & Patch Timeline

    • Vulnerability disclosed by Oren Yomtov (Koi Security) on December 26, 2025.
    • Anthropic deployed a fix for the permissive origin allowlist on January 15, 2026.
    • Arkose Labs patched the underlying DOM-based XSS on February 19, 2026.
  • Conclusion & Defensive Implications

    • Illustrates the systemic risk of using broad wildcard trust in browser extension architectures.
    • Highlights how vulnerabilities in third-party components (e.g., CAPTCHA providers) can compromise the primary application's security boundary.
    • Emphasizes the necessity of strict origin pinning and rigorous input validation for LLM-integrated extensions.
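
To make the wildcard-versus-pinning point concrete, the following added example (not code from the extension, its vendor, or the researchers) contrasts a subdomain-wildcard sender check with an exact-origin pin plus basic message validation. The function names, the pinned origin list, the `ping` message type and the sample URLs are assumptions constructed for illustration.

```javascript
// Hypothetical sender checks for an extension's message handler.
// All names and values below are illustrative assumptions.

const PINNED_ORIGINS = new Set(["https://claude.ai"]); // assumed trusted origin
const ALLOWED_TYPES = new Set(["ping"]);               // constructed message type

function parse(senderUrl) {
  try { return new URL(senderUrl); } catch { return null; }
}

// Weak: trusts every subdomain, so a flaw on any single host under the
// domain (for example a CDN serving a third-party widget) inherits the
// extension's trust.
function wildcardTrusts(senderUrl) {
  const u = parse(senderUrl);
  return u !== null && u.protocol === "https:" &&
    (u.hostname === "claude.ai" || u.hostname.endsWith(".claude.ai"));
}

// Pinned: exact scheme + host + port comparison against an explicit list.
function pinnedTrusts(senderUrl) {
  const u = parse(senderUrl);
  return u !== null && PINNED_ORIGINS.has(u.origin);
}

// Gate applied before a message reaches any privileged code path:
// check the sender first, then validate the message shape and type.
function acceptMessage(sender, message, trusts = pinnedTrusts) {
  if (!sender || typeof sender.url !== "string" || !trusts(sender.url)) {
    return false;
  }
  return typeof message === "object" && message !== null &&
    typeof message.type === "string" && ALLOWED_TYPES.has(message.type);
}

// Constructed sample senders, evaluated under both policies.
function compare() {
  const samples = [
    "https://claude.ai/chat",
    "https://a-cdn.claude.ai/widget",
    "https://claude.ai.evil.example/",
    "http://claude.ai/",
  ];
  return samples.map((url) => ({
    url, wildcard: wildcardTrusts(url), pinned: pinnedTrusts(url),
  }));
}
```

Only the second sample differs between the two policies: the wildcard accepts the CDN subdomain, the pin rejects it.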
