Published July 1, 2026
This vulnerability chain enabled remote attackers to execute zero-click prompt injections against the Claude for Chrome extension by exploiting a permissive origin allowlist (*.claude.ai) and a DOM-based XSS in an Arkose Labs CAPTCHA component hosted on a-cdn.claude.ai. By bypassing origin checks via the trusted subdomain, attackers could send unauthorized messages to the extension's background script, facilitating the theft of Gmail access tokens, Google Drive data exfiltration, and unauthorized account manipulation for over 3 million users.
Threat Model & Vulnerability Overview
- Critical zero-click flaw affecting the Claude for Chrome browser extension.
- Root cause attributed to a trust failure in the extension's origin validation logic.
- Exploited a permissive wildcard allowlist that implicitly trusted any subdomain under *.claude.ai.
Attack Mechanics & Execution Vector
- Attack initiated when a victim visited a malicious webpage, requiring no user interaction.
- Leveraged a DOM-based XSS vulnerability in an outdated Arkose Labs CAPTCHA hosted on a-cdn.claude.ai.
- Used the XSS to send arbitrary messages to the extension's background script via the Chrome messaging API.
- Enabled silent prompt injection into the user's active Claude session, bypassing standard permission prompts.
Systemic Security Impact
- Potential exposure of a user base exceeding 3 million individuals.
- Capabilities included the theft of Gmail access tokens and exfiltration of Google Drive data.
- Allowed for the unauthorized export of Claude chat histories and the transmission of fraudulent emails.
- Severity classified as Critical due to the potential for full Account Takeover (ATO) and sensitive data theft.
Remediation & Patch Timeline
- Vulnerability disclosed by Oren Yomtov (Koi Security) on December 26, 2025.
- Anthropic deployed a fix for the permissive origin allowlist on January 15, 2026.
- Arkose Labs patched the underlying DOM-based XSS on February 19, 2026.
Conclusion & Defensive Implications
- Illustrates the systemic risk of using broad wildcard trust in browser extension architectures.
- Highlights how vulnerabilities in third-party components (e.g., CAPTCHA providers) can compromise the primary application's security boundary.
- Emphasizes the necessity of strict origin pinning and rigorous input validation for LLM-integrated extensions.
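The difference between wildcard trust and strict origin pinning, as an added example that is not the extension's own code: the function names, the message type and the pinned origin https://claude.ai are assumptions, and the sample sender URLs are constructed.

```javascript
// Added example. Function names, message types and the pinned origin are
// assumptions for illustration, not the extension's real code.

function parse(url) {
  try { return new URL(url); } catch { return null; }
}

// Weak: wildcard trust, equivalent to allowlisting *.claude.ai.
function wildcardAllows(senderUrl) {
  const u = parse(senderUrl);
  return !!u && u.protocol === "https:" &&
    (u.hostname === "claude.ai" || u.hostname.endsWith(".claude.ai"));
}

// Hardened: exact origin match against a fixed set (scheme + host + port).
const PINNED_ORIGINS = new Set(["https://claude.ai"]); // assumed first-party origin
function pinnedAllows(senderUrl) {
  const u = parse(senderUrl);
  return !!u && PINNED_ORIGINS.has(u.origin);
}

// Input validation: only known message types are accepted, everything else is dropped.
const ALLOWED_TYPES = new Set(["open_panel"]); // hypothetical message type
function acceptMessage(sender, message) {
  if (!sender || typeof sender.url !== "string" || !pinnedAllows(sender.url)) {
    return { ok: false, reason: "untrusted-origin" };
  }
  if (message === null || typeof message !== "object" ||
      !ALLOWED_TYPES.has(message.type)) {
    return { ok: false, reason: "unknown-message-type" };
  }
  return { ok: true };
}

// Constructed sample sender URLs.
const SAMPLES = [
  "https://claude.ai/chat",
  "https://a-cdn.claude.ai/captcha/frame.html",
  "https://claude.ai.attacker.example/",
  "http://claude.ai/",
];
// Returns [url, allowedByWildcard, allowedByPinning] for each sample.
function compare() {
  return SAMPLES.map((url) => [url, wildcardAllows(url), pinnedAllows(url)]);
}
// In an extension service worker the check would sit in the listener:
// chrome.runtime.onMessageExternal.addListener((m, s, reply) => reply(acceptMessage(s, m)));
```

Only the second sample differs between the two checks: a page on the third-party-hosted subdomain passes the wildcard and fails the pin.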