Claude Chrome extension flaw enabled zero-click prompt injection attacks against millions of users
Anthropic has patched a serious vulnerability in its Claude Chrome extension after researchers showed that a malicious website could silently inject prompts into the AI assistant with no clicks from the user. The issue mattered because Claude in Chrome can browse sites, run JavaScript, fill forms, and act inside logged-in sessions, which turned a prompt injection flaw into a much higher-risk browser takeover scenario.
Security researchers at Koi said the attack chain affected Anthropic’s official Chrome extension, which the Chrome Web Store lists at more than 3 million users. Their write-up says an attacker could abuse the bug to steal Gmail access tokens, read Google Drive content, export chat history, and send emails as the victim, all from a hidden iframe on a malicious page.
The root problem came from trust boundaries that were too broad. Koi found that the extension accepted a message type called onboarding_task and allowed prompts from any *.claude.ai origin rather than limiting access to the main Claude site. That broad trust model became dangerous because Anthropic also relied on Arkose Labs CAPTCHA assets hosted on a-cdn.claude.ai, which matched the wildcard and inherited the same permissions.
Researchers said the second half of the chain lived inside an older Arkose game component that remained available at a predictable versioned URL. According to Koi, that component accepted postMessage data from any parent origin and rendered attacker-controlled content as raw HTML through React’s dangerouslySetInnerHTML, which created a DOM-based XSS path. Once code ran inside a-cdn.claude.ai, it could message the extension and feed Claude attacker-written instructions as though the victim had typed them.
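The two weaknesses described above (no check on the sending origin, and message data passed to a raw-HTML sink) can be contrasted with a hardened receiver. This is an added example, not code from Arkose, Anthropic or Koi; the function names, the message shape, the length limit and the `PARENT_ORIGIN` value are assumptions, and the events are constructed plain objects so it runs outside a browser.

```javascript
// Added example: a message receiver contrasted with a hardened one.
// Names, message shape and PARENT_ORIGIN are assumptions, not vendor code.
// In a browser this logic would sit inside
// window.addEventListener("message", (event) => ...).

const PARENT_ORIGIN = "https://claude.ai"; // the only embedder this frame expects

// Weak pattern: no origin check, payload handed to a raw-HTML sink.
function propsWeak(event) {
  return { dangerouslySetInnerHTML: { __html: event.data.text } };
}

// Hardened pattern: pin the sender, validate the shape, render as text.
function propsHardened(event) {
  if (event.origin !== PARENT_ORIGIN) return null; // unknown embedder
  const d = event.data;
  if (!d || typeof d.text !== "string" || d.text.length > 200) return null;
  return { children: d.text }; // React escapes string children on render
}

// Constructed events: same payload, different embedding page.
const markup = "<b>label</b>";
const fromParent = { origin: PARENT_ORIGIN, data: { text: markup } };
const fromOther = { origin: "https://other.example", data: { text: markup } };

function demo() {
  return {
    weakFromOther: propsWeak(fromOther),         // markup reaches the HTML sink
    hardenedFromOther: propsHardened(fromOther), // dropped: wrong origin
    hardenedFromParent: propsHardened(fromParent), // kept, but only as text
  };
}

console.log(JSON.stringify(demo(), null, 2));
```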
That is what made the bug more dangerous than a normal prompt injection story. Anthropic’s own product pages say Claude in Chrome can navigate websites, fill forms, extract information, and automate multi-step tasks. Its safety guidance also warns that browser-using AI tools face prompt injection risks and says JavaScript access can expose login sessions, stored site data, and other sensitive information if the model is manipulated.
Anthropic appears to have moved quickly after disclosure. Koi says it reported the extension flaw to Anthropic through HackerOne on December 26, 2025, received confirmation and triage within 24 hours, and saw a fix land on January 15, 2026. The researchers say Anthropic replaced the wildcard allowlist with a strict origin check that requires exactly https://claude.ai. Koi later reported the Arkose XSS separately on February 3, and says Arkose fixed that issue on February 19.
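The difference between the wildcard allowlist and the exact-origin check can be shown side by side. This is an added example that models the two policies as the article describes them, not the extension's actual code; the function names, the `prompt` field and the sample origins are assumptions constructed for illustration.

```javascript
// Added example: models the two allowlist policies described in the article.
// Function names and the message shape are assumptions, not Anthropic's code.

const STRICT_ORIGIN = "https://claude.ai";

// Wildcard policy: any HTTPS host under claude.ai is trusted (pre-fix model).
function isTrustedWildcard(origin) {
  try {
    const u = new URL(origin);
    return u.protocol === "https:" &&
      (u.hostname === "claude.ai" || u.hostname.endsWith(".claude.ai"));
  } catch {
    return false; // "null" and other unparseable origins
  }
}

// Strict policy: exact match on the serialized origin (post-fix model).
function isTrustedStrict(origin) {
  return origin === STRICT_ORIGIN;
}

// Gate the privileged message type on the sender's origin.
function acceptMessage(message, senderOrigin, isTrusted) {
  if (!message || message.type !== "onboarding_task") return false;
  return isTrusted(senderOrigin);
}

// Constructed sender origins for comparison.
const SAMPLE_ORIGINS = [
  "https://claude.ai",
  "https://a-cdn.claude.ai",   // subdomain serving third-party assets
  "https://claude.ai.example", // look-alike suffix
  "http://claude.ai",
  "null",
];

function comparePolicies(origins = SAMPLE_ORIGINS) {
  const msg = { type: "onboarding_task", prompt: "(constructed)" };
  return origins.map((o) => ({
    origin: o,
    wildcard: acceptMessage(msg, o, isTrustedWildcard),
    strict: acceptMessage(msg, o, isTrustedStrict),
  }));
}

console.table(comparePolicies());
```

Only the second row differs between the two policies: the subdomain that hosts third-party content is trusted under the wildcard and rejected under the exact match.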
Users should still check their installed version. Koi says versions before 1.0.41 may be vulnerable, while public GitHub issue reports from late January also reference extension version 1.0.41 in the field. I have not found an Anthropic release note that independently confirms 1.0.41 as the first fixed build, so that specific version number should be treated as coming from researcher reporting and public user issue reports rather than a formal Anthropic changelog.
What happened
| Item | Verified detail |
|---|---|
| Affected product | Claude in Chrome extension |
| User exposure | Chrome Web Store lists 3,000,000 users |
| Attack type | Zero-click prompt injection chain |
| Main extension flaw | Overly broad *.claude.ai origin trust |
| Second flaw | DOM-based XSS in older Arkose-hosted CAPTCHA component |
| Patch status | Extension flaw fixed by Anthropic; Arkose issue later patched |
| Researcher guidance | Check for extension version 1.0.41 or higher |
Why this bug stood out
- The victim only needed to visit a malicious page.
- The attack did not require a visible permission prompt or user click.
- Claude in Chrome can interact with websites on the user’s behalf, which raises the impact of any successful injection.
- Anthropic has already warned publicly that prompt injection remains one of the biggest security problems for browser agents.
What users and admins should do now
- Open chrome://extensions and verify the Claude extension version.
- Update immediately if the build is older than the researcher-cited fixed version.
- Review which sites have been granted Claude permissions.
- Limit use on sensitive sites until you confirm settings and current build status.
- For managed environments, audit browser extensions that can read pages, execute scripts, or act inside logged-in sessions.
These steps align with Anthropic’s own guidance, which says users should begin with trusted sites, understand permissions, and treat prompt injection risk as non-zero even with existing safeguards.
FAQ
Yes. Researchers said a victim could trigger the chain simply by loading a malicious webpage, without clicking anything or approving a prompt.
The published research focused on the Claude Chrome extension and a trusted web origin used in its messaging model.
Koi’s proof of concept described token theft, Gmail and Drive access, chat history exfiltration, and email sending through the victim’s active browser context.
According to the disclosure timeline published by Koi, Anthropic fixed the extension-side issue in January 2026, and Arkose fixed the related XSS in February 2026.