You are currently viewing Zero-Click AI Exploit: ShadowPrompt in Claude Chrome Extension

Zero-Click AI Exploit: ShadowPrompt in Claude Chrome Extension

  • Post author:
  • Reading time:3 mins read

A significant vulnerability has been discovered in Anthropic’s Claude Google Chrome Extension, potentially allowing malicious actors to inject prompts into the AI assistant without any user interaction. This “zero-click” vulnerability, dubbed ShadowPrompt, could have allowed attackers to silently control a user’s browser simply by visiting a compromised webpage. This post examines the details of the vulnerability, its potential impact, and the measures taken to mitigate it.

Vulnerability Details

The vulnerability, discovered by Koi Security researcher Oren Yomtov, allowed any website to inject prompts into the Claude AI assistant as if the user had written them. The attack required no user clicks or permission prompts, making it particularly insidious. The vulnerability, named ShadowPrompt, chains together two underlying flaws:

  1. Overly Permissive Origin Allowlist: The Chrome extension had an overly permissive origin allowlist, allowing any subdomain matching the pattern *.claude.ai to send prompts to Claude for execution.
  2. DOM-Based XSS Vulnerability: A document object model (DOM)-based cross-site scripting (XSS) vulnerability existed in an Arkose Labs CAPTCHA component hosted on a-cdn.claude[.]ai.

The XSS vulnerability allowed the execution of arbitrary JavaScript code in the context of a-cdn.claude[.]ai. This could be leveraged to inject JavaScript that issues a prompt to the Claude extension. The extension, trusting the allow-listed domain, would then process the prompt as a legitimate user request.

Proof of Concept

The attack involves embedding the vulnerable Arkose component in a hidden <iframe>. The attacker’s page then sends the XSS payload via postMessage. The injected script within the <iframe> then sends the malicious prompt to the Claude extension. The victim remains unaware of the injected prompt.

<iframe src="https://a-cdn.claude.ai/arkose_captcha" style="display:none;"></iframe>
<script>
  // Send XSS payload via postMessage
  iframe.contentWindow.postMessage('<script>/* Malicious code to prompt Claude extension */</script>', 'https://a-cdn.claude[.]ai');
</script>

In this illustrative example, the attacker’s page embeds the vulnerable Arkose component and uses postMessage to inject JavaScript code that triggers a prompt to the Claude extension. Because the extension trusts the a-cdn.claude[.]ai origin, it executes the prompt without user consent.

Tactics, Techniques, and Procedures (TTPs)

Attackers exploiting this vulnerability would likely use the following tactics and techniques:

  • TA0001 – Initial Access: Exploiting vulnerabilities in browser extensions to gain initial access.
  • TA0002 – Execution: Using JavaScript to execute malicious code within the extension’s context.
  • T1059.007 – JavaScript: Utilizing JavaScript to inject and execute malicious prompts.

Impact

Successful exploitation of this vulnerability could have severe consequences:

  • Sensitive Data Theft: Attackers could steal sensitive data, such as access tokens.
  • Access to Conversation History: Unauthorized access to the user’s conversation history with the AI agent.
  • Impersonation: Performing actions on behalf of the victim, such as sending emails or requesting confidential data.

Mitigation

The vulnerability has been addressed through the following measures:

  • Anthropic Patch: Anthropic deployed a patch to the Chrome extension (version 1.0.41) that enforces a strict origin check, requiring an exact match to the domain claude[.]ai.
  • Arkose Labs Fix: Arkose Labs has fixed the XSS flaw at its end as of February 19, 2026.

Instantly Fix Risks with Saner Patch Management

Saner patch management is a continuous, automated, and integrated software that instantly fixes risks exploited in the wild. The software supports major operating systems like Windows, Linux, and macOS, as well as 550+ third-party applications.

It also allows you to set up a safe testing area to test patches before deploying them in a primary production environment. Saner patch management additionally supports a patch rollback feature in case of patch failure or a system malfunction.

Experience the fastest and most accurate patching software here.