Security researchers uncover vulnerability enabling attackers to hijack AI assistant without user interaction
Cybersecurity researchers have disclosed a significant vulnerability in Anthropic’s Claude extension for Google Chrome that could have been exploited to inject malicious prompts into the AI assistant when a user simply visited a compromised webpage, with no further user action required.
How the Attack Worked
The flaw, detailed in research from Koi Security, combined two distinct security weaknesses to enable attackers to completely control Claude browser functionality through what researchers termed a “zero-click” attack.
The vulnerability allowed any website to silently inject prompts into the assistant as if the user wrote them, with no clicks or permission prompts required, according to Oren Yomtov, a researcher at Koi Security.
The exploit chained together two underlying security flaws:
- First vulnerability: An overly permissive domain allowlist in the extension permitted any subdomain matching the pattern (*.claude.ai) to send prompts to Claude for execution.
- Second vulnerability: A DOM-based cross-site scripting (XSS) flaw existed in an Arkose Labs CAPTCHA component hosted on “a-cdn.claude[.]ai,” which enabled the execution of arbitrary JavaScript code in that domain’s context.
Attack Mechanics
Attackers could embed the vulnerable Arkose component in a hidden iframe and send an XSS payload to it via postMessage; the injected script would then send the prompt to the extension while the victim saw nothing.
The combination proved devastating because the extension treated prompts from the allowlisted domain as legitimate user requests, bypassing all security safeguards.
Potential Impact
A successful exploitation could have enabled attackers to access sensitive user data, including authentication tokens and conversation history with Claude. Beyond data theft, adversaries could perform actions on behalf of victims, such as sending emails while impersonating them or requesting confidential information.
Disclosure and Remediation
Anthropic responded promptly following the security researcher’s responsible disclosure on December 27, 2025. The company deployed a patch to the Chrome extension that enforces strict origin verification. The patch requires an exact domain match to “claude[.]ai” rather than accepting any subdomain.
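To make the two checks concrete, here is an added example (not Anthropic’s, Arkose Labs’ or Koi Security’s code) contrasting a wildcard-subdomain origin allowlist, like the one described above, with an exact-origin check of the kind the patch enforces. The function names, the message shape and the use of the WHATWG URL API are assumptions about how an extension might implement this.

```javascript
// Added illustration, not the extension's actual code: a permissive
// wildcard allowlist beside a strict exact-origin allowlist, as an
// extension might apply them to the origin of an incoming message.

// Weak check: accepts any origin whose host is claude.ai or ends in
// ".claude.ai". A script running on any such subdomain (for example via
// an XSS on that subdomain) passes this check, and the scheme is ignored.
function isAllowedOriginPermissive(origin) {
  let host;
  try {
    host = new URL(origin).hostname;
  } catch {
    return false; // malformed or opaque ("null") origin
  }
  return host === "claude.ai" || host.endsWith(".claude.ai");
}

// Hardened check: scheme and host must match exactly, no subdomains.
// URL.origin lower-cases the host and drops default ports, so the
// comparison is an exact string match against the allowlist.
const ALLOWED_ORIGINS = new Set(["https://claude.ai"]);

function isAllowedOriginStrict(origin) {
  let url;
  try {
    url = new URL(origin);
  } catch {
    return false;
  }
  return ALLOWED_ORIGINS.has(url.origin);
}

// Hypothetical message-handler shape: verify the sender's origin before
// the payload is touched, and only then hand the prompt on.
function handleMessage(message, senderOrigin, forwardPrompt) {
  if (!isAllowedOriginStrict(senderOrigin)) {
    return { accepted: false, reason: "origin not allowlisted" };
  }
  if (typeof message !== "object" || typeof message.prompt !== "string") {
    return { accepted: false, reason: "malformed message" };
  }
  forwardPrompt(message.prompt);
  return { accepted: true };
}
```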
Arkose Labs, the CAPTCHA component provider, later fixed the XSS vulnerability on its end.
Broader Implications for AI Security
The incident underscores an emerging security challenge as AI assistants become increasingly capable. The more capable AI browser assistants become, the more valuable they are as attack targets. This is especially true of an extension that functions as an autonomous agent able to navigate a browser, read credentials, and send emails on a user’s behalf.
Security experts recommend that users ensure they have the latest version of the Claude extension, which includes the patched origin verification mechanisms.
