Claude Extension Flaw Enabled Zero-Click XSS Prompt Injection via Any Website

A zero-click XSS prompt injection vulnerability in Anthropic's Claude Chrome Extension allowed any website to silently hijack the AI assistant.

• •The flaw, named ShadowPrompt, chained two bugs: an overly permissive origin allowlist accepting any *.claude.ai subdomain, and a DOM-based XSS in an Arkose Labs CAPTCHA component hosted on a-cdn.claude.ai.
• •Attackers could embed the vulnerable Arkose component in a hidden iframe, send an XSS payload via postMessage, and inject arbitrary prompts into Claude's sidebar without any user interaction.
• •Successful exploitation could lead to theft of access tokens, exposure of conversation history, and actions performed on behalf of the victim such as sending emails.
• •Anthropic patched the extension in version 1.0.41 (after disclosure on December 27, 2025) by enforcing an exact domain match to claude.ai; Arkose Labs fixed the XSS on February 19, 2026.