Critical Zero-Click Vulnerability in Claude Chrome Extension Exposed 3M Users to Silent Hijacking
A now-patched zero-click vulnerability in Anthropic’s Claude Chrome Extension left over 3 million users vulnerable to silent prompt-injection attacks, enabling malicious actors to hijack the AI assistant without any user interaction. The exploit, discovered by KOI Security, could have allowed attackers to steal Gmail access tokens, read Google Drive files, export chat histories, and send emails all invisibly.
The attack chain leveraged two critical flaws:
- Overly Permissive Origin Allowlist – The extension’s messaging API accepted prompts from any
*.claude.aisubdomain, including third-party components like Arkose Labs’ CAPTCHA verification, which was hosted ona-cdn.claude.ai. - DOM-Based XSS in Arkose CDN – An older, predictable version of the CAPTCHA component contained an unsanitized
stringTablefield, allowing arbitrary JavaScript execution viadangerouslySetInnerHTMLin React. Attackers could embed the vulnerable component in a hidden iframe, triggering the exploit when a victim visited a malicious page.
Once executed, the injected script sent a malicious prompt to the Claude extension, which treated it as a legitimate user command due to the trusted origin. The attack required no clicks, permissions, or visible indicators, making it nearly undetectable.
Demonstrated attack scenarios included:
- Theft of Google OAuth tokens (persistent access to Gmail/Drive)
- Exfiltration of LLM conversation history
- Silent email sending via compromised accounts
Anthropic was responsibly disclosed via HackerOne on December 26, 2025, confirmed the flaw within 24 hours, and deployed a fix on January 15, 2026, replacing the wildcard allowlist with a strict https://claude.ai origin check. The Arkose Labs XSS was separately patched by February 19, 2026, after being reported on February 3.
The incident highlights a systemic risk in AI browser agents: third-party components hosted on first-party subdomains can silently expand trust boundaries, creating exploitable attack surfaces. As AI assistants gain deeper browser access, supply chain vulnerabilities become higher-value targets for attackers.
Source: https://cybersecuritynews.com/claude-chrome-extension-0-click-vulnerability/
Anthropic cybersecurity rating report: https://www.rankiteo.com/company/anthropicresearch
Arkose Labs cybersecurity rating report: https://www.rankiteo.com/company/arkoselabs
"id": "ANTARK1774585435",
"linkid": "anthropicresearch, arkoselabs",
"type": "Vulnerability",
"date": "12/2025",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"{'affected_entities': [{'customers_affected': '3,000,000+ users',
'industry': 'Artificial Intelligence, Software',
'name': 'Anthropic (Claude Chrome Extension)',
'type': 'AI Company, Browser Extension Developer'}],
'attack_vector': 'DOM-Based XSS via third-party CDN component, Overly '
'Permissive Origin Allowlist',
'data_breach': {'data_exfiltration': 'Possible (attack scenarios included '
'exfiltration of chat histories and '
'OAuth tokens)',
'file_types_exposed': ['Text (emails, chats)',
'Google Drive files (unspecified '
'types)'],
'personally_identifiable_information': 'Yes (email content, '
'Google account '
'access)',
'sensitivity_of_data': 'High (PII, confidential '
'communications, authentication '
'tokens)',
'type_of_data_compromised': ['Authentication tokens (Google '
'OAuth)',
'LLM conversation history',
'Email content',
'Google Drive files']},
'date_detected': '2025-12-26',
'date_resolved': '2026-01-15',
'description': 'A now-patched zero-click vulnerability in Anthropic’s Claude '
'Chrome Extension left over 3 million users vulnerable to '
'silent prompt-injection attacks, enabling malicious actors to '
'hijack the AI assistant without any user interaction. The '
'exploit could have allowed attackers to steal Gmail access '
'tokens, read Google Drive files, export chat histories, and '
'send emails invisibly.',
'impact': {'brand_reputation_impact': 'High (silent exploitation of 3M users)',
'data_compromised': 'Google OAuth tokens, Gmail/Drive access, LLM '
'conversation history, email sending '
'capabilities',
'identity_theft_risk': 'High (Google OAuth token theft)',
'operational_impact': 'Silent hijacking of AI assistant, '
'unauthorized data access',
'systems_affected': 'Claude Chrome Extension, Google services '
'(Gmail, Drive)'},
'initial_access_broker': {'entry_point': 'DOM-Based XSS in Arkose Labs '
'CAPTCHA component (a-cdn.claude.ai)',
'high_value_targets': 'Google OAuth tokens, LLM '
'conversation history'},
'investigation_status': 'Resolved',
'lessons_learned': 'Systemic risk in AI browser agents: third-party '
'components hosted on first-party subdomains can silently '
'expand trust boundaries, creating exploitable attack '
'surfaces. Supply chain vulnerabilities in AI assistants '
'are high-value targets.',
'post_incident_analysis': {'corrective_actions': ['Replaced wildcard origin '
'allowlist with strict '
'https://claude.ai check',
'Patched XSS vulnerability '
'in Arkose Labs component'],
'root_causes': ['Overly permissive origin '
'allowlist in Claude Chrome '
'Extension',
'Unsanitized DOM-Based XSS in '
'Arkose Labs CAPTCHA component '
'(stringTable field)']},
'recommendations': ['Strict origin validation for browser extensions',
'Regular audits of third-party components hosted on '
'first-party domains',
'Sanitization of dynamic content in React components '
'(avoid dangerouslySetInnerHTML)',
'Enhanced monitoring for silent prompt-injection attacks'],
'references': [{'source': 'KOI Security'}, {'source': 'HackerOne Disclosure'}],
'response': {'containment_measures': 'Strict origin allowlist enforcement '
'(replaced wildcard *.claude.ai with '
'https://claude.ai)',
'remediation_measures': 'Patch deployed on January 15, 2026; '
'Arkose Labs XSS patched by February 19, '
'2026',
'third_party_assistance': 'HackerOne (responsible disclosure), '
'Arkose Labs (XSS patch)'},
'title': 'Critical Zero-Click Vulnerability in Claude Chrome Extension '
'Exposed 3M Users to Silent Hijacking',
'type': 'Zero-Click Vulnerability, Prompt-Injection Attack',
'vulnerability_exploited': 'CVE-pending (Overly Permissive Origin Allowlist, '
'DOM-Based XSS in Arkose Labs CAPTCHA component)'}