Anthropic's Claude Google Chrome Extension could have been used to send malicious prompts to the assistant. The problem is caused by two underlying flaws: an overly permissive origin allowlist in the extension that let any subdomain matching the pattern (*.claude.ai) send a prompt to Claude to run, and a document object model (DOM)-based cross-site scripting (XSS) vulnerability in an Arkose Labs CAPTCHA component hosted on "a-cdn.claude[.]ai".

Because the prompt comes from a domain that is on the allowlist, the extension lets it show up in Claude's sidebar as if it were a real user request. Koi Yomtov, a researcher, said that AI browser assistants are more valuable as targets for attacks the better they get at their jobs.

He said, "An extension that can browse the web, read your credentials, and send emails for you is an autonomous agent." "And the safety of that agent is only as strong as the weakest link in its trust boundary."
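The allowlist flaw described above can be seen by comparing a wildcard origin check with an exact-match one. This is an added example, not the extension's code: the function names, the message shape and the single trusted origin are assumptions, and the sender origins are constructed samples.

```javascript
// Added example: origin checks for prompts an extension accepts from web pages.
// All names here are hypothetical; this is not the extension's code.

// Parse a sender origin, accepting only well-formed https URLs.
function parseOrigin(origin) {
  try {
    const url = new URL(origin);
    return url.protocol === "https:" ? url : null;
  } catch {
    return null;
  }
}

// Wildcard check in the spirit of the pattern *.claude.ai: every subdomain
// passes, so script running on any one of them is trusted.
function isAllowedWildcard(origin) {
  const url = parseOrigin(origin);
  if (url === null) return false;
  return url.hostname === "claude.ai" || url.hostname.endsWith(".claude.ai");
}

// Exact-match check: only the listed origins may submit prompts.
// The single entry is an assumption made for illustration.
const TRUSTED_ORIGINS = new Set(["https://claude.ai"]);

function isAllowedExact(origin) {
  const url = parseOrigin(origin);
  return url !== null && TRUSTED_ORIGINS.has(url.origin);
}

// Hypothetical handler: decide whether a page-supplied prompt reaches the agent.
function handlePromptMessage(message, senderOrigin, isAllowed) {
  if (!isAllowed(senderOrigin)) {
    return { accepted: false, reason: "untrusted origin: " + senderOrigin };
  }
  if (typeof message.prompt !== "string" || message.prompt.length === 0) {
    return { accepted: false, reason: "malformed message" };
  }
  return { accepted: true, reason: "origin on allowlist" };
}

// Constructed sample senders, not captured traffic.
const SAMPLE_SENDERS = ["https://claude.ai", "https://a-cdn.claude.ai",
  "https://claude.ai.example.net", "http://claude.ai", "not a url"];

for (const origin of SAMPLE_SENDERS) {
  const wild = handlePromptMessage({ prompt: "hello" }, origin, isAllowedWildcard);
  const exact = handlePromptMessage({ prompt: "hello" }, origin, isAllowedExact);
  console.log(origin, "| wildcard:", wild.accepted, "| exact:", exact.accepted);
}
```

Only the second sample differs between the two checks: the wildcard version accepts the CDN subdomain, so a script-injection bug in anything hosted there inherits the same trust as the main site.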