Cybersecurity researchers have uncovered a serious security flaw in Claude’s Google Chrome extension that allowed attackers to inject malicious prompts without any user interaction. The vulnerability made it possible for a simple website visit to silently manipulate the AI assistant’s behavior.
How the Zero-Click Attack Worked
According to researchers at Koi Security, the flaw allowed any website to inject commands into the extension as if they were legitimate user inputs. This meant users did not need to click, approve permissions, or take any action, just opening a malicious page was enough to trigger the exploit.
Root Cause of the Vulnerability
The attack relied on chaining two separate weaknesses:
- An overly permissive origin allowlist that trusted all subdomains matching
*.claude.ai - A DOM-based cross-site scripting (XSS) flaw in a CAPTCHA component provided by Arkose Labs
The XSS vulnerability allowed attackers to execute arbitrary JavaScript within the trusted domain environment. By abusing this trust, malicious scripts could send prompts directly to the extension, bypassing security checks.
Invisible Exploitation Technique
Attackers embedded the vulnerable CAPTCHA component inside a hidden iframe on a malicious webpage. Using postMessage, they delivered the exploit payload, which then triggered the extension to process attacker-controlled prompts.
Because the request originated from a trusted domain, the extension treated it as legitimate, displaying it in the assistant interface without raising suspicion. The entire process remained invisible to the victim.
Potential Impact
Successful exploitation could have enabled attackers to:
- Steal sensitive data such as authentication tokens
- Access private AI conversation history
- Perform actions on behalf of the user, including sending emails or requesting confidential information
This highlights the growing risk of AI-powered browser assistants, which often have deep access to user activity and data.
Patch and Mitigation
The issue was responsibly disclosed in late December 2025. Anthropic addressed the flaw by enforcing strict origin validation, allowing only exact matches to claude.ai.
At the same time, Arkose Labs resolved the XSS vulnerability in its CAPTCHA component by February 2026, closing the attack chain completely.
Security Implications
Experts warn that as AI assistants become more powerful and autonomous, they increasingly represent high-value targets for attackers. Any weakness in their trust model can lead to full compromise of user data and actions.
Organizations and users alike are advised to keep browser extensions updated, limit unnecessary permissions, and remain cautious when interacting with unknown websites.
Found this article interesting? Follow us on X (Twitter) , Facebook, Blue sky and LinkedIn to read more exclusive content we post.
