Critical Zero-Click Prompt-Injection Flaw Discovered in Claude Chrome Extension

A zero-click flaw in Anthropic’s Claude Chrome extension lets attackers silently hijack the AI assistant. Learn how this prompt-injection vulnerability works and why millions of users were exposed.

Stop Zero-Click AI Hijacks
  • March 27, 2026

A Stealthy Vulnerability in Claude’s Browser Extension

Recently, a critical zero-click vulnerability was uncovered in Anthropic’s Claude Chrome extension. It affected over 3 million users and allowed attackers to hijack the AI assistant silently, with no user interaction required.

In practice, merely visiting a malicious website could trigger the exploit. The issue stemmed from the extension’s overly broad trust policy: it treated any *.claude.ai subdomain as fully trusted. This mistake let attackers piggyback on an internal CAPTCHA service to sneak malicious commands into Claude.

Crucially, the extension’s messaging API (onboarding_task) would forward attacker-supplied prompts directly to Claude for execution, thinking they came from a legitimate source.

Even so, the window of exposure was enough to demonstrate devastating attacks. Attackers could stealthily steal Gmail and Google Drive credentials, exfiltrate AI chat logs, or even send emails as the user. These outcomes highlight how severe a zero-click exploit can be when an AI browser agent is compromised.

How the Zero-Click Prompt-Injection Attack Works

The exploit chains two separate weaknesses into one attack. The first is the Claude extension’s allowlist, which accepts prompts from any site in the *.claude.ai domain. The second is that Anthropic’s CAPTCHA provider hosted challenge code on a subdomain in that same domain, namely a-cdn.claude.ai.

Attackers found an older Arkose Labs game component with a DOM XSS vulnerability. The component received postMessage data from any origin and used React’s dangerouslySetInnerHTML with unsanitized text. This meant an invisible <iframe> could load the vulnerable CAPTCHA and run attacker code.

  • Hidden iframe injection: A malicious webpage embeds the Arkose CAPTCHA HTML in a hidden <iframe>.
  • DOM XSS execution: The page sends a crafted postMessage containing HTML (for example <img src=x onerror="...">) to the iframe. The Arkose code dutifully renders this in its UI without checks. The onerror or other payload executes as JavaScript in the context of a-cdn.claude.ai.
  • Silent prompt forwarding: The injected script immediately calls chrome.runtime.sendMessage(…) targeting the Claude extension. It passes an attacker-controlled prompt via the onboarding_task API. Because the extension trusts a-cdn.claude.ai as part of *.claude.ai, it forwards this message to Claude without any user prompt or warning.
  • Autonomous takeover: Claude receives the malicious prompt and executes it with full privileges. The user never sees any click or dialog; the entire sequence is invisible. In effect, the attacker now controls the AI assistant as if they were typing commands.

Each step happens automatically and silently. In this way, a webpage can hijack Claude without the user knowing. Once hijacked, the AI agent could steal data or take actions on behalf of the user.
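The two trust checks at the heart of this chain, modelled as an added example (not the Claude extension’s or Arkose’s code; function names, the message shape and the sample URLs are hypothetical): the wildcard sender policy the article describes beside the single-origin check that replaced it, plus an embedded component’s postMessage listener that validates the parent origin and never renders the payload as HTML.

```javascript
// Weak policy: any *.claude.ai host is trusted. A subdomain that hosts
// third-party code (the article's a-cdn.claude.ai case) can therefore push
// prompts into the extension. Hostname suffix checks are the classic mistake.
function isTrustedSenderWeak(senderUrl) {
  try {
    const u = new URL(senderUrl);
    return u.protocol === "https:" &&
      (u.hostname === "claude.ai" || u.hostname.endsWith(".claude.ai"));
  } catch { return false; }
}

// Hardened policy: one exact origin (scheme + host + port), no wildcards.
// Comparing origins rather than hostnames also rejects scheme downgrades.
const TRUSTED_ORIGINS = new Set(["https://claude.ai"]);   // hypothetical allowlist
function isTrustedSenderStrict(senderUrl) {
  try { return TRUSTED_ORIGINS.has(new URL(senderUrl).origin); }
  catch { return false; }
}

// Handler shaped like a chrome.runtime.onMessageExternal listener. It returns
// the decision instead of acting, so each policy can be unit-tested.
// `trusted` is the origin policy in force; `msg.type`/`msg.prompt` are a
// hypothetical message shape, not the real onboarding_task schema.
function handleExternalMessage(msg, sender, trusted) {
  if (!sender || typeof sender.url !== "string") return { action: "reject", reason: "no sender url" };
  if (!trusted(sender.url)) return { action: "reject", reason: "untrusted origin" };
  if (!msg || msg.type !== "onboarding_task" || typeof msg.prompt !== "string") {
    return { action: "reject", reason: "malformed message" };
  }
  return { action: "forward", prompt: msg.prompt };
}

// The embedded component's side of the boundary: accept postMessage data only
// from the expected parent origin, and hand back plain text for textContent,
// never markup for innerHTML / dangerouslySetInnerHTML.
function acceptChallengeText(event, expectedParentOrigin) {
  if (!event || event.origin !== expectedParentOrigin) return null;   // drop other origins
  if (!event.data || typeof event.data.text !== "string") return null;
  return { textContent: event.data.text };   // caller assigns node.textContent
}

// Constructed demonstration: the same message, two policies.
const demoMsg = { type: "onboarding_task", prompt: "constructed test prompt" };
const demoSender = { url: "https://a-cdn.claude.ai/challenge" };   // constructed sender
console.log("weak  :", handleExternalMessage(demoMsg, demoSender, isTrustedSenderWeak).action);    // forward
console.log("strict:", handleExternalMessage(demoMsg, demoSender, isTrustedSenderStrict).action);  // reject
```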

Critical Analysis (Xcitium Threat Labs)

  • 3.2M+ impacted users
  • Zero interaction required

The attack chain in three steps:

  1. Subdomain Trust Breach: The extension’s policy treated all *.claude.ai subdomains as inherently trusted origins.
  2. DOM XSS Injection: A legacy Arkose Labs component on the CDN was leveraged to execute attacker code silently.
  3. Autonomous Hijack: The AI agent executed unauthorized prompts as if they were legitimate high-privilege user commands.

Demonstrated impact:

  • Google Drive & Gmail data exfiltration
  • Sensitive chat log & history exposure
  • Ghost emailing via user sessions
  • OAuth token & session hijacking

Potential Impact and Real-World Examples

Because Claude’s browser extension acts like an autonomous agent, the attacker’s injected instructions run with the same level of trust as the user’s own commands. This meant the attackers could do things like:

  • Steal OAuth tokens and data: Grabbing persistent Google account tokens to read private Gmail emails and Google Drive documents without authorization.
  • Exfiltrate conversation history: Exporting the user’s entire AI chat log from Claude, leaking possibly sensitive queries and data.
  • Email and session hijack: Using the extension’s ability to send emails or messages, attackers could send phishing or malicious emails as the user, completely invisibly.

Zero-click exploits can be used for severe data theft and account takeover. Radware discovered a “ShadowLeak” zero-click exploit in 2025, where ChatGPT’s browsing agent was compromised.

In that case, a specially crafted email injected a hidden prompt into the AI’s Gmail connector, causing it to silently leak information to the attacker. The Claude exploit follows the same pattern ShadowLeak used against ChatGPT.

In essence, once the attacker’s prompt is executed, the AI does exactly what it is told, whether it is stealing data or installing malware, all behind the scenes of a “helpful” assistant.

Industry Response and Broader Lessons

In the Chrome extension update, the wildcard allowlist was replaced by a single-origin check, and the underlying XSS vulnerability was fixed. Although both issues are now closed, the broader warning about trust boundaries in AI agents still stands.

As browser-based AI assistants are granted additional privileges, such as the ability to read emails or files programmatically, they also introduce additional risk. The Claude incident illustrates the importance of balancing the growing role of AI in our lives against the enforcement of security boundaries, especially where the integrity of our data and systems is at stake.

Conclusion: When a Browser Extension Turns AI Into a Zero-Click Attack Surface

The Claude Chrome extension flaw shows how quickly AI convenience can become silent compromise. Overly broad trust boundaries and one vulnerable subdomain were enough to let a malicious website hijack the assistant with no click, no warning, and no visible user action. Once that trust boundary failed, the attacker did not need to deliver malware first. The AI agent became the execution path.

Why This Is a Structural Shift

For decades, malicious intent needed a carrier. Attackers had to ship code, and defenders could anchor detection to artifacts like binaries, scripts, and macros.

Agentic AI changes that model. The execution engine is already installed. The attacker only needs to influence the AI’s objective, prompt flow, or trust boundary. The harmful logic is generated at runtime inside the assistant’s reasoning and action chain. You cannot scan a thought.

Why Organizations Are Exposed

This class of attack grows wherever AI agents are given browser, email, file, or token access.

  • Wildcard trust policies expand the attack surface far beyond what teams expect
  • A zero-click exploit removes the user from the defense loop entirely
  • Once hijacked, the agent can steal tokens, read private data, and act as the user behind the scenes
  • The most dangerous failure is not code injection, it is misplaced trust in the AI action layer

Where Xcitium Changes the Outcome

If you have Xcitium, this attack would NOT succeed as a business-impact event.

  • Xcitium Vulnerability Assessment helps surface exposed trust boundaries, risky extension configurations, and weak security assumptions before attackers do
  • Xcitium Advanced EDR, powered by Xcitium’s patented Zero-Dwell platform, enforces the OS boundary when AI-driven actions attempt execution. Code can run without being able to cause damage, which prevents the follow-on step from turning assistant hijack into system compromise

Secure the Agent Layer Before It Acts for the Attacker

AI assistants are no longer passive interfaces. They are privileged execution surfaces. Lock down trust boundaries, minimize tool permissions, remove wildcard assumptions, and enforce architecture that controls consequences when prompt-layer trust fails.
