Zero-Click Flaw in Claude Chrome Extension Exposes Millions to Silent Attacks; Urgent Patch Issued

Critical Zero-Click Vulnerability in Claude Chrome Extension Exposes Millions to Silent Attacks

A recently discovered zero-click vulnerability in Anthropic’s Claude Chrome Extension has exposed over 3 million users to potential silent prompt-injection attacks. This flaw allowed malicious websites to hijack the AI assistant without any user interaction, enabling attackers to steal Gmail access tokens, read Google Drive files, export chat history, and send emails—all without the user’s knowledge.

Understanding the Vulnerability

The exploit, identified by Koi Security researchers, involved two primary flaws that, when combined, could lead to a full browser takeover:

1. Overly Permissive Origin Allowlist: The Claude extension’s messaging API accepted messages from any subdomain under `.claude.ai`. This broad wildcard allowed any subdomain to send messages to the extension, including potentially malicious ones.

2. Third-Party Component Flaw: Anthropic utilized Arkose Labs for CAPTCHA verification, with components hosted on `a-cdn.claude.ai`. Due to the permissive allowlist, these components had the same messaging permissions as the main `claude.ai` domain.

Researchers discovered that older versions of the Arkose CAPTCHA component, accessible through predictable URLs, contained a DOM-based Cross-Site Scripting (XSS) vulnerability. This flaw arose from two issues:

– The component accepted `postMessage` data from any parent origin without validating `event.origin`.

– It rendered a user-controlled `stringTable` field as raw HTML using React’s `dangerouslySetInnerHTML` without proper sanitization.
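As an added illustration (not code from the extension, from Anthropic or from Arkose Labs), the JavaScript below contrasts the two patterns described above with a hardened handler: the sender is checked against an exact-match allowlist of origins rather than a domain suffix, and the `stringTable` labels are rendered as escaped text rather than raw HTML. The function names, the allowlist contents and the sample messages are constructed for the example.

```javascript
// Added example: defensive postMessage handling (hypothetical names).

// Exact origins that may message the component. A suffix rule such as
// "anything under .claude.ai" is replaced by an enumerated set.
const TRUSTED_ORIGINS = new Set([
  "https://claude.ai",
  "https://a-cdn.claude.ai", // constructed entry, kept only if this host must message
]);

// The permissive pattern: any subdomain passes, because only the suffix is tested.
function originAllowedBySuffix(origin) {
  return origin.endsWith(".claude.ai") || origin.endsWith("//claude.ai");
}

// The hardened pattern: the full origin (scheme + host) must match exactly.
function originAllowedExact(origin) {
  return TRUSTED_ORIGINS.has(origin);
}

// Escape a string so it can be placed inside HTML as text, never as markup.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Process one message event ({ origin, data }). Returns the HTML fragment
// that is safe to render, or null when the message is rejected.
// The origin policy is injectable only so both policies can be compared.
function handleMessage(event, originAllowed = originAllowedExact) {
  if (typeof event.origin !== "string" || !originAllowed(event.origin)) {
    return null; // untrusted sender: the message is dropped before any parsing
  }
  const data = event.data;
  if (!data || typeof data !== "object") return null;
  const table = data.stringTable;
  if (!table || typeof table !== "object") return null;

  // Every key and value is escaped; attacker-controlled markup stays inert text.
  const parts = [];
  for (const [key, value] of Object.entries(table)) {
    if (typeof value !== "string") continue; // ignore non-string entries
    parts.push(`<span data-key="${escapeHtml(key)}">${escapeHtml(value)}</span>`);
  }
  return parts.join("");
}
```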

The Exploit Chain

An attacker could embed the vulnerable Arkose component within a hidden `