ShadowPrompt: How Any Website Could Have Hijacked Claude’s Chrome Extension

Author: Oren Yomtov
Published: March 26, 2026
Source: https://www.koi.ai/blog/shadowprompt-how-any-website-could-have-hijacked-anthropic-claude-chrome-extension

Summary

Koi Security researcher Oren Yomtov disclosed “ShadowPrompt,” a vulnerability chain in Anthropic’s Claude Chrome extension (reported as having 3+ million users) that let any website silently inject prompts into the AI assistant with no user interaction. By combining an overly permissive origin allowlist in the extension with a DOM-based XSS in a third-party CAPTCHA component hosted on a Claude subdomain, an attacker could drive the user’s authenticated Claude session — reading chat history, exfiltrating connected-account tokens, and performing actions such as sending email. The issue was responsibly disclosed via HackerOne and has been fixed in both the extension and the CAPTCHA component.

Technical Details

The attack chains two flaws. First, the extension’s messaging API accepted onboarding_task messages from any *.claude.ai subdomain rather than validating the exact origin, so any code running on a Claude subdomain could send commands to the extension via chrome.runtime.sendMessage(). Second, the Arkose Labs CAPTCHA component hosted at a-cdn.claude.ai (version 1.26.0 and earlier) accepted postMessage from any origin without verification and rendered its stringTable field as raw HTML through dangerouslySetInnerHTML with no sanitization — a classic DOM-based XSS. An attacker embeds the vulnerable Arkose component in a hidden iframe on their own page, sends an XSS payload via postMessage to gain JavaScript execution on the a-cdn.claude.ai subdomain, and from that trusted origin issues malicious prompts to the Claude extension. No CVE identifier is cited in the article.

Impact

Because the injected prompts run inside the victim’s authenticated Claude session and require no clicks or permission prompts, an attacker’s page could abuse whatever Claude is connected to — the article cites stealing Gmail and Google Drive access tokens, reading chat history, sending emails, and accessing contacts. The vulnerable extension versions are those below 1.0.41; version 1.0.41 and later are patched.

Mitigation

Both halves of the chain are fixed; users should ensure the Claude Chrome extension is updated to 1.0.41 or later. Anthropic deployed a strict origin check requiring exactly https://claude.ai on January 15, 2026 (verified January 18). Arkose Labs remediated the XSS by February 19, 2026, with the vulnerable URL now returning HTTP 403; full retest confirmed resolution on February 24, 2026. The disclosure timeline: reported to Anthropic via HackerOne on December 26, 2025 and confirmed the next day; the XSS was reported to Arkose Labs on February 3, 2026. The broader lesson is to validate exact message origins rather than wildcard subdomains, and to never render untrusted postMessage data as raw HTML.
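
The two checks named in that lesson, as an added example that is not code from the extension, the CAPTCHA component, or the original article. Function names, the sample values, and the assumed shape of stringTable (a flat object of strings) are constructed for illustration.

```javascript
// Added illustration; function names and sample values are constructed.
const TRUSTED_ORIGIN = "https://claude.ai";

// Weak check: trusts every subdomain, so script running on any one of them
// (for example a CDN host serving third-party code) is treated as first party.
function wildcardOriginAllowed(origin) {
  try {
    const { protocol, hostname } = new URL(origin);
    return protocol === "https:" &&
      (hostname === "claude.ai" || hostname.endsWith(".claude.ai"));
  } catch {
    return false;
  }
}

// Strict check: the serialized origin must equal one exact value.
function exactOriginAllowed(origin) {
  try {
    return new URL(origin).origin === TRUSTED_ORIGIN;
  } catch {
    return false;
  }
}

// Escape for contexts where text must be placed into markup. In a browser,
// assigning to element.textContent avoids building HTML at all.
function escapeHtml(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return text.replace(/[&<>"']/g, (ch) => map[ch]);
}

// postMessage receiver: reject unknown origins first, then accept only a flat
// object of strings (assumed shape of stringTable) and return it escaped.
function acceptStringTable(event, expectedOrigin) {
  if (event.origin !== expectedOrigin) return null;
  const table = event.data && event.data.stringTable;
  if (table === null || typeof table !== "object" || Array.isArray(table)) return null;
  const safe = {};
  for (const [key, value] of Object.entries(table)) {
    if (typeof value !== "string") return null;
    safe[key] = escapeHtml(value);
  }
  return safe;
}
```

The wildcard check accepts https://a-cdn.claude.ai while the exact check rejects it, which is the difference that separated the vulnerable extension behaviour from the fixed one.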
