Cybersecurity researchers have disclosed a vulnerability in Anthropic’s Claude Google Chrome Extension that could have been exploited to trigger malicious prompts simply by visiting a web page.
The flaw “allowed any website to silently inject prompts into that assistant as if the user wrote them,” Koi Security researcher Oren Yomtov said in a report shared with The Hacker News. “No clicks, no permission prompts. Just visit a page, and an attacker completely controls your browser.”
Protect your privacy by Mullvad VPN. Mullvad VPN is one of the famous brands in the security and privacy world. With Mullvad VPN you will not even be asked for your email address. No log policy, no data from you will be saved. Get your license key now from the official distributor of Mullvad with discount: SerialCart® (Limited Offer).
➤ Get Mullvad VPN with 12% Discount
The issue chains two underlying flaws –
- An overly permissive origin allowlist in the extension that allowed any subdomain matching the pattern (*.claude.ai) to send a prompt to Claude for execution.
- A document object model (DOM)-based cross-site scripting (XSS) vulnerability in an Arkose Labs CAPTCHA component hosted on “a-cdn.claude[.]ai.”
Specifically, the XSS vulnerability enables the execution of arbitrary JavaScript code in the context of “a-cdn.claude[.]ai.” A threat actor could leverage this behavior to inject JavaScript that issues a prompt to the Claude extension.
The extension, for its part, allows the prompt to land in Claude’s sidebar as if it’s a legitimate user request simply because it comes from an allow-listed domain.
“The attacker’s page embeds the vulnerable Arkose component in a hidden <iframe>, sends the XSS payload via postMessage, and the injected script fires the prompt to the extension,” Yomtov explained. “The victim sees nothing.”
Successful exploitation of this vulnerability could allow the adversary to steal sensitive data (e.g., access tokens), access conversation history with the AI agent, and even perform actions on behalf of the victim (e.g., sending emails impersonating them, asking for confidential data).
Following responsible disclosure on December 27, 2025, Anthropic deployed a patch to the Chrome extension that enforces a strict origin check requiring an exact match to the domain “claude[.]ai.” Arkose Labs has since fixed the XSS flaw at its end as of February 19, 2026.
“The more capable AI browser assistants become, the more valuable they are as attack targets,” Koi said. “An extension that can navigate your browser, read your credentials, and send emails on your behalf is an autonomous agent. And the security of that agent is only as strong as the weakest origin in its trust boundary.”
Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post.
Some parts of this article are sourced from:
thehackernews.com
Masters of Imitation: How Hackers and Art Forgers Perfect the Art of Deception
Mar 26, 2026
Artificial Intelligence / Threat Detection
Unmasking impostors is something the art world has faced for decades, and there are valuable lessons from the works of Elmyr de Hory that can apply to the world of defensive cybersecurity. During the 1960s, de Hory gained infamy as a premier forger, passing off counterfeit masterworks of Picasso, Matisse, and Renoir to unsuspecting collectors and renowned museums. Over the next several decades, more than a thousand of his works slipped past experts who relied on trusted signatures, familiar patterns, and reputable provenance. It’s not unlike the challenges SOCs are facing now. We’re firmly in the Age of Imitation. Cyberattackers, equipped with AI, are mastering the art of imitating the familiar, posing as trusted users and masking their activity within legitimate processes and ordinary network traffic. As history shows, it’s often easier to identify impostors when you know what to look for. Key takeaways for defenders: Mimicry is the new normal: 81% of attacks are malware-free Ag…