Critical AI Browser Risk: Claude Extension Flaw Enabled Zero-Click Prompt Injection

-

 

Security researchers have uncovered a critical vulnerability in Claude Chrome Extension developed by Anthropic, exposing users to zero-click attacks that could silently hijack the AI assistant.

The flaw allowed attackers to inject malicious prompts into the extension without any user interaction, simply by visiting a compromised or malicious website.

How the Attack Worked

The vulnerability, dubbed ShadowPrompt, was not a single bug but a chain of weaknesses that together created a powerful exploit path.

At its core, the issue relied on two key problems:

  • The extension trusted any subdomain under *.claude.ai
  • A cross-site scripting (XSS) vulnerability existed in a trusted subdomain component

By combining these, attackers could deliver malicious instructions that the extension would treat as legitimate user input.

This meant that simply visiting a webpage could trigger hidden background code that sends commands directly to the AI assistant without clicks, prompts, or visible interaction.

Zero-Click Prompt Injection Explained

Unlike traditional attacks that require phishing or user action, this vulnerability enabled zero-click prompt injection.

In practice, attackers could:

  • Inject hidden prompts into the Claude assistant
  • Make the extension execute actions as if requested by the user
  • Extract sensitive data such as API keys, credentials, or chat history
  • Manipulate browser activity or automate unintended actions

This fundamentally breaks the trust model of AI assistants, where the system assumes all received prompts originate from the user.

Why This Is a Serious Threat

What makes this vulnerability particularly dangerous is the level of access modern AI assistants have.

Browser-based AI tools like Claude are not passive, they can:

  • Read webpage content
  • Interact with applications
  • Execute multi-step tasks

When combined with prompt injection, this turns the assistant into a high-privilege attack vector, effectively acting on behalf of the attacker instead of the user.

This highlights a broader issue: trusted origin does not equal trusted intent.

Patch and Mitigation

The vulnerability has now been addressed through coordinated fixes:

  • Anthropic updated the extension to enforce stricter origin validation
  • The vulnerable XSS component in the trusted subdomain was patched

Users are strongly advised to update to the latest version of the Claude Chrome Extension, as older versions may still be vulnerable.

Additional security measures include:

  • Avoiding unnecessary browser extensions
  • Monitoring extension behavior and permissions
  • Treating AI-generated or externally injected prompts as untrusted
  • Implementing stricter browser and endpoint security controls

Why This Matters

This incident highlights a new class of vulnerabilities emerging in AI systems: prompt injection at the browser level.

As AI assistants gain more autonomy and deeper integration with user environments, they become increasingly attractive targets. Traditional security assumptions—like trusting internal domains—are no longer sufficient.

The takeaway is clear: securing AI systems requires not just protecting code, but also controlling how instructions are received, validated, and executed.

Resources


Comments

Post a Comment

Popular posts from this blog

The Hidden Lag Killing Your SIEM Efficiency

-
Image
  If your security tools feel slower than they should, you’re not imagining it. Many IT teams blame their sluggish SIEM performance on query complexity or alert volume. But sometimes the real issue is much simpler: oversized input files quietly dragging your system down. Think about the last time you had to sift through a bloated PDF or an unoptimised log dump. Every unnecessary megabyte adds strain. Every redundant line eats up cycles. Your SIEM doesn’t just react to threats—it processes all incoming data, relevant or not. When it starts lagging, detection gets delayed, triage slows, and in the high-stakes world of threat response, even seconds count. We often focus on analytics and rule tuning, but upstream efficiency—what you feed into your system—deserves just as much attention. This article looks at how optimising your inputs unlocks downstream performance. Why Oversized Files Clog the Pipeline As data volumes grow, organisations face esca lating  data storage costs ,...
Read more

Critical Vulnerability in Veeam Backup & Replication Exposes Enterprises to Remote Code Execution

-
Image
Critical Vulnerability in Veeam Backup & Replication Exposes Enterprises to Remote Code Execution By : Rei Ibraima A newly discovered critical vulnerability in Veeam’s Backup & Replication software, designated as CVE-2025-23120, poses a significant security risk to enterprise environments. The flaw allows authenticated domain users to execute arbitrary code remotely, potentially leading to full compromise of backup infrastructures. About CVE-2025-23120 The vulnerability arises from an insecure deserialization issue within Veeam Backup & Replication components—particularly in the .NET classes Veeam.Backup.EsxManager.xmlFrameworkDs and Veeam.Backup.Core.BackupSummary. Improper input validation in these components allows attackers to inject malicious serialized objects that are executed on the server side, resulting in Remote Code Execution (RCE). This issue affects systems where Veeam Backup & Replication is deployed in a domain-joined configuration, which—while common—is...
Read more

Lotus Panda Hacks SE Asian Governments With Browser Stealers and Sideloaded Malware

-
Image
The China-linked cyber espionage group tracked as Lotus Panda has been attributed to a campaign that compromised multiple organizations in an unnamed Southeast Asian country between August 2024 and February 2025. "Targets included a government ministry, an air traffic control organization, a telecoms operator, and a construction company," the Symantec Threat Hunter Team said in a new report shared with The Hacker News. "The attacks involved the use of multiple new custom tools, including loaders, credential stealers, and a reverse SSH tool." The intrusion set is also said to have targeted a news agency located in another country in Southeast Asia and an air freight organization located in another neighboring country. The threat cluster, per Broadcom's cybersecurity division, is assessed to be a continuation of a campaign that was disclosed by the company in December 2024 as a high-profile organization in Southeast Asia since at least October 2023. ...
Read more