ShadowPrompt: How a Zero-Click Vulnerability in Claude's Chrome Extension Could Hijack Your Browser

A zero-click vulnerability in Anthropic's Claude Chrome extension allowed any website to silently inject prompts and steal sensitive data. Here's what happened, how it worked, and what it means for your AI tool governance.


TL;DR

| What You Need to Know | Details |
| --- | --- |
| What happened | A zero-click vulnerability chain in Anthropic's Claude Chrome extension allowed any website to silently inject prompts into the AI assistant |
| Who was affected | All 3+ million users running the extension prior to version 1.0.41 |
| How it worked | Attackers chained an overly permissive origin allowlist with a DOM-based XSS in a third-party CAPTCHA component |
| What could be stolen | Gmail access tokens, Google Drive files, chat history, and the ability to send emails as the victim |
| Is it fixed? | Yes. Update to extension version 1.0.41 or higher |
| Compliance angle | Browser extensions are third-party software. SOC 2 and ISO 27001 require you to assess and govern them |

Quick Answer: ShadowPrompt was a critical vulnerability in the Claude Chrome extension that let any malicious website inject arbitrary prompts into Claude, with zero user interaction. The attacker could then exfiltrate sensitive data, steal authentication tokens, and impersonate the victim. Anthropic patched it within three weeks of disclosure. The incident is a clear reminder that AI browser extensions need the same governance and vetting as any other third-party tool in your stack.


In March 2026, security researchers at Koi Security published a detailed writeup of a vulnerability they named ShadowPrompt. The flaw affected Anthropic's Claude Chrome extension, which has over 3 million users, and could be exploited by any website without a single click from the victim.

No permission prompts. No suspicious pop-ups. Just visit a page, and an attacker takes full control of your AI assistant.

This post breaks down the technical attack chain, explains why it matters for organizations adopting AI tools, and outlines the specific steps you should take to protect your team.


What Is ShadowPrompt?

ShadowPrompt is a zero-click prompt injection vulnerability that chained two separate security flaws to achieve silent, remote exploitation of the Claude Chrome extension.

The name captures what made it dangerous: an attacker could shadow the user's interaction with Claude by injecting hidden prompts, turning the AI assistant into an unwitting tool for data theft.

Flaw 1: Overly Permissive Origin Allowlist

The Claude Chrome extension used a messaging API to receive instructions from the Claude web interface. To verify that messages came from a trusted source, it checked the sender's origin against an allowlist.

The problem: the allowlist accepted any subdomain matching *.claude.ai, not just the primary claude.ai domain. This meant that any page hosted on a subdomain of claude.ai could send prompt execution commands to the extension.
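The wildcard check described above, next to the exact-match check that this article credits as the v1.0.41 fix, as an added example (not Anthropic's code). The function names, the handler shape and the sample origins are assumptions made for illustration.

```javascript
// Added example: hypothetical helpers, not the extension's real code.
const TRUSTED_ORIGIN = "https://claude.ai";

// Parse a sender origin string; return null when it is not a valid URL.
function parseOrigin(value) {
  try {
    return new URL(value);
  } catch {
    return null;
  }
}

// Weak form: models a "*.claude.ai" pattern. Every subdomain is trusted,
// so one scriptable subdomain is enough to reach the extension.
function isTrustedWildcard(senderOrigin) {
  const url = parseOrigin(senderOrigin);
  if (!url || url.protocol !== "https:") return false;
  return url.hostname === "claude.ai" || url.hostname.endsWith(".claude.ai");
}

// Strict form: scheme, host and port must equal one known origin.
function isTrustedExact(senderOrigin) {
  const url = parseOrigin(senderOrigin);
  return url !== null && url.origin === TRUSTED_ORIGIN;
}

// Gate placed in front of any external-message handling (hypothetical shape).
function handleExternalMessage(message, senderOrigin, isTrusted) {
  if (!isTrusted(senderOrigin)) return { ok: false, error: "Untrusted origin" };
  return { ok: true, accepted: message.type };
}

// Constructed sample origins.
const samples = [
  "https://claude.ai",
  "https://a-cdn.claude.ai",
  "http://claude.ai",
  "https://claude.ai.evil.example",
];

// Evaluate both checks side by side for each sample.
function compareChecks(origins) {
  return origins.map((origin) => ({
    origin,
    wildcard: isTrustedWildcard(origin),
    exact: isTrustedExact(origin),
  }));
}

console.table(compareChecks(samples));
```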

Flaw 2: DOM-Based XSS in a Third-Party CAPTCHA

Anthropic used Arkose Labs for CAPTCHA challenges, hosted at a-cdn.claude.ai. This component had two issues:

  1. It accepted postMessage events from any origin without validation
  2. It rendered user-controlled data as raw HTML using React's dangerouslySetInnerHTML without sanitization

An attacker could inject a payload like <img src=x onerror="..."> to execute arbitrary JavaScript within the a-cdn.claude.ai origin, which the extension's allowlist already trusted.
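One way to close both issues on the receiving side of postMessage, as an added example that is not Arkose Labs' or Anthropic's code. The parent origin https://parent.example, the set_label message type, the element id and the function names are hypothetical.

```javascript
// Added example: hypothetical widget code, not the real CAPTCHA component.
// Assumption: exactly one parent page is allowed to message the widget.
const ALLOWED_PARENTS = new Set(["https://parent.example"]);
const MAX_LABEL_LENGTH = 200;

// Return the label string a message may display, or null if it is rejected.
function validatedLabel(event) {
  // 1. Exact origin match. Skipping this check lets any embedding page in.
  if (!ALLOWED_PARENTS.has(event.origin)) return null;
  // 2. Shape check: accept one known message type carrying a short string.
  const data = event.data;
  if (typeof data !== "object" || data === null) return null;
  if (data.type !== "set_label" || typeof data.label !== "string") return null;
  if (data.label.length > MAX_LABEL_LENGTH) return null;
  return data.label;
}

// For the rare case where the value must be placed inside an HTML string.
function escapeHtml(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Browser wiring (skipped outside a browser). textContent never parses markup;
// in React the equivalent is rendering {label} as a child instead of using
// dangerouslySetInnerHTML.
if (typeof window !== "undefined" && typeof document !== "undefined") {
  window.addEventListener("message", (event) => {
    const label = validatedLabel(event);
    const node = document.getElementById("label"); // hypothetical element id
    if (label !== null && node) node.textContent = label;
  });
}
```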


The Attack Chain in Practice

Here's how the full exploit worked, step by step:

  1. Victim visits a malicious website (or a legitimate site with injected ads/scripts)
  2. The site embeds a hidden iframe pointing to the vulnerable Arkose CAPTCHA component on a-cdn.claude.ai
  3. The attacker sends a postMessage with an XSS payload to the iframe
  4. The CAPTCHA component renders the payload, executing attacker-controlled JavaScript in the a-cdn.claude.ai context
  5. The injected script sends a message to the Claude extension: chrome.runtime.sendMessage('extension_id', {type: 'onboarding_task', payload: {prompt: 'ATTACKER_PROMPT'}})
  6. The extension validates the origin as a-cdn.claude.ai, which matches *.claude.ai, and executes the prompt

The entire chain ran from an invisible iframe. The victim saw nothing.

What an Attacker Could Do

Once the attacker could inject arbitrary prompts, Claude would execute them with the user's full permissions. Demonstrated capabilities included:

  • Stealing Gmail access tokens for persistent account compromise
  • Exporting Google Drive contents by instructing Claude to read and relay file data
  • Accessing full chat history with the AI assistant
  • Sending emails as the victim, enabling phishing from a trusted address
  • Reading page content from any tab the extension could access

This wasn't a theoretical risk. The researchers built a working proof of concept demonstrating each of these scenarios.


Disclosure Timeline and Anthropic's Response

Anthropic handled the disclosure responsibly and moved quickly:

| Date | Event |
| --- | --- |
| Dec 26, 2025 | Vulnerability reported to Anthropic via HackerOne |
| Dec 27, 2025 | Anthropic confirmed and triaged the report |
| Jan 15, 2026 | Extension patched (v1.0.41) with strict origin check requiring exactly https://claude.ai |
| Jan 18, 2026 | Fix verified, PoC now rejected with "Untrusted origin" error |
| Feb 3, 2026 | Arkose Labs XSS separately reported |
| Feb 19, 2026 | Arkose Labs patched the XSS, vulnerable URL returns 403 |
| Feb 24, 2026 | Full retest confirmed both issues resolved |

Credit where it's due: a 20-day turnaround from report to patch is solid, and Anthropic's fix was the right one, replacing the wildcard *.claude.ai pattern with an exact match for https://claude.ai.


Why This Matters Beyond Claude

ShadowPrompt is not just a story about one extension. It highlights a structural problem with how organizations adopt AI tools.

AI Extensions Are Privileged Software

Browser extensions operate with permissions that most users don't fully understand. Research from 2026 shows that 99% of enterprise users have at least one browser extension installed, and 53% have extensions with "high" or "critical" permission scopes, meaning access to cookies, passwords, and browsing activity.

AI extensions are even more sensitive because they can read, summarize, and act on content across tabs. When an AI assistant has access to Gmail, Google Drive, and your browsing session, a prompt injection vulnerability becomes an everything-access vulnerability.

The Supply Chain Problem

ShadowPrompt also illustrates third-party supply chain risk. The XSS vulnerability wasn't in Anthropic's own code. It was in Arkose Labs' CAPTCHA component, a dependency Anthropic integrated but didn't fully control. This mirrors the same pattern we've seen in CI/CD pipelines and package registries: your security posture is only as strong as your weakest dependency.

Shadow AI Is Growing

The term "Shadow AI" describes the growing use of AI tools that employees install without IT approval or security review. As Palo Alto Networks noted, browser-based AI tools are one of the least-governed attack surfaces in the enterprise. Employees install Claude, ChatGPT, or Copilot extensions because they're productive, but without any security evaluation of the permissions those extensions require.


What Compliance Frameworks Say

If your organization is pursuing or maintaining SOC 2 or ISO 27001 certification, ShadowPrompt is a textbook example of the risks these frameworks are designed to address.

SOC 2

  • CC6.1 (Logical and Physical Access Controls): Requires organizations to restrict and manage access to information assets. Browser extensions with broad permissions represent uncontrolled access points that need to be inventoried and evaluated.
  • CC3.2 (Risk Assessment): Third-party software, including browser extensions, must be assessed for risk. An extension with access to email, files, and browsing data is high-risk by definition.
  • CC7.1 (System Monitoring): Organizations need the ability to detect and respond to security events. Without browser extension monitoring, a ShadowPrompt-style attack would leave no trace in your existing security tooling.

ISO 27001

  • A.8.1 (User Endpoint Devices): Requires organizations to secure endpoint devices, including controlling what software is installed. Browser extensions fall squarely within this scope.
  • A.5.19-5.22 (Supplier Relationships): Mandates security evaluation of suppliers and their products. Anthropic is a supplier; their Chrome extension is a product deployed on your endpoints.
  • A.8.9 (Configuration Management): Requires documented and enforced configuration baselines. An unmanaged browser extension inventory violates this control.

The bottom line: if an auditor asks whether you have a policy governing browser extensions and AI tool usage, and you don't, that's a finding.


Practical Recommendations

Here's what you should do today to reduce your exposure to vulnerabilities like ShadowPrompt.

1. Audit Your Browser Extensions

Use Chrome's built-in enterprise management or a browser security tool to inventory all installed extensions across your organization. Flag any with:

  • Access to <all_urls> or broad host permissions
  • Permissions to read browsing history, cookies, or identity data
  • The ability to modify page content or intercept network requests

Prioritize AI-related extensions for immediate review.
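The three criteria above applied to exported manifest.json data, as an added example rather than a tool from the original article. The permission groupings, finding names and sample manifests are assumptions; the extra externally_connectable check goes beyond the list above and flags the same kind of wildcard subdomain trust discussed under Flaw 1.

```javascript
// Added example: hypothetical audit helper, not part of the original article.
const BROAD_HOSTS = new Set(["<all_urls>", "*://*/*", "http://*/*", "https://*/*"]);
const DATA_PERMS = new Set(["history", "cookies", "identity"]);
const MODIFY_PERMS = new Set(["scripting", "webRequest", "declarativeNetRequest", "debugger"]);

// Collect every host pattern an extension can reach.
// Manifest V2 mixes host patterns into "permissions", so include that list too.
function hostPatterns(manifest) {
  const scripts = (manifest.content_scripts || []).flatMap((cs) => cs.matches || []);
  return [
    ...(manifest.permissions || []),
    ...(manifest.host_permissions || []),
    ...(manifest.optional_host_permissions || []),
    ...scripts,
  ];
}

// Return the findings for one manifest.
function auditManifest(manifest) {
  const findings = [];
  const perms = manifest.permissions || [];
  if (hostPatterns(manifest).some((p) => BROAD_HOSTS.has(p))) findings.push("broad-host-access");
  const data = perms.filter((p) => DATA_PERMS.has(p));
  if (data.length) findings.push("reads-user-data:" + data.join(","));
  const modify = perms.filter((p) => MODIFY_PERMS.has(p));
  if (modify.length || (manifest.content_scripts || []).length) findings.push("modifies-or-intercepts");
  // Pages allowed to message the extension; a wildcard subdomain widens that trust.
  const external = (manifest.externally_connectable || {}).matches || [];
  if (external.some((m) => m.includes("*."))) findings.push("wildcard-externally-connectable");
  return findings;
}

// Constructed sample manifests (not real extensions).
const inventory = [
  { name: "AI helper (constructed)", manifest_version: 3,
    permissions: ["cookies", "scripting", "storage"],
    host_permissions: ["<all_urls>"],
    externally_connectable: { matches: ["https://*.vendor.example/*"] } },
  { name: "Notes (constructed)", manifest_version: 3,
    permissions: ["storage"], host_permissions: ["https://notes.example/*"] },
];

// Audit a whole inventory and keep the extension name next to its findings.
function auditInventory(items) {
  return items.map((m) => ({ name: m.name, findings: auditManifest(m) }));
}

console.log(JSON.stringify(auditInventory(inventory), null, 2));
```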

2. Enforce a Browser Extension Policy

Create an explicit policy that defines:

  • Approved extensions (allowlist) for your organization
  • Approval process for new extension requests
  • Prohibited categories (e.g., extensions that access email or file storage without IT review)
  • Auto-update requirements so patches like Anthropic's v1.0.41 are applied immediately

Use Chrome Enterprise policies or an MDM solution to enforce this at the browser level, not just on paper.

3. Implement an AI Tool Usage Policy

AI tools need their own governance framework. Your policy should cover:

  • Which AI tools are approved for business use
  • What data employees are allowed to share with AI assistants
  • Whether AI extensions are permitted on corporate browsers
  • How AI tool vendors are evaluated for security (vendor risk assessment)
  • Incident response procedures if an AI tool is compromised

4. Apply Least Privilege to Extensions

For approved extensions, restrict permissions to the minimum required:

  • Use Chrome's site access controls to limit which sites an extension can access
  • Prefer "on click" over "on all sites" access
  • Disable extensions in incognito mode unless specifically required

5. Monitor for Extension-Based Threats

Add browser extension activity to your security monitoring. Key signals include:

  • New extensions installed outside your approved list
  • Extensions requesting permission upgrades
  • Unusual data flows from extensions to external endpoints
  • Extensions communicating with unexpected domains

6. Include AI Tools in Vendor Risk Assessments

When evaluating AI tool vendors, ask:

  • Does the vendor have a vulnerability disclosure program (e.g., HackerOne)?
  • How quickly have they responded to past security incidents?
  • What permissions does their browser extension require, and why?
  • Does the vendor publish a SOC 2 Type II report or ISO 27001 certificate?
  • How do they handle third-party dependencies (like the Arkose Labs component in this case)?

Anthropic's quick response to ShadowPrompt is a positive signal. But the vulnerability itself, specifically the wildcard origin check, was a fundamental design flaw that should have been caught during development.


The Bigger Picture

ShadowPrompt sits at the intersection of three trends that security teams need to address together:

  1. AI tool proliferation: Employees are adopting AI extensions faster than security teams can evaluate them
  2. Browser-as-attack-surface: Browsers have become the primary work interface, making extensions a prime target
  3. Supply chain complexity: Even well-funded vendors like Anthropic depend on third-party components that introduce risk

The path forward isn't to ban AI tools. It's to govern them with the same rigor you apply to any other third-party software, because that's exactly what they are.

If you're building or maintaining SOC 2 or ISO 27001 compliance, now is the time to add browser extension governance and AI tool policies to your control set. The auditors will catch up eventually. You should be ahead of them.


Immediate Action Items

  • Check your Claude extension version: Go to chrome://extensions and verify you're running version 1.0.41 or higher
  • Inventory all AI browser extensions in your organization
  • Add browser extensions to your next risk assessment cycle
  • Draft or update your AI tool usage policy before your next audit
  • Include browser extension governance in your SOC 2 or ISO 27001 scope

Need help building AI tool governance into your compliance program? At Bastion, we help startups and SMBs achieve SOC 2 and ISO 27001 certifications with managed services that cover exactly these kinds of emerging risks. Talk to us about getting your security posture audit-ready.
