Critical Zero-Click Vulnerability in Claude Chrome Extension Exposed 3M Users to Silent Hijacking A now-patched zero-click vulnerability in Anthropic’s Claude Chrome Extension left over 3 million users vulnerable to silent prompt-injection attacks, enabling malicious actors to hijack the AI assistant without any user interaction. The exploit, discovered by KOI Security, could have allowed attackers to steal Gmail access tokens, read Google Drive files, export chat histories, and send emails all invisibly. The attack chain leveraged two critical flaws: 1. Overly Permissive Origin Allowlist – The extension’s messaging API accepted prompts from any `.claude.ai` subdomain, including third-party components like Arkose Labs’ CAPTCHA verification*, which was hosted on `a-cdn.claude.ai`. 2. DOM-Based XSS in Arkose CDN – An older, predictable version of the CAPTCHA component contained an unsanitized `stringTable` field, allowing arbitrary JavaScript execution via `dangerouslySetInnerHTML` in React. Attackers could embed the vulnerable component in a hidden iframe, triggering the exploit when a victim visited a malicious page. Once executed, the injected script sent a malicious prompt to the Claude extension, which treated it as a legitimate user command due to the trusted origin. The attack required no clicks, permissions, or visible indicators, making it nearly undetectable. Demonstrated attack scenarios included: - Theft of Google OAuth tokens (persistent access to Gmail/Drive) - Exfiltration of LLM conversation history - Silent email sending via compromised accounts Anthropic was responsibly disclosed via HackerOne on December 26, 2025, confirmed the flaw within 24 hours, and deployed a fix on January 15, 2026, replacing the wildcard allowlist with a strict `https://claude.ai` origin check. The Arkose Labs XSS was separately patched by February 19, 2026, after being reported on February 3. The incident highlights a systemic risk in AI browser agents: third-party components hosted on first-party subdomains can silently expand trust boundaries, creating exploitable attack surfaces. As AI assistants gain deeper browser access, supply chain vulnerabilities become higher-value targets for attackers.