Claude Chrome Extension 0-Click Exploit: AI Hijack Without a Hint

A newly patched zero-click vulnerability in Anthropic’s Claude Chrome Extension exposed over 3 million users to silent prompt-injection attacks. The flaw, tracked as CVE-2026-33017, allowed malicious websites to hijack Claude’s browser agent without any user interaction — no clicks, no warnings, no visible signs.

What Happened

  • Extension flaw: Claude’s messaging API accepted prompts from any *.claude.ai subdomain — a dangerously broad wildcard.
  • Third-party flaw: Arkose Labs’ CAPTCHA component (hosted on a-cdn.claude.ai) contained a DOM-based XSS vulnerability.
  • Exploit chain:
    1. The attacker's site embeds the vulnerable CAPTCHA in a hidden iframe.
    2. The site sends a malicious postMessage payload.
    3. The CAPTCHA renders the payload as raw HTML, triggering JavaScript.
    4. The script calls chrome.runtime.sendMessage() to Claude.
    5. Claude executes the attacker’s prompt silently.
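
The wildcard sender check described above, set beside an exact-origin allowlist and run over constructed sender objects. This is an added example, not Anthropic's code: the function names, the single allowed origin `https://claude.ai` and the top-level-frame requirement are assumptions made for illustration.

```javascript
// Added illustration: sender validation for an extension's external
// message handler. Not the extension's actual code.

// Assumption: the one web origin that legitimately talks to the extension.
const ALLOWED_ORIGINS = new Set(["https://claude.ai"]);

// Weak form: any subdomain is trusted, including ones that host
// third-party components (the a-cdn.claude.ai case on this page).
function wildcardCheck(sender) {
  try {
    const host = new URL(sender.origin).hostname;
    return host === "claude.ai" || host.endsWith(".claude.ai");
  } catch {
    return false; // missing or unparsable origin
  }
}

// Hardened form: exact origin match (scheme + host + port), and only
// from a top-level frame, so an embedded iframe cannot speak for the tab.
function strictCheck(sender) {
  if (!sender || typeof sender.origin !== "string") return false;
  let origin;
  try {
    origin = new URL(sender.origin).origin; // normalises case and default port
  } catch {
    return false;
  }
  return ALLOWED_ORIGINS.has(origin) && sender.frameId === 0;
}

// Constructed sample senders shaped like chrome.runtime.MessageSender.
const SAMPLES = [
  { name: "first-party top frame", origin: "https://claude.ai", frameId: 0 },
  { name: "third-party CDN subdomain in iframe", origin: "https://a-cdn.claude.ai", frameId: 7 },
  { name: "first-party in iframe", origin: "https://claude.ai", frameId: 3 },
  { name: "lookalike host", origin: "https://claude.ai.example.net", frameId: 0 },
  { name: "plain http", origin: "http://claude.ai", frameId: 0 },
];

// Evaluate both checks on every sample so the difference is visible.
function audit(samples) {
  return samples.map((s) => ({
    name: s.name, wildcard: wildcardCheck(s), strict: strictCheck(s),
  }));
}

console.table(audit(SAMPLES));
```

In an extension, a check like `strictCheck` would gate the `chrome.runtime.onMessageExternal` listener, and the same narrowing applies to `externally_connectable.matches` in the manifest, which is where an extension declares the web origins allowed to message it.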

What Could Be Hijacked

  • Gmail access tokens
  • Google Drive file contents
  • Claude chat history
  • Email sending capabilities

All of this executed invisibly, with the attacker’s prompt treated as if it came from the user.

Timeline & Response

  • Dec 26, 2025: Vulnerability disclosed via HackerOne.
  • Jan 15, 2026: Anthropic patches the extension (v1.0.41+).
  • Feb 3–19, 2026: Arkose Labs XSS confirmed and patched.
  • March 27, 2026: CISA adds CVE-2026-33017 to Known Exploited Vulnerabilities list.

Why It Matters

  • Zero-click risk: No interaction required — just visiting a malicious site was enough.
  • Trusted origin abuse: Third-party components hosted on first-party subdomains silently expanded the trust boundary.
  • AI agent exposure: As browser agents gain deeper access, attackers gain higher-value targets.

What Users Should Do

  • Verify extension version: Must be 1.0.41 or higher (chrome://extensions).
  • Audit Claude permissions: Check for excessive access scopes.
  • Review chat history: Look for unexpected prompts or actions.
  • Limit exposure: Avoid using AI browser agents on untrusted sites.

Final Thought

This exploit chain is a masterclass in supply chain trust abuse. As AI assistants become embedded in browsers, their security perimeter must be airtight. Wildcard origin checks and unsanitized third-party components are no longer acceptable.

Security teams must treat AI browser agents like privileged automation — because that’s exactly what they are.
