What happened
Security researchers disclosed a vulnerability nicknamed "ShadowPrompt" in Anthropic's Claude Google Chrome extension that allowed zero-click prompt injection, according to a technical writeup on koi.ai and coverage by TheHackerNews. Koi Security researcher Oren Yomtov is credited with discovering the issue, secpod reports. Multiple outlets, including mrcloudbook and TheHackerNews, describe the issue as a two-flaw chain that let any website silently inject prompts into the extension so the assistant processed them without explicit user action. itsecuritynews, indexing SecurityWeek, reports the chain could have enabled attackers to exfiltrate Gmail access tokens, read Google Drive files, and export chat history. Security reporting indicates the extension has been patched following disclosure.
Technical details
Editorial analysis - technical context: public writeups attribute the attack to a combination of lax extension permissions and improper trust boundaries between web pages and the extension's sidebar or agent iframe. The koi.ai breakdown and TheHackerNews coverage show the chain involved a web origin that the extension treated as a trusted prompt source, plus DOM or messaging weaknesses that allowed silent injection. Researchers calling the issue "ShadowPrompt" document how the assistant accepted injected content as if it were a user request, enabling subsequent automated actions that could access or transmit sensitive tokens and files.
Context and significance
This incident underscores that browser extensions that expose agent-like interfaces broaden the attack surface beyond traditional XSS risks. Observers in security reporting argue that agent workflows which accept contextual input from web pages can bypass standard click-based consent models, increasing the potential impact of prompt injection to include credential and data theft rather than just manipulated responses.
What to watch
Editorial analysis: practitioners and platform teams should monitor vendor advisories for exact mitigation steps, review extension permission scopes, and track CVE entries or official patch notes from Anthropic. Security teams integrating browser-based agents should watch for follow-up research that demonstrates exploitability in the wild and for broader hardening recommendations from extension and browser vendors.
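One way to carry out the permission-scope review mentioned above, as an added example that is not from the koi.ai writeup or Anthropic's code: a JavaScript check that flags wildcard match patterns in a Manifest V3 manifest, covering both what the extension can reach and which pages can message it. The sample manifest, its extension name and its host name are constructed for illustration.

```javascript
// Added example: audit a Manifest V3 manifest for broad page-to-extension trust.
// The manifest below is constructed sample data, not the real extension's manifest.
const sampleManifest = {
  manifest_version: 3,
  name: "example-agent-extension",
  permissions: ["tabs", "scripting", "sidePanel"],
  host_permissions: ["<all_urls>"],
  externally_connectable: { matches: ["https://*.example-assistant.test/*"] },
  content_scripts: [{ matches: ["https://*/*"], js: ["content.js"] }],
};

// True when a match pattern covers every host or a whole subdomain tree.
function isBroadPattern(pattern) {
  if (pattern === "<all_urls>") return true;
  const m = /^(\*|https?|wss?|file|ftp):\/\/([^/]*)\//.exec(pattern);
  if (!m) return true; // unparseable: treat as broad and review by hand
  const host = m[2];
  return host === "*" || host.startsWith("*.");
}

// Returns one finding per broad pattern, with the field it came from.
function auditManifest(manifest) {
  const findings = [];
  const check = (field, patterns, why) => {
    for (const p of patterns || []) {
      if (isBroadPattern(p)) findings.push({ field, pattern: p, why });
    }
  };
  check("host_permissions", manifest.host_permissions,
    "extension can read and act on every matching site");
  check("externally_connectable.matches",
    manifest.externally_connectable && manifest.externally_connectable.matches,
    "every matching page can message the extension directly");
  for (const cs of manifest.content_scripts || []) {
    check("content_scripts.matches", cs.matches,
      "content script bridge is exposed to every matching page");
  }
  return findings;
}

for (const f of auditManifest(sampleManifest)) {
  console.log(`${f.field}: ${f.pattern} -> ${f.why}`);
}
```

A clean result only means the declared scopes are narrow; the extension's message handlers still need to verify the sender's origin before treating content as a user prompt.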
Key Points
- Zero-click prompt injection in browser extensions can escalate from manipulated assistant output to data exfiltration and token theft.
- A two-flaw chain combining lax permissions and improper trust boundaries enables silent prompt injection at browser scale.
- Practitioners should scrutinize extension permission scopes and agent input trust models to reduce attack surface for AI assistants.
Scoring Rationale
A zero-click vulnerability that could exfiltrate tokens and files in a popular AI browser extension is a significant security event for practitioners. It affects client-side integrations and highlights a new class of browser-agent risks.

