Claude Extension Flaw Enabled Zero-Click XSS Prompt Injection via Any Website Researchers disclosed "ShadowPrompt," a vulnerability in Anthropic's Claude Chrome extension that allowed any website to silently inject prompts by chaining an overly permissive (*.claude.ai) origin allowlist with a DOM-based XSS in an Arkose Labs CAPTCHA component. The flaw risked exposing access tokens, conversation history, and enabling actions like sending impersonated emails;...

The "ShadowPrompt" flaw in Anthropic’s Claude Chrome extension allowed zero-click prompt injection via any website by exploiting an overly permissive origin allowlist and a DOM XSS in an Arkose Labs CAPTCHA. #PromptInjection #BrowserFlaw #USA

🔍 Researchers uncover that hackers exploited an 18-year-old flaw in Safari, Chrome, and Firefox on macOS, targeting queries to the 0.0.0.0 IP address to breach private networks. A serious security concern. #CyberSecurity #BrowserFlaw #macOS