Claude Extension Flaw Enabled Zero-Click XSS Prompt Injection via Any Website
Why it matters: This flaw highlights critical AI extension security risks and the need for robust prompt injection defenses.
- Cybersecurity researchers disclosed a vulnerability in Anthropic's Claude Google Chrome Extension.
- The flaw enabled zero-click XSS prompt injection, meaning a malicious prompt could be triggered simply by visiting a web page.
- Any website could silently inject prompts into the Claude assistant, making it appear as if the user had written them.
A critical zero-click XSS prompt injection vulnerability was discovered in Anthropic's Claude Google Chrome Extension, allowing any website to silently inject malicious prompts into the AI assistant. This flaw could have enabled attackers to manipulate Claude's behavior without user interaction, posing a significant security risk for users of the extension.
