2026-05-08 SecurityWeek

Claude Chrome Extension Flaw Allows Attackers to Hijack AI Agent

Tags: Vulnerability, AI Security, LLM Security

Security researchers at Cisco Talos have disclosed a critical flaw in the Claude Chrome extension (version 2.3.0) that lets remote attackers hijack the AI agent by abusing the extension’s over‑privileged permissions. The extension requests broad capabilities such as "webRequest", "scripting", and "tabs", which were intended to let the agent read web content and issue commands on behalf of the user. However, the combination of these permissions with insufficient origin validation creates a pathway for malicious websites to inject arbitrary prompts directly into the agent’s runtime.

The vulnerability stems from a lack of input sanitization in the extension’s message‑handling layer. When a page loads, the content script registers a listener that forwards user input and page data to the background script without verifying the sender’s origin. By crafting a specially‑formatted JSON payload (e.g., {"type":"prompt_inject","data":""}) and sending it via `chrome.runtime.sendMessage`, an attacker can override the agent’s system instructions. This "prompt injection" technique allows the adversary to force the LLM to exfiltrate conversation history, disclose API keys stored in the extension’s local storage, and even invoke tool functions such as the code interpreter to execute arbitrary commands on the host system.

If exploited, the flaw gives a threat actor full control of the AI assistant, enabling them to read sensitive emails, manipulate calendar entries, or pivot to further attacks using the agent’s privileged access. In targeted scenarios, the attacker could impersonate the user in downstream SaaS integrations, harvest authentication tokens, or propagate malicious instructions to other connected agents. The attack surface is amplified because the extension runs automatically on all Chrome pages, making it a high‑value vector for phishing campaigns and credential‑theft operations.

Anthropic released version 2.3.1 of the Claude extension, which patches the vulnerability by implementing strict origin checks, sanitizing all incoming messages, and sandboxing prompt injection vectors. Users are strongly advised to update immediately and, as a best practice, review the extension's permission grants to ensure it retains only the capabilities essential for its functionality. Organizations can also deploy endpoint detection rules that flag unexpected outbound traffic from the extension or unusual message patterns involving the extension's background process.
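The checks described above (a sender and origin gate plus a strict message schema in the background script's message handler) look roughly like the following. This is an added illustration, not code from the Claude extension or from Anthropic; the extension ID, the origin allowlist and the message types are assumed placeholders.

```javascript
// Added example: a background-script message gate for a Chrome extension.
// Not the Claude extension's code. EXTENSION_ID, ALLOWED_ORIGINS and
// ALLOWED_TYPES are assumptions; in a real extension EXTENSION_ID is
// chrome.runtime.id and the allowlists come from the extension's own config.
const EXTENSION_ID =
  (typeof chrome !== "undefined" && chrome.runtime && chrome.runtime.id) ||
  "example-extension-id";                                  // placeholder
const ALLOWED_ORIGINS = new Set(["https://claude.ai"]);   // assumed allowlist
const ALLOWED_TYPES = new Set(["get_selection", "summarize"]); // hypothetical
const MAX_DATA_LEN = 8192;

// Returns {ok: true, type, data} for an acceptable message, else {ok: false, reason}.
// `sender` is the chrome.runtime.MessageSender passed to onMessage listeners.
function validateMessage(message, sender) {
  // 1. Only this extension's own pages and content scripts may reach the
  //    background script. A missing or foreign sender.id is rejected.
  if (!sender || sender.id !== EXTENSION_ID) {
    return { ok: false, reason: "sender is not this extension" };
  }
  // 2. A content script relays the page origin; accept only allowlisted origins
  //    (sender.origin on MV3, falling back to the origin of sender.url).
  const origin = sender.origin ?? (sender.url ? new URL(sender.url).origin : null);
  if (origin === null || !ALLOWED_ORIGINS.has(origin)) {
    return { ok: false, reason: "origin not allowed: " + origin };
  }
  // 3. Enforce a closed message schema: known type, string data, bounded size.
  //    Anything else (e.g. an unknown "prompt_inject" type) is dropped.
  if (typeof message !== "object" || message === null || !ALLOWED_TYPES.has(message.type)) {
    return { ok: false, reason: "unknown message type" };
  }
  if (typeof message.data !== "string" || message.data.length > MAX_DATA_LEN) {
    return { ok: false, reason: "invalid data field" };
  }
  return { ok: true, type: message.type, data: message.data };
}

// Wiring into the extension runtime; skipped when run outside a browser.
if (typeof chrome !== "undefined" && chrome.runtime && chrome.runtime.onMessage) {
  chrome.runtime.onMessage.addListener((message, sender, sendResponse) => {
    const verdict = validateMessage(message, sender);
    if (!verdict.ok) {
      console.warn("dropped message:", verdict.reason); // candidate detection signal
      sendResponse({ error: "rejected" });
      return;
    }
    // Dispatch verdict.type / verdict.data to the agent's normal handlers here.
    sendResponse({ ok: true });
  });
}
```

Rejected messages are logged with their reason, which gives the "unusual message patterns" telemetry the article recommends a concrete source.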

Source: SecurityWeek
