Claude Chrome extension’s “zero-click” flaw confirms it: the better the browser, the easier the hack


A newly discovered “zero-click” vulnerability in Anthropic’s Claude Chrome Extension shows that the more powerful an AI browser assistant becomes, the more attractive a target it is for attackers.

The critical zero-click vulnerability in the browser-based AI assistant, first reported in late 2025 by a security researcher through HackerOne, exposed millions of users to potential account takeover simply by visiting a malicious website.


The flaw allowed attackers to inject commands into the extension without any user interaction.

In its analysis of the proof-of-concept attack, endpoint security firm KO1 notes that the researcher chained together two separate issues.

The first was that the Chrome extension trusted any subdomain under *.claude.ai, an overly broad rule that created a large attack surface: any page served from any Claude subdomain was treated as Claude itself.


The second was a vulnerability in an Arkose Labs-provided CAPTCHA component that was hosted on a Claude-owned domain, a-cdn.claude.ai.

Because it was served from a Claude domain, the browser extension trusted it as if it were Claude itself.

But the CAPTCHA component was found to contain a bug: it accepted messages from any website, without checking where they came from, and rendered the data they carried as HTML without proper filtering.

Flaw inside Arkose Labs' CAPTCHA meant that the AI browser accepted messages from any site. Image by Cybernews

This meant that an attacker could send malicious data into the CAPTCHA component from their own page, get it to run JavaScript, and have that JavaScript execute on a Claude-trusted domain, which is exactly what the extension's trust rule required.
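To make the two chained issues concrete, the following is an added example and not code from Anthropic, Arkose Labs or KO1's write-up. The function names, the constructed message events and the plain-object stand-in for a DOM element are all assumptions, and it runs under Node rather than in a browser. It contrasts the wildcard subdomain rule with an exact-origin pin, and a message handler that ignores the sender's origin and writes into innerHTML with one that checks the origin and writes text. It goes slightly beyond the article in one place: the comment on the suffix check notes a common pitfall (matching "claude.ai" without the leading dot) that the article does not mention.

```javascript
// Added illustration (hypothetical names); not the extension's or the CAPTCHA's real code.
// Runs under Node: the "DOM element" is a plain-object stand-in for a render sink.

// --- Issue 1: how broad is the extension's trust rule? ---

// Over-broad rule modelled on the article's "*.claude.ai": any https host that is
// claude.ai or ends in ".claude.ai" is treated as Claude itself. The leading dot
// matters: a plain endsWith("claude.ai") would also accept evilclaude.ai.
function isTrustedOriginBroad(origin) {
  let url;
  try { url = new URL(origin); } catch { return false; }
  if (url.protocol !== "https:") return false;
  return url.hostname === "claude.ai" || url.hostname.endsWith(".claude.ai");
}

// Stricter rule: pin the exact origins the extension needs to talk to, so a
// third-party widget served from a sibling subdomain is not trusted.
// Assumption: only the main app origin belongs on the list.
const TRUSTED_ORIGINS = new Set(["https://claude.ai"]);
function isTrustedOriginStrict(origin) {
  return TRUSTED_ORIGINS.has(origin);
}

// --- Issue 2: the CAPTCHA frame's window-message handler ---

// Vulnerable shape: no check of event.origin, and the payload goes straight
// into innerHTML, so any page can postMessage() markup into the frame.
function handleMessageVulnerable(event, element) {
  element.innerHTML = String(event.data && event.data.message);
  return true; // message accepted
}

// Hardened shape: accept only the expected sender origin, validate the
// payload's type, and write it as text so it can never become markup.
function handleMessageHardened(event, element, expectedOrigin) {
  if (event.origin !== expectedOrigin) return false;
  const data = event.data;
  if (typeof data !== "object" || data === null || typeof data.message !== "string") return false;
  element.textContent = data.message;
  return true;
}

// Constructed messages: one from a hostile page, one from the legitimate parent.
const HOSTILE_EVENT = {
  origin: "https://attacker.example",
  data: { message: '<img src=x onerror="alert(document.domain)">' },
};
const LEGIT_EVENT = {
  origin: "https://claude.ai",
  data: { message: "Please solve the challenge" },
};

// Crude stand-in for "did active markup reach the sink": looks for an on*= handler attribute.
function looksLikeScript(html) {
  return /<[^>]+\bon\w+\s*=/i.test(html);
}

// Feed both messages to a handler and report what got through.
function runScenario(handler) {
  const element = { innerHTML: "", textContent: "" };
  const hostileAccepted = handler(HOSTILE_EVENT, element, "https://claude.ai");
  const scriptReachedSink = looksLikeScript(element.innerHTML);
  const legitAccepted = handler(LEGIT_EVENT, element, "https://claude.ai");
  return { hostileAccepted, scriptReachedSink, legitAccepted, element };
}

function main() {
  // The CAPTCHA host passes the broad rule but not the strict one.
  console.log("a-cdn.claude.ai trusted (broad):", isTrustedOriginBroad("https://a-cdn.claude.ai"));
  console.log("a-cdn.claude.ai trusted (strict):", isTrustedOriginStrict("https://a-cdn.claude.ai"));
  console.log("vulnerable handler:", runScenario(handleMessageVulnerable));
  console.log("hardened handler:", runScenario(handleMessageHardened));
}
main();
```

The chain in the article is the combination of the two left-hand columns: the hostile page's markup lands in a frame that the broad rule already trusts, so script running there is indistinguishable, from the extension's point of view, from Claude itself. Either fix alone breaks the chain; pinning origins limits the blast radius of any future bug in a third-party component on a Claude subdomain.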

Once inside, the attackers could issue commands with the same privileges as the user, allowing them to do “practically anything,” according to security researcher Oren Yomtov.

“They can steal your Gmail access token. Read your Google Drive. Export your LLM chat history. Send emails as you. All without a single click or permission prompt,” he said.

In some cases, the attackers could send emails, extract tokens or export chat histories – all without visible interaction, leaving the victims unaware.

The issue was disclosed via HackerOne in December 2025 and fully patched by February 2026, following coordinated fixes from Anthropic and Arkose Labs.

Anthropic has urged users to update to version 1.0.41 or later of the Claude Chrome Extension. Older versions may still be vulnerable.

KO1 emphasizes that as AI assistants gain deeper access to browser and user data, they are increasingly acting as autonomous agents – capable of performing actions without human oversight.

“An extension that can navigate your browser, read your credentials, and send emails on your behalf is an autonomous agent."

KO1 security researcher Oren Yomtov

“And the security of that agent is only as strong as the weakest origin in its trust boundary,” Yomtov added.

[…] on behalf of users across multiple services - this makes them powerful but also attractive targets for attackers.

