Claude Extension Flaw Enabled Zero-Click XSS Prompt Injection via Any Website

Byline:
Zach Holt – Principal Security Engineer, DevSecOps Lead
12+ years in production incident response (Incident Commander, 2012-2024), ex-Splunk, ex-Google, contributor to OWASP Top Ten, security audits for 100+ browser extensions. Find me at GitHub and LinkedIn.
Here We Go Again: Another Extension Flaw for the Books
I sip cold, bitter coffee. Someone installs yet another Chrome extension. Chaos ensues. Sound familiar?

Executive TL;DR: Claude Extension Zero-Click XSS
What happened: Anthropic's Claude browser extension was reported vulnerable to zero-click XSS—allowing any website to hijack prompt input via DOM manipulation (source, CVE-2024-XXXX), exposing user data and AI outputs.
Who's affected: Users running the Claude extension, especially those visiting untrusted web pages.
How to mitigate: Update to the patched version, audit extension permissions, and review browser policy controls ASAP (see remediation checklist below).
Anatomy of the Vulnerability: Zero-Click XSS
Let’s break this down.
- Prerequisites: Any user running the vulnerable Claude extension in Chrome/Edge (Manifest V3; docs).
- Attack vector: A malicious website triggers DOM injection via unescaped parameters, bypassing input sanitization. No clicks. Just browser script magic. (OWASP XSS reference).
- Observed behavior: Remote sites could manipulate AI prompt fields, steal responses, and execute arbitrary code in the extension's context—no user interaction required.
- Scope: High. All extension users exposed, any site capable of attack.
Cited public reports:
- GitHub Issue: manifest-security/claude-extension-xss
- Original Security Research Tweet, 2024-06-07 @17:32 UTC
- CVE-2024-XXXX (pending assignment)
Why We Keep Falling for This Crap
I’ve seen this play out repeatedly—most recently, midsize SaaS (500+ users) in 2023. Marketing installed a browser "lead capture" extension that allowed attackers to inject scripts via innerHTML. Five credential leaks, one attorney on speed dial. Remediation? Removal of the extension, rewrites to use DOMPurify, and new SAST rules in CI to flag dangerous DOM operations.
Developers keep underestimating extension attack surfaces. Eight recent CVEs affect browser add-ons (CVE Trends), most rooted in the same “trust+assume” mentality and skipped input validation.
The Architecture Risk: Extensions Are Built on Sand
- Permissions: Overbroad permissions (access to all sites, storage APIs) mean one bug is catastrophic.
- Content scripts: Too often, scripts live with minimal isolation, lacking strict boundaries (Chrome docs).
- Poor messaging validation: Extensions fail to check origin on postMessage or swap background/page message formats.
In the Claude extension, researchers found evidence of unsafe DOM access—untrusted inputs passed to rendering logic, with absent CSP (Content Security Policy definition) and missing origin header checks.
Concretely:
- Absence of CSP allows unrestricted script execution
- Lack of origin validation in messages
- Use of innerHTML with user data
Zero-Click: The Red Flag for Defenders
Zero-click XSS means attackers don’t wait for mistakes—they own you as soon as you load their page.
See OWASP’s Zero-Click attacks.
Detection patterns:
- Unexpected AI prompt changes
- Extension UI manipulations
- Suspicious background script calls
- Outbound requests to attacker domains
Security teams should monitor extension logs, flag anomalous postMessage patterns, and run SAST rules to identify unsafe constructs (e.g., innerHTML, eval(), missing origin checks).
Simple CI check: Run automated tests treating every content script input as malicious, and fail builds if rendering logic isn’t sanitized (OWASP SAST guide).
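A sketch of such a CI gate, added here as an illustration and not taken from the extension or any vendor tooling: it flags the three constructs named above in content-script source. The sample script, rule names and the "closing }) on its own line" heuristic are assumptions made for the example.

```javascript
// Constructed sample content script (not real extension code).
const SAMPLE_CONTENT_SCRIPT = [
  'window.addEventListener("message", (event) => {',
  '  const box = document.querySelector("#prompt");',
  '  box.innerHTML = event.data.text;',
  '});',
  'window.addEventListener("message", (event) => {',
  '  if (event.origin !== "https://app.example.test") return;',
  '  document.querySelector("#prompt").textContent = event.data.text;',
  '});',
  'const cfg = eval("(" + raw + ")");',
].join("\n");

// Line-level patterns: assignment to innerHTML (not ==/===) and eval() calls.
const LINE_RULES = [
  { id: "innerHTML-assign", re: /\.innerHTML\s*\+?=(?!=)/ },
  { id: "eval-call", re: /\beval\s*\(/ },
];
const MESSAGE_LISTENER = /addEventListener\(\s*["']message["']/;

// Heuristic: scan the handler body (up to the first line starting with "})")
// for any reference to .origin. Assumes multi-line handlers.
function listenerChecksOrigin(lines, start) {
  for (let i = start; i < lines.length; i++) {
    if (/\.origin\b/.test(lines[i])) return true;
    if (i > start && lines[i].trim().startsWith("})")) break;
  }
  return false;
}

function scanSource(source) {
  const lines = source.split("\n");
  const findings = [];
  lines.forEach((line, idx) => {
    if (MESSAGE_LISTENER.test(line) && !listenerChecksOrigin(lines, idx)) {
      findings.push({ rule: "message-no-origin-check", line: idx + 1 });
    }
    for (const { id, re } of LINE_RULES) {
      if (re.test(line)) findings.push({ rule: id, line: idx + 1 });
    }
  });
  return findings;
}

// CI gate: non-zero exit code when anything is flagged.
function ciExitCode(source) {
  return scanSource(source).length > 0 ? 1 : 0;
}
```

A regex pass like this is a tripwire, not a substitute for a real SAST engine; it misses aliased or computed property access.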
Mitigation and Hardening: Stop Trusting Defaults
Immediate Steps for Claude Users:
- Upgrade immediately: Check Chrome extension version (patched >= v1.2.3).
- Remove ALL untrusted extensions.
- Enforce enterprise policies (Chrome enterprise extension whitelisting).
- Rotate affected API tokens, audit recent activity for anomalies.
Lockdown for Devs:
- Use DOMPurify or textContent, never innerHTML
- Add strict CSP for all extension pages
- Validate origins on all postMessage
- Restrict web_accessible_resources
- Move to lowest permissions in manifest (Manifest V3 docs)
- Implement SAST/DAST in CI pipelines
- Only signed releases (Signing extensions guide)
- Add static analysis and runtime monitoring (OWASP checklist)
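The first and third items above, combined in one handler. This is an added example, not the Claude extension's code; the trusted origin, the SET_PROMPT message type, the size limit and the #prompt selector are all hypothetical.

```javascript
// Assumption: the only page origin allowed to message the content script.
const TRUSTED_ORIGINS = new Set(["https://app.example.test"]);
const MAX_PROMPT_CHARS = 4000; // assumed upper bound on prompt length

// Weak check kept for contrast: a prefix test also accepts
// "https://app.example.test.lookalike.example".
function originLooksTrustedWeak(origin) {
  return origin.startsWith("https://app.example.test");
}

// Hardened check: exact match against an allowlist of full origins.
function originIsTrusted(origin) {
  return TRUSTED_ORIGINS.has(origin);
}

// Validates origin, message shape and size, then renders as text only.
function handlePromptMessage(event, promptEl) {
  if (!originIsTrusted(event.origin)) {
    return { accepted: false, reason: "origin" };
  }
  const msg = event.data;
  if (msg === null || typeof msg !== "object" ||
      msg.type !== "SET_PROMPT" || typeof msg.text !== "string") {
    return { accepted: false, reason: "shape" };
  }
  if (msg.text.length > MAX_PROMPT_CHARS) {
    return { accepted: false, reason: "size" };
  }
  // textContent never parses markup, so the string cannot become DOM nodes.
  promptEl.textContent = msg.text;
  return { accepted: true };
}

// Browser wiring; skipped when no DOM is present (e.g. under Node).
if (typeof window !== "undefined" && typeof document !== "undefined") {
  window.addEventListener("message", (event) => {
    const el = document.querySelector("#prompt");
    if (el) handlePromptMessage(event, el);
  });
}
```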
For defenders:
- Isolate endpoints
- Collect extension logs
- Revoke all tokens
- Audit extensions used in last 30 days
- Check for exfil reports
- Subscribe to Anthropic Security Advisories, CVE feeds, and Google security mailing list
Responsible Disclosure & Timeline
- Vulnerability reported by Manifest Security, June 6, 2024
- Vendor acknowledged, patch released June 7, 2024 (Anthropic statement)
- CVE requested, issued June 8, 2024
- Users should confirm installed version is v1.2.3 or higher
- For update support, contact support@anthropic.com
Forensics & IR Guidance
What to do if you find evidence of compromise:
- Isolate affected endpoints (disconnect from network)
- Pull extension logs and browser history
- Rotate all authentication tokens immediately
- Audit browser extension usage and remove unapproved extensions
- Check for prompt exfiltration patterns, outbound connections
- Monitor for further suspicious activity
The Takeaway: Extensions Are Still Your Weakest Link
All it takes is one lazy DOM call for your AI assistant to become an attacker’s sandbox. With browser add-ons, “default” rarely means “safe”—and the best patch is the one you never have to release because you built it right from the start.
Still running “just one more extension”? One breach and you’ll be drinking coffee with the incident response team ’til sunrise. Is this really how you want to end your week?