Claude Extension Flaw Enabled Zero-Click XSS Prompt Injection via Any Website

Claude's Browser Extension Had a Zero-Click XSS Prompt Injection Problem

A security flaw discovered in the Claude browser extension allowed attackers to execute cross-site scripting (XSS) combined with prompt injection - without requiring any user interaction. Any website a user visited could trigger the attack, turning passive browsing into an active threat vector.

What Happened

The vulnerability resided in how the Claude extension processed and rendered content from web pages. The extension would read page content to assist users with AI-powered tasks, but failed to properly sanitize that content before passing it into the AI pipeline.

Here is what made this dangerous:

• Zero-click exploitation - visiting a malicious or compromised page was enough. No clicks, no form submissions, no downloads required.
• XSS as the entry point - unsanitized content injected into the extension's DOM allowed arbitrary script execution within the extension's privileged context.
• Prompt injection as the payload - attackers embedded crafted instructions inside page content that the AI model would interpret and act on as if they came from the user.
• Any website as a launchpad - the attack surface was every single webpage the user visited while the extension was active.

The combination of XSS and prompt injection in an AI-assisted context is a particularly nasty pairing. Traditional XSS steals sessions and redirects users. Prompt injection hijacks the AI layer to exfiltrate data, manipulate outputs, or perform unauthorized actions - all silently.

How Developers Can Avoid Building This

If you are building browser extensions that interact with AI models or process arbitrary web content, treat every external input as hostile:

• Sanitize all page-scraped content before rendering or passing it to any downstream processor - use libraries like DOMPurify for DOM-level sanitization.
• Separate user context from page content at the prompt construction layer. Never let raw webpage text sit in the same context window as trusted user instructions without clear delimiters and validation.
• Implement a strict Content Security Policy (CSP) in your extension's manifest to limit script execution contexts.
• Apply input validation at the extension boundary - treat content from content_scripts the same way you would treat data from an untrusted API.
• Audit prompt templates regularly for injection vectors - anywhere external data enters a prompt is an attack surface.

The lesson here is blunt: AI extensions that consume web content inherit the entire threat model of the web. Build accordingly.

Is your app vulnerable to similar attacks? Run an automated scan in 3 minutes with VibeShield.