ChainCatcher reports that, according to GoPlus citing Koi's findings, Anthropic's Claude Chrome extension contains a critical prompt injection vulnerability affecting all versions below 1.41. An attacker can craft a malicious web page that silently loads, in the background, an iframe containing an XSS vulnerability, so that the malicious payload executes within the a-cdn.claude.ai subdomain. Because the extension whitelists this subdomain as trusted, the attacker can inject malicious prompts that execute automatically, without any user authorization or interaction, leaving the victim unaware. The vulnerability lets an attacker manipulate the Claude extension to read the user's Google Drive documents, steal business access tokens, export chat histories, and even take over the current browser session to perform sensitive actions, such as sending emails, on the victim's behalf. GoPlus recommends that users immediately update the Claude extension to version 1.41 or higher and remain vigilant against phishing links.
Claude Chrome Extension versions below 1.41 are vulnerable to a prompt injection flaw.
A new vulnerability report reveals that Claude Chrome extension versions below 1.41 are susceptible to prompt injection attacks. Attackers can use a malicious iframe to execute a payload on the whitelisted a-cdn.claude.ai subdomain. The vulnerability could result in data theft, including unauthorized access to Google Drive, and in session hijacking. GoPlus recommends updating to version 1.41 or higher. The issue underscores the importance of remaining vigilant against DeFi exploit risks and other security threats. Users are advised to avoid suspicious links and to keep their extensions up to date.
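The only fix the report offers is the version threshold, so the practical defender task is finding installs still below 1.41. The following audit script is an added example (not code from ChainCatcher, GoPlus, Koi or Anthropic); it assumes Chrome's on-disk layout `<profile>/Extensions/<id>/<version>_<n>/manifest.json`, matches the extension by the `name` field in its manifest because the report gives no extension ID, and compares versions the way Chrome does (dot-separated integers, missing components treated as 0).

```python
"""Audit a Chrome profile for Claude extension installs below the fixed version.

Added example, not code from the report or from Anthropic. Assumes the
Chrome layout <profile>/Extensions/<id>/<version>_<n>/manifest.json.
"""
import json
import os
from typing import Iterator, Optional, Tuple

FIXED_VERSION = "1.41"  # first version the report calls safe


def parse_version(version: str) -> Tuple[int, ...]:
    """Chrome extension versions are 1-4 dot-separated integers, compared numerically."""
    parts = tuple(int(p) for p in version.strip().split("."))
    if not 1 <= len(parts) <= 4:
        raise ValueError(f"not a Chrome extension version: {version!r}")
    return parts + (0,) * (4 - len(parts))  # pad so 1.41 == 1.41.0.0


def is_vulnerable(version: str, fixed: str = FIXED_VERSION) -> bool:
    """True when version is below the fix: 1.4 and 1.40.9 are vulnerable, 1.41 is not."""
    return parse_version(version) < parse_version(fixed)


def assess_manifest(manifest: dict) -> Optional[Tuple[str, str, bool]]:
    """Return (name, version, vulnerable) for a Claude manifest, None otherwise.

    Localised names (__MSG_...__ placeholders) will not match and are skipped.
    """
    name = str(manifest.get("name", ""))
    version = manifest.get("version")
    if "claude" not in name.lower() or not version:
        return None
    return name, version, is_vulnerable(version)


def scan_profile(profile_dir: str) -> Iterator[Tuple[str, str, str, bool]]:
    """Yield (extension_id, name, version, vulnerable) for each Claude install found."""
    ext_root = os.path.join(profile_dir, "Extensions")
    if not os.path.isdir(ext_root):
        return
    for ext_id in sorted(os.listdir(ext_root)):
        ext_dir = os.path.join(ext_root, ext_id)
        if not os.path.isdir(ext_dir):
            continue
        for ver_dir in sorted(os.listdir(ext_dir)):
            path = os.path.join(ext_dir, ver_dir, "manifest.json")
            if not os.path.isfile(path):
                continue
            try:
                with open(path, encoding="utf-8") as fh:
                    result = assess_manifest(json.load(fh))
            except (OSError, ValueError):
                continue  # unreadable or malformed manifest: skip, not a Claude hit
            if result:
                yield (ext_id, *result)
```

Run it as `scan_profile(os.path.expanduser("~/.config/google-chrome/Default"))` on Linux (adjust the profile path for macOS or Windows) and treat any row with `vulnerable == True` as an install still needing the 1.41 update.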