A critical prompt injection vulnerability has been identified in Anthropic's Claude Chrome extension, affecting all versions below 1.41. According to ChainCatcher, citing findings from Koi and GoPlus, the flaw allows attackers to craft malicious web pages that silently load an iframe exploiting an XSS vulnerability. This lets malicious payloads execute within the trusted a-cdn.claude.ai subdomain, so attackers can inject and execute prompts without any user interaction.
The vulnerability poses significant risks: attackers could read Google Drive documents, steal business access tokens, export chat histories, and take over browser sessions to perform actions such as sending emails on behalf of victims. Users are urged to update to version 1.41 or higher immediately and to exercise caution with phishing links.
Critical Vulnerability Found in Claude Chrome Extension Versions Below 1.41
Disclaimer: The content provided on Phemex News is for informational purposes only. We do not guarantee the quality, accuracy, or completeness of the information sourced from third-party articles. The content on this page does not constitute financial or investment advice. We strongly encourage you to conduct your own research and consult with a qualified financial advisor before making any investment decisions.
