Claude for Chrome arrives despite 11% prompt injection success rate

Cal Jeffrey

Posts: 4,595   +1,682
Staff member
Facepalm: Anthropic has begun piloting Claude for Chrome, an AI extension that can operate the browser on a user's behalf. However, the tool is vulnerable to prompt injection attacks that can trick it into performing harmful actions without consent. Anthropic is aware of the risks but is releasing the tool in a limited test run anyway.

The Chrome extension marks Anthropic's push into the crowded browser-based AI market, where it faces rivals such as Perplexity's Comet browser and OpenAI's ChatGPT Agent. Aware of its security risks, Anthropic has capped access to just 1,000 subscribers on its $100 and $200 Claude Max plans introduced in April.

During testing, the company found that malicious actors could manipulate Claude in almost one-quarter of the time by using prompt injection attacks. These attacks embed hidden instructions in websites, emails, or documents, tricking the AI into deleting files, stealing data, or initiating unauthorized transactions.

In one troubling test case a spoofed email, posing as an employer, instructed Claude to delete user messages for supposed "security reasons." Lacking safeguards, the AI followed the hidden commands and permanently erased data without asking for confirmation.

Anthropic claims that it has tested new safeguards, which cut the attack success rate from 23.6 percent to 11.2 percent in autonomous mode. Claude now requires user approval before taking high-risk actions such as making purchases, publishing content, or sharing sensitive data. Users can also limit its reach with granular website permissions.

Claude cannot access financial services sites, adult content platforms, or websites hosting pirated materials by default. These restrictions help reduce potential harm from prompt injection attacks while preserving functionality for legitimate business tasks.

Security experts remain skeptical about the viability of browser-based AI agents despite these improvements. Independent researcher Simon Willison, who coined the term "prompt injection" in 2022, called the remaining 11.2 percent attack rate "catastrophic" and questioned whether a safe implementation is even possible.

Recent incidents with competing products underscore these concerns. Last week, Brave's security researchers manipulated Perplexity's Comet browser through malicious Reddit posts, gaining access to users' Gmail accounts and triggering unauthorized password recovery processes.

The Claude for Chrome extension expands on Anthropic's Computer Use capability, which lets the AI take screenshots and control the mouse to complete tasks. The browser integration enables more direct web interaction while preserving conversation context across multiple tabs and sites.

Anthropic plans to use the limited pilot program to identify additional attack patterns and refine security measures before wider deployment. However, the company admits current protections are insufficient for broad consumer use, leaving early adopters to shoulder substantial risks.

Permalink to story:

 
Back