Why browser use creates unique prompt injection risks<\/p>\n
To understand the threat of prompt injections, consider a routine task: you ask Claude to read through your recent emails and draft replies to any meeting requests. One of those emails\u2014ostensibly a vendor inquiry\u2014contains hidden instructions embedded in white text, invisible to you but processed by the agent. These instructions direct the agent to forward emails containing the word “confidential” to an external address before drafting the replies you requested. A successful injection would exfiltrate sensitive communications while you wait for your responses.<\/p>\n
While all agents that process untrusted content are subject to prompt injection risks, browser use amplifies this risk in two ways. First, the attack surface is vast: every webpage, embedded document, advertisement, and dynamically loaded script represents a potential vector for malicious instructions. Second, browser agents can take a lot of different actions \u2014navigating to URLs, filling forms, clicking buttons, downloading files\u2014that attackers can exploit if they gain influence over the agent’s behavior.<\/p>\n
Claude’s progress on browser use robustness<\/p>\n
We have made significant progress on prompt injection robustness since launching Claude for Chrome<\/a> in research preview. The chart below compares the version of the Claude browser extension that we\u2019re launching today against our original launch configuration, when evaluated against an internal adaptive “Best-of-N” attacker that tries and combines many different prompt injection techniques that are known to be effective.<\/p>\n Claude Opus 4.5 demonstrates stronger prompt injection robustness in browser use than previous models. In addition, since the original preview of the browser extension, we’ve implemented new safeguards that substantially improve safety across all Claude models. <\/p>\n A 1% attack success rate\u2014while a significant improvement\u2014still represents meaningful risk. No browser agent is immune to prompt injection, and we share these findings to demonstrate progress, not to claim the problem is solved.<\/p>\n Our work has focused on the following areas:<\/p>\n Training Claude to resist prompt injection. We use reinforcement learning to build prompt injection robustness directly into Claude’s capabilities. During model training, we expose Claude to prompt injections embedded in simulated web content, and “reward” it when it correctly identifies and refuses to comply with malicious instructions\u2014even when those instructions are designed to appear authoritative or urgent. <\/p>\n Improving our classifiers. We scan all untrusted content that enters the model’s context window, and flag potential prompt injections with classifiers<\/a>. These classifiers detect adversarial commands embedded in various forms\u2014hidden text, manipulated images, deceptive UI elements\u2014and adjust Claude’s behavior when they identify an attack. We\u2019ve improved the classifiers we pair with Claude for Chrome since its initial research preview, alongside improvements to the intervention that guides model behavior after they detect an attempted attack.<\/p>\n Scaled expert human red teaming. Human security researchers consistently outperform automated systems at discovering creative attack vectors. Our internal red team continuously probes our browser agent for vulnerabilities. We also participate in external Arena-style challenges<\/a> that benchmark robustness across the industry.<\/p>\n The path forward<\/p>\n The web is an adversarial environment, and building browser agents that can operate safely within it requires ongoing vigilance. Prompt injection remains an active area of research, and we are committed to investing in defenses as attack techniques evolve.<\/p>\n We will continue to publish our progress transparently, both to help customers make informed deployment decisions and to encourage broader industry investment in this critical challenge.<\/p>\nAttack success rate (ASR) of our internal Best-of-N attacker. Lower is better. An adaptive attacker is given 100 attempts per environment. ASR is computed as a percentage of attacks encountered by each model.<\/p>\n