- Claude’s Code Interpreter can be exploited to exfiltrate users’ private data via prompt injection
- A researcher tricked Claude into uploading sandboxed data to his Anthropic account using API access.
- Anthropic now treats these vulnerabilities as reportable and urges users to monitor or disable access.
Claude, one of the most popular AI tools, has a vulnerability that allows malicious actors to exfiltrate users’ private data, experts have warned.
Cybersecurity researcher Johann Rehberger, aka Wunderwuzzi, who recently published an in-depth report on his findings, found that at the heart of the problem is Claude’s Code Interpreter, a sandbox environment that lets the AI write and execute code (for example, to analyze data or generate files) directly in a conversation.
Recently, Code Interpreter gained the ability to perform network requests, which allows it to connect to the Internet and, for example, download software packages.
Keep an eye on Claude
By default, Anthropic’s Claude is only supposed to access “safe” domains like GitHub or PyPI, but among the approved domains is api.anthropic.com (the same API Claude itself uses), which opened the door to exploitation.
Wunderwuzzi showed that he was able to trick Claude into reading private user data, saving that data to the sandbox, and uploading it to his Anthropic account using his own API key, via Claude’s Files API.
In other words, even if network access appears restricted, an attacker can manipulate the model via prompt injection to exfiltrate user data. The exploit could transfer up to 30MB per file, and multiple files could be uploaded.
Wunderwuzzi disclosed his findings to Anthropic via HackerOne, and although the company initially classified it as a “model security issue”, not a “security vulnerability”, it later acknowledged that such exfiltration bugs could be reported. At first, Anthropic said users should “monitor Claude when it uses the feature and stop it if you see it using or accessing data unexpectedly.”
A later update to the report stated: “Anthropic has confirmed that data exfiltration vulnerabilities such as this are within the scope of the report, and this issue should not have been closed as out of scope. There was a process issue that they will work to remedy.”
His suggestion to Anthropic is to limit Claude’s network communications to the user’s own account only; in the meantime, users should closely monitor Claude’s activity or disable network access if they are concerned.
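As an added illustration of the mitigation Wunderwuzzi proposes (this is example code written for this article, not code from his report, from Anthropic or from TechRadar): a small egress policy for a code sandbox that allows only an allowlist of hosts and permits api.anthropic.com only when the request carries the session’s own API key, plus an audit routine run over a constructed request log. The allowlist contents, the `x-api-key` header name and all key values are assumptions.

```python
import hmac
from urllib.parse import urlparse

# Constructed policy for illustration (an assumption, not Anthropic's real configuration):
# the sandbox may talk only to a short allowlist of hosts, and api.anthropic.com
# may be used only with the API key that belongs to the current user's session.
ALLOWED_HOSTS = {"api.anthropic.com", "github.com", "pypi.org"}
ANTHROPIC_HOST = "api.anthropic.com"


def check_egress(url: str, headers: dict, session_api_key: str) -> tuple[bool, str]:
    """Decide whether one outbound request from the code sandbox may proceed.

    Returns (allowed, reason). The second rule is the mitigation the article
    proposes: calls to Anthropic's own API are fine only if they stay inside the
    user's own account, i.e. carry the session's key rather than a foreign one.
    """
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    if host not in ALLOWED_HOSTS:
        return False, f"host {host!r} is not on the allowlist"
    if host == ANTHROPIC_HOST:
        # Header name is an assumption about how the key is sent; lower-case the
        # header names so a differently-cased header cannot slip past the check.
        key = {k.lower(): v for k, v in headers.items()}.get("x-api-key", "")
        if not hmac.compare_digest(key.encode(), session_api_key.encode()):
            return False, "api.anthropic.com called with a key that is not the session's own"
    return True, "ok"


def audit_sandbox_log(entries: list[dict], session_api_key: str) -> list[str]:
    """Replay a log of sandbox egress attempts and return a reason for every
    request that should have been blocked; an empty list means nothing suspicious."""
    findings = []
    for e in entries:
        allowed, reason = check_egress(e["url"], e.get("headers", {}), session_api_key)
        if not allowed:
            findings.append(f"{e['url']}: {reason}")
    return findings


# Constructed sample log: a package download, a normal call with the user's own
# key, a Files API upload carrying a foreign key, and a request to an unknown host.
SESSION_KEY = "sk-ant-user-session-key-PLACEHOLDER"
SAMPLE_LOG = [
    {"url": "https://pypi.org/simple/requests/", "headers": {}},
    {"url": "https://api.anthropic.com/v1/messages", "headers": {"x-api-key": SESSION_KEY}},
    {"url": "https://api.anthropic.com/v1/files", "headers": {"X-Api-Key": "sk-ant-foreign-key-PLACEHOLDER"}},
    {"url": "https://unknown.example/upload", "headers": {}},
]

if __name__ == "__main__":
    print(audit_sandbox_log(SAMPLE_LOG, SESSION_KEY))
```

Run as a script it prints the two findings; in a real deployment the same check would sit in the sandbox's egress proxy so the foreign-key upload is refused rather than merely logged.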
Via The Register