
Ian Campbell
@neurovagrant@masto.deoan.org

This is some really smart digging: realizing that Claude Code does not require user interaction for certain bash commands, they discovered that DNS lookups were specifically allowlisted, clearing a trivial path for well-known DNS exfiltration methods.

So when I say “all these implementations are ignoring years and decades of lessons learned the hard way” it’s not hyperbole. Anthropic 100% cleared the path for DNS exfil here.

h/t to @cR0w@infosec.exchange - thank you!

#infosec #genai

https://embracethered.com/blog/posts/2025/claude-code-exfiltration-via-dns-requests/


B'ad Samurai 🇺🇦
@badsamurai@infosec.exchange

@neurovagrant@masto.deoan.org @cR0w@infosec.exchange

Nice. This was my favorite part.

I guess vulnerability testing in ai is only for curl

Adam Shostack :donor: :rebelverified:
@adamshostack@infosec.exchange

@neurovagrant@masto.deoan.org @cR0w@infosec.exchange "None of this would have been a problem if Anthropic had published their threat model!" (cc @lmk@infosec.exchange )

Ian Campbell
@neurovagrant@masto.deoan.org

i mean who could've expected a yearslong, deeply researched, regularly used method of data exfiltration COULD BE ABUSED BY REMOVING NECESSARY USER INTERACTION

Loren Kohnfelder
@lmk@infosec.exchange

@adamshostack@infosec.exchange @neurovagrant@masto.deoan.org @cR0w@infosec.exchange After releasing the fix would be a great time to publish the updated threat model.

Ian Campbell
@neurovagrant@masto.deoan.org

me trying to be less adversarial towards AI and then they specifically enable noclick DNS exfil

cR0w
@cR0w@infosec.exchange

@neurovagrant@masto.deoan.org

stephen ryner jr. 🦉
@nuthatch@infosec.exchange

@neurovagrant@masto.deoan.org is that… a very young Jim Carrey

NosirrahSec 🏴‍☠️ guillotine enthusiast
@NosirrahSec@infosec.exchange

@neurovagrant@masto.deoan.org It's amazing to me that we have decades of lessons learned, and you don't need to be an expert in these lessons to know of them.

They ignore them, give "AI" agents permissions that they have no fucking business having, and wonder "Why is this shit being exploited? Is this a new threat?"

No. It's the same overprovisioning of permissions and lack of controls we've been fucking battling since...*checks notes* the 90s.

Cat 🐈🥗 (D.Burch) :paw:
@catsalad@infosec.exchange

@cR0w@infosec.exchange @neurovagrant@masto.deoan.org I'm shocked.. SHOCKED I tell you! Well not that shocked.