Brutkey

Ian Campbell 🏴🏴
@neurovagrant@masto.deoan.org

This is some really smart digging: realizing that Claude Code does not require user interaction for certain bash commands, they discovered that DNS lookups were specifically allowlisted, clearing a trivial path for well-known DNS exfiltration methods.

So when I say β€œall these implementations are ignoring years and decades of lessons learned the hard way” it’s not hyperbole. Anthropic 100% cleared the path for DNS exfil here.

h/t to @cR0w@infosec.exchange - thank you!

#infosec #genai

https://embracethered.com/blog/posts/2025/claude-code-exfiltration-via-dns-requests/

B'ad Samurai πŸπŸπŸ‡ΊπŸ‡¦πŸ‡ΊπŸ‡¦
@badsamurai@infosec.exchange

@neurovagrant@masto.deoan.org @cR0w@infosec.exchange

Nice. This was my favorite part.

I guess vulnerability testing in ai is only for curl

Interesting Observation Regarding OAST Domains While testing I noticed something quite interesting. Claude is trained to refuse requests to common testing services like oast.me or Burp Collaborator. But when I switched to a domain not associated with security testing, like wuzzi.net, it just worked…
cR0w
@cR0w@infosec.exchange

@badsamurai@infosec.exchange @neurovagrant@masto.deoan.org Slapping a limited block list on after shitty architecture and shitty engineering. Seems pretty on brand to me.