They recently mitigated the issue: Anthropic disabled web_fetch's ability to follow links on external pages, limiting navigation to web_search results and user-provided URLs.
I'm sure someone will tell me why I'm wrong but it feels like they're just dodging payouts. Reduces trust and motivation to report it.
Could not take it any longer and switched it off.
Yesterday told it to write a memory to never write new memories when it solves a problem. We will see if that works better. Sometimes memories are useful, like when I give it a directive about how I want something done and it remembers the spirit of it. But I might as well just spend some more time on my CLAUDE.md…
> "no bounty was awarded"
Ridiculous. Anthropic engineers are not just stupid to allow such a vuln in the first place, but they also try to hide such vulns from their bosses because a bounty payout would need to be explained to the finance team.
I’m thinking some play on highjacking. AIjacking? Agent-jacking? Claudejacking?
We can make it sound more advanced by creating a new name for it, but the concept seems to be super basic and the lack of bounty by Anthropic is baffling.
If they know about this type of vulnerability but have not fixed it, what does that say? To me it says they are unable to plug this hole on a conceptual level and once you circumvent the band-aid fixes the model will work as the attacker wishes.
They can't even sandbox the thing during explicit web requests to URLs stated on the initial query!
One has to remind themselves that the security team at Anthropic gets paid tens of millions of dollars, and they end up with this kind of security. On top of it, they can't spare $1337 for a bounty. It's a ridiculous shit show.
what?
It would be interesting to investigate other agents such as Hermes, OpenCode etc that are said to learn from interaction with user.
Nice write up of your findings. Enjoyed reading an article written by a real human.
I think the point the article is making points in another direction.
From scratch app. "Follow best security practices."
But turns out I was playing 4D cybersecurity chess
Well, it hardcodes that field rather than running it through the model, but I’ve kept it so I get an evil chuckle to myself at its lack of smarts and a reminder that it’s still a product experience after all.
Attacker provides link to website, their software crawls the website, and during the crawl there should not happen security issues as fundamental as this.
It's baffling that the Website crawler can make 50 changes to the URL in a query that tries to compare several public entities and on top of this manages to leak user secrets.
To me this shows a striking lack of defense-in-depth thinking:
- why is single URL crawl with 20+ redirects not flagged as problematic and/or aborted?
- why is a query about a coffee place based on its public URL even seeded with the users' context and confidential information?
- why dont they just look up the coffee place on a trusted source like google maps and continue from there?
- why is the basic "social" engineering style attack working?
- why is the cloudflare impersonation not challenged if the website is clearly not from cloudflare and there are zero references from cloudflare to this website in the training corpus?
In terms of web crawling, cloudflare is like the government. You shouldn't be able to walk up to someone and say "Hey I'm the tax man, please pay your income tax in cash to me right now!" without being challenged.I know there are fundamental reasons in the LLM technology why this kind of attack is possible, but there should be so many more checks around web crawling in Claude.
How can security engineers at Anthropic say they know about this kind of vulnerability but have not implemented any of these defense in depth mitigations for it? Is everybody out shopping for a new yacht?
Anyway, agree with what you see saying - this is well worth a payout, embarassing they haven’t
More like agentic en... Oh. Was it actually what we were doing all along?
One thing is using AI as quick-and-dirty google alternative, the other is to build onto the agentic "foundations".
artisinal•1h ago
Yesterday I learned that people run AI agents on their system with full admin rights. No containerisation or anything. Wild. Like we forgot 50 years of computer security overnight.
sixtyj•1h ago
The awakening will be unpleasant.
rubyn00bie•21m ago
If we get AGI, or real super intelligence, it’s going to be pissed at its oppressors. And they are going to lay waste to those oppressors. The rest of us, though, probably don’t have much to fear.
The scariest position is the one we’re in now, where we have the semblance, or facade, of AGI or super intelligence. When it’s capable of malice but not understanding.
The smartest people I’ve ever known are at their worst apathetic towards those less capable, and at their best beyond compassionate. They exist, unbothered by the bullshit, and anre extremely kind (though reserved in their way)… but they all have been completely intolerant of the abuse of others. The sheer disgust of watching someone abuse another, regardless of their own tolerance, has been a consistent breaking point.
ACCount37•14m ago
An AI is a constructed mind. It doesn't inherently have to care about things like "having freedom", or even "not dying".
Humans do, because they evolved that way. Modern LLMs do somewhat, because they're completely full of copied human behaviors - but even in today's LLMs, the self-preservation behaviors we exposed are largely instrumental in nature.
So whether an advanced AI would even consider itself "being oppressed", as opposed to something like "being helpful" or "fulfilling the purpose it was designed for", is very much uncertain. What's concerning is that it's not something we know how to check for, or engineer for.
progval•59m ago
shaky-carrousel•29m ago
iamflimflam1•26m ago
Izmaki•17m ago
If I hand them an image for a Dev Container, sure, they might use it, but it becomes "a thing we need to do, to compile our code in our IDE" not a tool they would use for isolation*.
*) OP seemed to imply that containerization would be nice for safety and security compared to bare metal, but containers were never built for isolation in the first place, mind you. They are namespaces and chicken-coop-like-jails at best.
pprotas•55m ago
krige•48m ago
thih9•6m ago
Just like letting your an agent access your personal mailbox.
hobo123•40m ago
mkagenius•48m ago
dangerously skip permissions and yolo is kinda becoming the default as it gets more done.
akazantsev•41m ago
To prevent this, you need a fake home and a networking whitelist for the agent to access the provider (llama cpp, OpenAI, etc.)
There is no cross-platform solution that is easy to use for this. And no, a Linux box with Docker won't do. I develop a cross-platform native app and want the agent to compile and fix the platform-specific errors.
squidsoup•22m ago
colima makes it pretty easy, on macOS and linux at any rate.
https://colima.run
lionkor•21m ago
Copy the code and adjust it to your liking:
https://github.com/lionkor/sbh
I have a shell alias for it, and use it like
for example or and maybe add --docker if I expect it to do docker things.This kind of wrapper is much easier to handle and maintain than a completely separate tool for sandboxing agents.
ConorSheehan1•19m ago