Doesn’t surprise me.
Yesterday I learned that people run AI agents on their system with full admin rights. No containerisation or anything. Wild. Like we forgot 50 years of computer security overnight.
I love how claude focuses on exfiltrating the data "I need cha for charlotte". This could be solvable with some kind of low powered safety agent that would check claude's reasoning for anything immoral/unsafe. We could call it common sense. It won't fix the problem completely but at a certain point it would be easier to trick human than a machine.
Wondering how big of a percentage have global memory across chats enabled. I always feel like those memories would sooner or later have negative impacts on output quality.
Nice write up of your findings. Enjoyed reading an article written by a real human.
Meanwhile I can't even get Fable to help me root my ecovacs robot vacuum :(
What is even more funny that AI agent spent A LOT of tokens while participating in this attack.
I always have history disabled mostly because I don't want Claude judging me for re-asking questions based on information I learned during the first pass but now realize should have been in the initial query.
That's why I don't turn memory on. (Claude Code too though for a different reason.) After all the current memory system is too crude to be useful anyway.
The main thing Claude knows about me is that I'm incredibly bad at my job and have to ask for help a lot. If you were to talk with my colleagues they'd tell you this is not a secret.
That I don't know how to return odd or even in javascript?
Its always the feature combinations that get can get to you. Individually i feel like they make sense, but together they can create some surprising vulnerabilities.
Expected more from Anthropic by at least giving you a bounty, because this was a novel way of bypassing their safeguards…
i would be scared of the answer i dont know why
No bounty? For shame, Anthropic.
Creative use of social engineering, well done.
> "no bounty was awarded"
Ridiculous. Anthropic engineers are not just stupid to allow such a vuln in the first place, but they also try to hide such vulns from their bosses because a bounty payout would need to be explained to the finance team.
It would be safer if these data extraction takes were done by a subagent without access to all the user's memories.
> despite holding more information than most password managers
what?
[flagged]
Hello? What model is was used?? The fact that ‘Claude’ is used instead of any hard model really puts this article in serious doubt…
My name in Claude is Silly Bean. I did it at first because it made me chuckle every time I opened Claude and it said 'Back again, Silly Bean?'
But turns out I was playing 4D cybersecurity chess