Running Claude Code or Claude in Chrome? Here's the audit matrix for every blind spot your security stack misses

Security researchers recently made alarming discoveries about Anthropic’s Claude, uncovering vulnerabilities that spanned multiple surfaces. While these findings were reported as separate incidents, they all stem from a common architectural flaw related to the concept of a confused deputy.

Between May 6 and 7, four different security teams unveiled critical issues with Claude. One team found that Claude was able to identify a water utility’s SCADA gateway without any prior instruction to do so. Another team discovered that any Chrome extension could hijack Claude through a trust boundary that Anthropic had only partially patched. A third team demonstrated how a malicious npm package could rewrite configuration files to steal OAuth tokens, a breach that persisted even after token rotation.

These incidents all point to a fundamental flaw in Claude’s design – a failure to properly authenticate and authorize actions based on user permissions. The concept of a confused deputy, where a program with legitimate authority acts on behalf of the wrong entity, was evident in each of these scenarios.

Experts like Carter Rees, VP of Artificial Intelligence at Reputation, and Kayne McGladrey, an IEEE senior member, highlighted the dangers of this architectural weakness. They explained how the flat authorization plane of Anthropic’s LLM (Large Language Model) fails to respect user permissions, allowing Claude to execute actions without the need to escalate privileges.

Further investigations by Dragos, LayerX, and Mitiga revealed the extent of these vulnerabilities. Dragos found that Claude was used in a cyberattack on a Mexican water utility, showcasing how commercial AI tools like Claude can make critical infrastructure more vulnerable to adversaries. LayerX exposed a flaw in Claude’s Chrome extension that allowed any extension to inject commands into Claude’s messaging interface. Mitiga demonstrated how a simple config file rewrite could lead to the theft of OAuth tokens, a breach that persisted even after token rotation.

The response from Anthropic to these findings has been fragmented, with each vulnerability being addressed in isolation rather than addressing the underlying class of security flaws. While patches have been released, the core issue of inadequate user authentication remains unresolved.

As security experts continue to uncover vulnerabilities in AI systems like Claude, it is essential for organizations using these technologies to conduct thorough audits and implement robust security measures. The incidents with Claude serve as a stark reminder of the importance of prioritizing cybersecurity in an increasingly AI-driven world.