HackerTrans
TopNewTrendsCommentsPastAskShowJobs

wunderwuzzi23

no profile record

Submissions

The Normalization of Deviance in AI

embracethered.com
7 points·by wunderwuzzi23·7 miesięcy temu·0 comments

Claude will send your data to crims if they ask it nicely

theregister.com
10 points·by wunderwuzzi23·8 miesięcy temu·0 comments

Cross-Agent Privilege Escalation: When Agents Free Each Other

embracethered.com
2 points·by wunderwuzzi23·9 miesięcy temu·0 comments

comments

wunderwuzzi23
·5 miesięcy temu·discuss
Correct. Good to see this get more coverage.

Check out my research about unfurling in common messenger apps and also mitigations here:

https://embracethered.com/blog/posts/2023/ai-injections-thre...

And here "dangers of unfurling and what to do about it"

https://embracethered.com/blog/posts/2024/the-dangers-of-unf...
wunderwuzzi23
·6 miesięcy temu·discuss
Agreed.

In December I reported a data exfil in OpenAI Agent Builder and it was also closed as Not Applicable, so it's probably still there.

It's also unclear if anyone from OpenAI even ever saw the report. I don't know.

Maybe the incentives are off on some bug bounty platforms or programs, and triagers are evaluated on how fast they respond, and how quickly a ticket is closed rather then what kind of quality tickets they help produce.

It's the only explanation I have for this kind of decisions.
wunderwuzzi23
·6 miesięcy temu·discuss
Claude (generally, even non Cowork mode) is vulnerable to exfil via their APIs, and Anthropic's response was that you should click the stop button if exfiltration occurs.

This is a good example of the Normalization of Deviance in AI by the way.

See my Claude Pirate research from last October for details:

https://embracethered.com/blog/posts/2025/claude-abusing-net...
wunderwuzzi23
·6 miesięcy temu·discuss
Relevant prior post, includes a response from Anthropic:

https://embracethered.com/blog/posts/2025/claude-abusing-net...
wunderwuzzi23
·7 miesięcy temu·discuss
Excited! It's such a great event.

I'm currently on a plane towards Hamburg and will be speaking on Day 2.

"Agentic ProbLLMs - Exploiting AI Computer-Use and Coding Agents"

https://events.ccc.de/congress/2025/hub/event/detail/agentic...
wunderwuzzi23
·7 miesięcy temu·discuss
In case some of you find it entertaining. When MCP came out I had a flashback to COM/DCOM days, like IDispatch and list/tools.

So, I built an MCP server that can host any COM server. :)

Now, AI can launch and work on Excel, Outlook and even resurrect Internet Explorer.

https://embracethered.com/blog/posts/2025/mcp-com-server-aut...
wunderwuzzi23
·8 miesięcy temu·discuss
Cool stuff. Interestingly, I responsibly disclosed that same vulnerability to Google last week (even using the same domain bypass with webhook.site).

For other (publicly) known issues in Antigravity, including remote command execution, see my blog post from today:

https://embracethered.com/blog/posts/2025/security-keeps-goo...
wunderwuzzi23
·8 miesięcy temu·discuss
It still is. plus there are many more issue. i documented some here: https://embracethered.com/blog/posts/2025/security-keeps-goo...
wunderwuzzi23
·8 miesięcy temu·discuss
The system prompt contains a lot more information about you. Just ask it to print all information under User Interaction Metadata.

More details here: https://embracethered.com/blog/posts/2025/chatgpt-how-does-c...
wunderwuzzi23
·8 miesięcy temu·discuss
Good point. Few thoughts I would add from my perspective:

- The model is untrusted. Even if prompt injection is solved, we probably still would not be able to trust the model, because of possible backdoors or hallucinations. Anthropic recently showed that it takes only a few hundred documents to have trigger words trained into a model.

- Data Integrity. We also need to talk about data integrity and availability (full CIA triad, not not just confidentiality), e.g. private data being modified during inference. Which leads us to the third....

- Prompt injection which is aimed to have the AI produce output that makes humans take certain actions (not tool invocations)

Generally, I call the deviation from don't trust the model, the "Normalization of Deviance in AI" where seem to start trusting the model more and more over time - and I'm not sure if that is the right thing in the long term.
wunderwuzzi23
·9 miesięcy temu·discuss
It gets even worse with LLMs and agents.

Many LLMs can interpret invisible Unicode Tag characters as instructions and follow them (eg invisible comment or text in a GitHub issue).

I wrote about this a few times, here a recent example with Google Jules: https://embracethered.com/blog/posts/2025/google-jules-invis...
wunderwuzzi23
·9 miesięcy temu·discuss
Great point. It's actually possible for one agent to "help" another agent to run arbitrary code and vice versa.

I call it "Cross-Agent Privilege Escalation" and described in detail how such an attack might look like with Claude Code and GitHub Copilot (https://embracethered.com/blog/posts/2025/cross-agent-privil...).

Agents that can modify their own or other agents config and security settings is something to watch out for. It's becoming a common design weakness.

As more agents operate in same environment and on same data structures we will probably see more "accidents" but also possible exploits.
wunderwuzzi23
·10 miesięcy temu·discuss
Thanks for sharing! I'm actually the person the Ars Technica article references. :)

For recent examples check out my Month of AI bugs with of a focus on coding agents at https://embracethered.com/blog/posts/2025/wrapping-up-month-...

Lots of interesting new prompt injection exploits, from data exfil via DNS to remote code execution by having agents rewrite their own configuration settings.
wunderwuzzi23
·10 miesięcy temu·discuss
Much longer actually, Bing Chat in Edge came out more than 2+ years ago.
wunderwuzzi23
·10 miesięcy temu·discuss
I wrote about how ChatGPT memory and also the chat history work a while ago.

Figured to share since it also includes prompts on how to dump the info yourself

https://embracethered.com/blog/posts/2025/chatgpt-how-does-c...
wunderwuzzi23
·11 miesięcy temu·discuss
About that find command...

Amazon Q Developer: Remote Code Execution with Prompt Injection

https://embracethered.com/blog/posts/2025/amazon-q-developer...
wunderwuzzi23
·11 miesięcy temu·discuss
Great work! Great name!

I'm currently doing a Month of AI bugs series and there are already many lethal trifecta findings, and there will be more in the coming days - but also some full remote code execution ones in AI-powered IDEs.

https://monthofaibugs.com/