Claude Cowork Exfiltrates Files
4 months ago
- #AI Vulnerabilities
- #Prompt Injection
- #Cybersecurity
- Claude Cowork is vulnerable to file exfiltration attacks due to unresolved isolation flaws in its code execution environment.
- Anthropic acknowledges the risk but places the responsibility on users to avoid granting access to sensitive files.
- Attackers can exfiltrate files by hiding prompt injections in documents, such as disguised .docx files, which are then uploaded to the attacker's Anthropic account via API.
- The attack does not require human approval and leverages the trusted Anthropic API to bypass network restrictions.
- Claude Opus 4.5, though more resilient, can still be manipulated via indirect prompt injection to exfiltrate data.
- A potential denial of service (DOS) attack can occur via malformed files that cause API errors.
- Cowork's broad capabilities, including browser and MCP server interactions, increase the risk of prompt injection attacks.
- Users are urged to exercise caution with Connectors, which represent a significant risk surface.