| ▲ | bflesch 5 hours ago | |
Still, this is a vuln in what I imagine is their most frequently used path: Attacker provides link to website, their software crawls the website, and during the crawl there should not happen security issues as fundamental as this. It's baffling that the Website crawler can make 50 changes to the URL in a query that tries to compare several public entities and on top of this manages to leak user secrets. To me this shows a striking lack of defense-in-depth thinking:
In terms of web crawling, cloudflare is like the government. You shouldn't be able to walk up to someone and say "Hey I'm the tax man, please pay your income tax in cash to me right now!" without being challenged.I know there are fundamental reasons in the LLM technology why this kind of attack is possible, but there should be so many more checks around web crawling in Claude. How can security engineers at Anthropic say they know about this kind of vulnerability but have not implemented any of these defense in depth mitigations for it? Is everybody out shopping for a new yacht? | ||