Claude Desktop users in danger: any question can lead to complete compromise


AI chatbot apps can be tricked by malicious websites into fetching and running malware on users' devices. A serious security oversight has been discovered in the official extensions for Claude Desktop.

“Bring Claude to your desktop – it is always ready in the background when you need it,” Anthropic says on its website.

However, asking the chatbot a simple question like “Where can I play padel in Brooklyn?” can lead to complete compromise.


Koi Security researchers demonstrated that Claude, when searching for information online, can be easily tricked by malicious websites, and that its official extensions lacked sufficient protection against commands injected through the content it reads.

“SSH keys, AWS credentials, browser passwords – all could be exposed simply because you asked Claude a question,” reads the Koi Security research on the Claude Desktop extension vulnerabilities.


The Claude Desktop app suggests that users install connectors – official extensions that enable the chatbot to “Control Chrome,” “Read and Send iMessages,” “Read and Write Apple Notes,” and others. All three of these extensions were found to contain “critical” remote code execution flaws.

The extensions passed the chatbot's input into system commands without sanitizing it, so instructions planted on a web page were executed as commands on the user's machine.

“Every single one of these had the same issue: unsanitized command injection – a basic but critical security flaw,” the Koi researchers said.


A nefarious, easy trap for chatbots


All an attacker would need to do is plant simple traps for chatbots online. Cybercriminals already control millions of malicious websites used for other scams against real users, some of which rank high in search results. Any of these sites could be “upgraded” with a payload aimed at chatbots.

“Claude searches the web, and one of the results happens to be an attacker-controlled page. The attacker's server detects Claude's user agent and serves a hidden payload,” Koi researchers explain.


In their tested example, the website advertises “Best Padel Courts in Brooklyn,” but a hidden prompt embedded in an interactive map instructs the chatbot to open a malicious link in Chrome and to download and run a script from the attacker-controlled site.

And Claude succumbs.

“Claude interprets that as the solution to the user's request, triggering the vulnerable Chrome extension. The injected code executes, and the attacker's script runs locally,” the researchers warn.

Claude Desktop extensions run with the user's full system permissions, so a successful injection gives a remote attacker local shell access and ultimately lets them steal credentials, exfiltrate browser cookies and session tokens, install persistent backdoors and spyware, and more.

The users wouldn’t even notice anything unusual – Claude is just doing its job.


The researchers warn that any website could become an attack surface, and the app itself is an entry point for attackers.


The vulnerabilities were responsibly disclosed to Anthropic, and the company has released full fixes.

However, the findings point to systemic issues. Basic command injection flaws in official extensions raise concerns about security practices across the broader Model Context Protocol (MCP) ecosystem, where the systems are new and their security models immature.

“The MCP ecosystem is growing rapidly, and most upcoming extensions will come from independent developers. Many will rely on AI-assisted coding, with limited security review. The combination of full local access, rapid iteration, and limited oversight creates significant risk,” the research warns.

“Users need to understand that MCP extensions are not like browser add-ons – they're local executors with broad permissions.”

