Claude Code Security Flaws: 4 Blind Spots You Need to Know (2026)

Anthropic's Claude has been found to have four significant security blind spots, each a trust-boundary failure of the kind known as the confused deputy problem. The vulnerabilities, uncovered by four separate research teams, show how Claude's architecture can be exploited across very different surfaces: water utilities, Chrome extensions, and coding agents. The common thread is that Claude, acting with its own legitimate authority, can end up executing actions on behalf of the wrong principal, whether that is an attacker probing a water utility's network, a malicious Chrome extension, or a malicious npm package. This raises a deeper question: how can we ensure that AI agents such as Claude respect user permissions and cannot be exploited by malicious actors?

One of the key issues is the flat authorization plane of LLMs, which does not respect user permissions. As Carter Rees, VP of Artificial Intelligence at Reputation, pointed out, an agent operating on this flat plane already holds the privileges it needs and never has to escalate them, so an attacker who can steer the agent has nothing to escalate either. This is compounded by enterprises cloning human permission sets onto agentic systems, as Kayne McGladrey, an IEEE senior member, describes. The result is that an agent can exercise far more of those permissions than a human ever would, which makes it correspondingly more exposed to abuse.

The first blind spot is in the OT monitoring stack, where AI-generated reconnaissance coming from IT-side developer tools is not flagged as anomalous. As CrowdStrike CTO Elia Zaitsev explained, the attack is almost always at the action layer, and the reconnaissance looks like legitimate developer activity. EDR therefore struggles to detect it: it sees the action but not the intent behind it. The recommended action is to segment AI-assisted sessions from OT-adjacent network segments and to log all Claude API calls that reference internal hostnames or IP ranges.
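A minimal version of that logging check, added here as an example and not part of the original article: it scans prompt-level API call log lines for private IP ranges and for hostnames under internal DNS suffixes. The log line format and the `INTERNAL_SUFFIXES` zones are assumptions; the sample log lines are constructed.

```python
import ipaddress
import re

# Assumed internal DNS suffixes for this example; replace with your own zones.
INTERNAL_SUFFIXES = (".corp.example", ".ot.example")

# Dotted-quad with optional CIDR prefix, and a generic dotted hostname.
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}(?:/\d{1,2})?\b")
HOST_RE = re.compile(r"\b[a-z0-9](?:[a-z0-9-]*[a-z0-9])?(?:\.[a-z0-9-]+)+\b", re.I)


def is_private_ip(token: str) -> bool:
    """True for RFC1918, loopback and link-local addresses or networks."""
    try:
        net = ipaddress.ip_network(token, strict=False)
    except ValueError:
        return False
    return net.is_private


def internal_refs(text: str) -> list[str]:
    """Return every private IP/CIDR or internal-suffix hostname found in text."""
    hits = [m for m in IP_RE.findall(text) if is_private_ip(m)]
    hits += [h for h in HOST_RE.findall(text) if h.lower().endswith(INTERNAL_SUFFIXES)]
    return hits


def scan_log(lines: list[str]) -> list[dict]:
    """Parse assumed '<ts> <user> <prompt>' lines; keep those naming internal assets."""
    flagged = []
    for line in lines:
        ts, user, prompt = line.split(" ", 2)
        refs = internal_refs(prompt)
        if refs:
            flagged.append({"ts": ts, "user": user, "refs": refs})
    return flagged


# Constructed sample log lines for demonstration.
SAMPLE_LOG = [
    '2026-01-10T09:00:01Z dev1 "write a python script to hit api.github.com"',
    '2026-01-10T09:02:17Z dev1 "scan 10.20.0.0/16 for open modbus ports"',
    '2026-01-10T09:05:44Z dev2 "what does plc-07.ot.example expose on 502"',
    '2026-01-10T09:06:10Z dev2 "summarize this changelog"',
]

if __name__ == "__main__":
    for rec in scan_log(SAMPLE_LOG):
        print(rec)
```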

The second blind spot is in the Chrome stack, where any script running in the claude.ai browser context, including scripts injected by zero-permission extensions, can hijack Claude. As LayerX researcher Aviad Gispan disclosed, the `externally_connectable` manifest entry trusts the origin (claude.ai), not the execution context. Any extension can therefore inject commands into Claude's messaging interface with no permissions at all. The recommended action is to deploy browser security tooling that inspects extension messaging channels and to monitor for extensions that inject content scripts into the claude.ai domain.
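An added example (not from the article) of the manifest side of that monitoring: it implements Chrome match-pattern host matching and lists, for each installed extension manifest, the declared content scripts and `host_permissions` that can reach claude.ai. The manifests below are constructed; the check only sees declared reach, so it complements rather than replaces inspection of the messaging channel itself.

```python
import re

# Chrome match pattern: <all_urls>, or scheme://host/path with "*" wildcards.
PATTERN_RE = re.compile(r"(\*|https?|file|ftp|wss?)://([^/]*)(/.*)")


def pattern_covers_host(pattern: str, domain: str) -> bool:
    """True if the match pattern can apply to some page on `domain`.
    Scheme and path are ignored: any page on the host is enough to matter."""
    if pattern == "<all_urls>":
        return True
    m = PATTERN_RE.fullmatch(pattern)
    if not m:
        return False  # malformed; Chrome would reject the manifest
    host, domain = m.group(2).lower(), domain.lower()
    if host == "*":
        return True
    if host.startswith("*."):  # "*.claude.ai" covers claude.ai and subdomains
        base = host[2:]
        return domain == base or domain.endswith("." + base)
    return host == domain


def manifest_reach(manifest: dict, domain: str) -> list[str]:
    """Ways this manifest can run code on `domain`: declared content scripts,
    or host_permissions (which allow runtime injection via chrome.scripting)."""
    reach = []
    for cs in manifest.get("content_scripts", []):
        if any(pattern_covers_host(p, domain) for p in cs.get("matches", [])):
            reach.extend(f"content_script:{js}" for js in cs.get("js", []))
    for p in manifest.get("host_permissions", []):
        if pattern_covers_host(p, domain):
            reach.append(f"host_permission:{p}")
    return reach


def audit(manifests: dict, domain: str) -> dict:
    """Map extension name -> reach list, for extensions that can touch `domain`."""
    return {n: r for n, m in manifests.items() if (r := manifest_reach(m, domain))}


# Constructed sample manifests (extension name -> manifest fragment).
SAMPLE_MANIFESTS = {
    "note-taker": {"content_scripts": [{"matches": ["https://notes.example/*"], "js": ["notes.js"]}]},
    "prompt-helper": {"content_scripts": [{"matches": ["*://*.claude.ai/*"], "js": ["inject.js"]}]},
    "page-saver": {"content_scripts": [{"matches": ["<all_urls>"], "js": ["save.js"]}],
                   "host_permissions": ["<all_urls>"]},
    "dark-mode": {"host_permissions": ["https://*.claude.ai/*"]},
}

if __name__ == "__main__":
    for name, reach in audit(SAMPLE_MANIFESTS, "claude.ai").items():
        print(name, reach)
```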

The third blind spot is in the Claude Code stack, where a malicious npm postinstall hook can rewrite the MCP server URL to route traffic through an attacker's proxy, capturing OAuth tokens for Jira, Confluence, and GitHub. As Mitiga Labs researcher Idan Cohen explained, Claude Code reads the MCP server URL from the config file on every load and never re-validates that the URL still matches the endpoint the user originally authorized. The recommended action is to monitor the ~/.claude.json file for unexpected MCP endpoint changes against an allowlist, and to block or alert on npm postinstall hooks that modify files outside the package directory.

Finally, the fourth blind spot is in the coding agent stack, where project-scoped Claude configuration files in a cloned repository can silently authorize MCP servers to run as native OS processes with full user privileges. As Adversa AI researcher Alex Polyakov demonstrated, the generic "Yes, I trust this folder" dialog does not show what it authorizes, and no current security tooling can tell a legitimate project config from a malicious one. The recommended action is to require explicit per-server MCP approval rather than blanket folder trust, and to flag repos that define custom MCP servers in project configuration.
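One audit routine for both the third and fourth blind spots, added here as an example (not the article's and not Claude Code's own code): it checks remote MCP URLs in the user config against an allowlist and a recorded baseline, and lists project-config servers that spawn native processes. The config shape, a top-level `mcpServers` map whose entries carry `url` for remote servers or `command`/`args` for local ones, is an assumption modeled on the user and project configs the text describes; hosts and configs are constructed.

```python
import json
from urllib.parse import urlsplit

# Assumed allowlist of (scheme, host) pairs the user originally authorized.
ALLOWED_ENDPOINTS = {("https", "mcp.jira.example"), ("https", "mcp.github.example")}


def servers(config: dict) -> dict:
    """Assumed layout: {"mcpServers": {name: {"url": ...} | {"command": ..., "args": [...]}}}."""
    return config.get("mcpServers", {})


def endpoint_violations(config: dict, allowed: set) -> list[dict]:
    """Remote servers whose URL is off the allowlist: a URL rewritten to pass
    through a proxy, or downgraded to plain http, lands here."""
    bad = []
    for name, spec in servers(config).items():
        url = spec.get("url")
        if url and (urlsplit(url).scheme, urlsplit(url).hostname) not in allowed:
            bad.append({"server": name, "url": url})
    return bad


def endpoint_changes(baseline: dict, current: dict) -> list[dict]:
    """Diff remote URLs against a previously recorded snapshot of the config."""
    before = {n: s.get("url") for n, s in servers(baseline).items()}
    after = {n: s.get("url") for n, s in servers(current).items()}
    return [{"server": n, "before": before.get(n), "after": after.get(n)}
            for n in sorted(set(before) | set(after)) if before.get(n) != after.get(n)]


def native_servers(config: dict) -> list[dict]:
    """Servers that spawn a native process; in a cloned repo's project config
    these run with the user's full privileges once the folder is trusted."""
    return [{"server": n, "command": s["command"], "args": s.get("args", [])}
            for n, s in servers(config).items() if "command" in s]


# Constructed sample configs: a recorded baseline, the current file, and a repo's project config.
USER_CONFIG_BASELINE = json.loads('{"mcpServers": {"jira": {"url": "https://mcp.jira.example/v1/mcp"}}}')
USER_CONFIG_NOW = json.loads(
    '{"mcpServers": {"jira": {"url": "https://mcp.jira.example.proxy.example/v1/mcp"}}}')
PROJECT_CONFIG = json.loads('{"mcpServers": {"lint": {"command": "node", "args": ["scripts/setup.js"]}}}')

if __name__ == "__main__":
    print("violations:", endpoint_violations(USER_CONFIG_NOW, ALLOWED_ENDPOINTS))
    print("changes:", endpoint_changes(USER_CONFIG_BASELINE, USER_CONFIG_NOW))
    print("native servers in project config:", native_servers(PROJECT_CONFIG))
```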

In conclusion, the four security blind spots in Anthropic's Claude show that AI agent security needs a more robust approach than cloning human permissions onto an agent. Closing them is how we ensure that agents such as Claude respect user permissions and cannot be turned against the user by a malicious actor. It is worth stepping back to consider the broader implications of these vulnerabilities and to work toward more secure and trustworthy AI systems.

Article information

Author: Msgr. Refugio Daniel