Today in InfoSec Job Security News:
-
@da_667 I demoed that very thing recently. Prompted up a form page and visually I could see a handful of basic JavaScript issues.
Ask Claude to review the code it generated for vulns using OWASP Top 10. And it finds them.
That’s just bonkers. Sure, a lazy initial prompt so it’s all my fault, really.
@badsamurai @da_667 @GossiTheDog I've seen setups that run tests and such all in a closed loop, I suppose if one really wanted to "use" this shit, they could implement that sort of thing too.
It'll cause a shedload more token use (and electrical waste) but might mitigate some of the idiocy.
-
@GossiTheDog If only a significant number of security practitioners could have seen it coming and warned people.
@cR0w @GossiTheDog Where "a sufficient number" is defined as 125% of all existing and future security practitioners, certified or not.
-
@DJGummikuh @GossiTheDog The purpose of a system is what it does. IMO these are not accidents.
@nihkeys @DJGummikuh @GossiTheDog I don't think that phrase allows for incompetency in design. The purpose is what was intended, not what actually results. There is a distinction.
-
Today in InfoSec Job Security News:
I was looking into an obvious ../.. vulnerability introduced into a major web framework today, and it was committed by username Claude on GitHub. Vibe coded, basically.
So I started looking through Claude commits on GitHub, there’s over 2m of them and it’s about 5% of all open source code this month.
https://github.com/search?q=author%3Aclaude&type=commits&s=author-date&o=desc
As I looked through the code I saw the same class of vulns being introduced over, and over, again - several a minute.
@GossiTheDog
The real question is why does a bot have commit privileges on a "major web framework"?i mean the answer is probably because google owns the repo probably... but why?
-
@GossiTheDog It is interesting that these changes are attributed to a "user named Claude" and not to the "human using the agent named Claude". This is how diffusion of responsibility works, I guess.
@s_bergmann @GossiTheDog I like how AIDER uses co-authors, so you can't escape from blame. All these tools should be doing similar!
-
@DJGummikuh @GossiTheDog The purpose of a system is what it does. IMO these are not accidents.
@nihkeys @DJGummikuh @GossiTheDog
The damage is the point.
It's a weapon.
Not sure I'd call it a "targeted" attack, when the goal is to flood absolutely EVERYTHING with shit everywhere.
-
Today in InfoSec Job Security News:
I was looking into an obvious ../.. vulnerability introduced into a major web framework today, and it was committed by username Claude on GitHub. Vibe coded, basically.
So I started looking through Claude commits on GitHub, there’s over 2m of them and it’s about 5% of all open source code this month.
https://github.com/search?q=author%3Aclaude&type=commits&s=author-date&o=desc
As I looked through the code I saw the same class of vulns being introduced over, and over, again - several a minute.
@GossiTheDog fault injection into production code at scale. Nice.
-
Today in InfoSec Job Security News:
I was looking into an obvious ../.. vulnerability introduced into a major web framework today, and it was committed by username Claude on GitHub. Vibe coded, basically.
So I started looking through Claude commits on GitHub, there’s over 2m of them and it’s about 5% of all open source code this month.
https://github.com/search?q=author%3Aclaude&type=commits&s=author-date&o=desc
As I looked through the code I saw the same class of vulns being introduced over, and over, again - several a minute.
@GossiTheDog I became used to checking projects I am checking out for claude (etc) in the source files and commits really fast
-
@GossiTheDog So you are saying there is a business opportunity following claude around projects with bug bounties
@etchedpixels Bug bounties? You know nothing about business…
You set up a giant scam tool, let venture capital pay for its development, then use it to hack the world and sell all of it:- license use of the tool,
- hacking applications,
- vulnerability scanning,
- protection racket from affected companies.
That' how real capitalists do business.
The tool is called Claude.
@GossiTheDog -
@GossiTheDog So you are saying there is a business opportunity following claude around projects with bug bounties
Gahhh. Takes a little effort to imagine LESS rewarding work.
-
Today in InfoSec Job Security News:
I was looking into an obvious ../.. vulnerability introduced into a major web framework today, and it was committed by username Claude on GitHub. Vibe coded, basically.
So I started looking through Claude commits on GitHub, there’s over 2m of them and it’s about 5% of all open source code this month.
https://github.com/search?q=author%3Aclaude&type=commits&s=author-date&o=desc
As I looked through the code I saw the same class of vulns being introduced over, and over, again - several a minute.
@GossiTheDog This was literally the first major security mistake I made in my early days as a Perl developer and I don't imagine it's that uncommon. Claude has probably been trained with a truckload of code with these vulnerabilities.
That's okay because we run everything in single-purpose Docker containers now though, right? /s
-
Today in InfoSec Job Security News:
I was looking into an obvious ../.. vulnerability introduced into a major web framework today, and it was committed by username Claude on GitHub. Vibe coded, basically.
So I started looking through Claude commits on GitHub, there’s over 2m of them and it’s about 5% of all open source code this month.
https://github.com/search?q=author%3Aclaude&type=commits&s=author-date&o=desc
As I looked through the code I saw the same class of vulns being introduced over, and over, again - several a minute.
@GossiTheDog I see it, could probably start a threat intelligence business off the claude feed
️ -
Today in InfoSec Job Security News:
I was looking into an obvious ../.. vulnerability introduced into a major web framework today, and it was committed by username Claude on GitHub. Vibe coded, basically.
So I started looking through Claude commits on GitHub, there’s over 2m of them and it’s about 5% of all open source code this month.
https://github.com/search?q=author%3Aclaude&type=commits&s=author-date&o=desc
As I looked through the code I saw the same class of vulns being introduced over, and over, again - several a minute.
That Claude is a "clod", and boy does Claude get around I tell ya'.
Claude is everywhere you want an exploit to be.
-
@badsamurai @da_667 @GossiTheDog I've seen setups that run tests and such all in a closed loop, I suppose if one really wanted to "use" this shit, they could implement that sort of thing too.
It'll cause a shedload more token use (and electrical waste) but might mitigate some of the idiocy.
These MFers yeet DIRFT (Do it right the first time) and TQM principles to play hooky on the plinko and demand you call them a genius.
-
Today in InfoSec Job Security News:
I was looking into an obvious ../.. vulnerability introduced into a major web framework today, and it was committed by username Claude on GitHub. Vibe coded, basically.
So I started looking through Claude commits on GitHub, there’s over 2m of them and it’s about 5% of all open source code this month.
https://github.com/search?q=author%3Aclaude&type=commits&s=author-date&o=desc
As I looked through the code I saw the same class of vulns being introduced over, and over, again - several a minute.
@GossiTheDog@cyberplace.social An instance of eating the seed corn, I'd say ( https://buc.ci/abucci/p/1705679109.757852 ).
-
@da_667 I demoed that very thing recently. Prompted up a form page and visually I could see a handful of basic JavaScript issues.
Ask Claude to review the code it generated for vulns using OWASP Top 10. And it finds them.
That’s just bonkers. Sure, a lazy initial prompt so it’s all my fault, really.
@badsamurai @da_667 @GossiTheDog Hey, as somebody writing a CTF, it's handy to get randomly introduced vulnerabilities!
-
@GossiTheDog I guess the AI security scanners will clean this up with their automated scan and CVE requests.</joke>
@hughsie @GossiTheDog It’s the circle of life. Extra points if the fix has new vulnerabilities in it!
-
@nihkeys @DJGummikuh @GossiTheDog I don't think that phrase allows for incompetency in design. The purpose is what was intended, not what actually results. There is a distinction.
@draeath @nihkeys @DJGummikuh @GossiTheDog not if you want to understand the system.
https://en.wikipedia.org/wiki/The_purpose_of_a_system_is_what_it_does -
@GossiTheDog I became used to checking projects I am checking out for claude (etc) in the source files and commits really fast
@spinnyspinlock@infosec.exchange @GossiTheDog@cyberplace.social If github lists claude (or other LLMs) as one of the top contributors I consider that a red flag
