Today in InfoSec Job Security News:
-
@GossiTheDog what's funny to me, is that there were influencers on linkedin a few days ago claiming claudecode could find vulnerabilities in code faster than humans, and they're like "look at all these openssl vulns it found!" now I'm like. "well no shit its finding vulnerabilities, when its the one introducing them."
@da_667 I demoed that very thing recently. Prompted up a form page and visually I could see a handful of basic JavaScript issues.
Ask Claude to review the code it generated for vulns using OWASP Top 10. And it finds them.
That’s just bonkers. Sure, a lazy initial prompt so it’s all my fault, really.
-
@GossiTheDog If only a significant number of security practitioners could have seen it coming and warned people.
-
@da_667 @GossiTheDog I wish that juice actually existed...
@Drat @da_667 @GossiTheDog drink enough ethanol and you'll accomplish it!
-
@GossiTheDog you're just jealous because it will cure cancer and fix climate change
I mean, if climate change becomes fixed eventually there won't be any more cancer, so they aren't completely wrong.
-
@da_667 I demoed that very thing recently. Prompted up a form page and visually I could see a handful of basic JavaScript issues.
Ask Claude to review the code it generated for vulns using OWASP Top 10. And it finds them.
That’s just bonkers. Sure, a lazy initial prompt so it’s all my fault, really.
@badsamurai @da_667 @GossiTheDog I've seen setups that run tests and such all in a closed loop, I suppose if one really wanted to "use" this shit, they could implement that sort of thing too.
It'll cause a shedload more token use (and electrical waste) but might mitigate some of the idiocy.
-
@GossiTheDog If only a significant number of security practitioners could have seen it coming and warned people.
@cR0w @GossiTheDog Where "a sufficient number" is defined as 125% of all existing and future security practitioners, certified or not.
-
@DJGummikuh @GossiTheDog The purpose of a system is what it does. IMO these are not accidents.
@nihkeys @DJGummikuh @GossiTheDog I don't think that phrase allows for incompetency in design. The purpose is what was intended, not what actually results. There is a distinction.
-
Today in InfoSec Job Security News:
I was looking into an obvious ../.. vulnerability introduced into a major web framework today, and it was committed by username Claude on GitHub. Vibe coded, basically.
So I started looking through Claude commits on GitHub, there’s over 2m of them and it’s about 5% of all open source code this month.
https://github.com/search?q=author%3Aclaude&type=commits&s=author-date&o=desc
As I looked through the code I saw the same class of vulns being introduced over, and over, again - several a minute.
@GossiTheDog
The real question is why does a bot have commit privileges on a "major web framework"?i mean the answer is probably because google owns the repo probably... but why?
-
@GossiTheDog It is interesting that these changes are attributed to a "user named Claude" and not to the "human using the agent named Claude". This is how diffusion of responsibility works, I guess.
@s_bergmann @GossiTheDog I like how AIDER uses co-authors, so you can't escape from blame. All these tools should be doing similar!
-
@DJGummikuh @GossiTheDog The purpose of a system is what it does. IMO these are not accidents.
@nihkeys @DJGummikuh @GossiTheDog
The damage is the point.
It's a weapon.
Not sure I'd call it a "targeted" attack, when the goal is to flood absolutely EVERYTHING with shit everywhere.
-
Today in InfoSec Job Security News:
I was looking into an obvious ../.. vulnerability introduced into a major web framework today, and it was committed by username Claude on GitHub. Vibe coded, basically.
So I started looking through Claude commits on GitHub, there’s over 2m of them and it’s about 5% of all open source code this month.
https://github.com/search?q=author%3Aclaude&type=commits&s=author-date&o=desc
As I looked through the code I saw the same class of vulns being introduced over, and over, again - several a minute.
@GossiTheDog fault injection into production code at scale. Nice.
-
Today in InfoSec Job Security News:
I was looking into an obvious ../.. vulnerability introduced into a major web framework today, and it was committed by username Claude on GitHub. Vibe coded, basically.
So I started looking through Claude commits on GitHub, there’s over 2m of them and it’s about 5% of all open source code this month.
https://github.com/search?q=author%3Aclaude&type=commits&s=author-date&o=desc
As I looked through the code I saw the same class of vulns being introduced over, and over, again - several a minute.
@GossiTheDog I became used to checking projects I am checking out for claude (etc) in the source files and commits really fast
-
@GossiTheDog So you are saying there is a business opportunity following claude around projects with bug bounties
@etchedpixels Bug bounties? You know nothing about business…
You set up a giant scam tool, let venture capital pay for its development, then use it to hack the world and sell all of it:- license the tool,
- hacked applications,
- vulnerability scanning,
- protection racket from affected companies.
That' how real capitalists do business.
@GossiTheDog -
@GossiTheDog So you are saying there is a business opportunity following claude around projects with bug bounties
Gahhh. Takes a little effort to imagine LESS rewarding work.
-
Today in InfoSec Job Security News:
I was looking into an obvious ../.. vulnerability introduced into a major web framework today, and it was committed by username Claude on GitHub. Vibe coded, basically.
So I started looking through Claude commits on GitHub, there’s over 2m of them and it’s about 5% of all open source code this month.
https://github.com/search?q=author%3Aclaude&type=commits&s=author-date&o=desc
As I looked through the code I saw the same class of vulns being introduced over, and over, again - several a minute.
@GossiTheDog This was literally the first major security mistake I made in my early days as a Perl developer and I don't imagine it's that uncommon. Claude has probably been trained with a truckload of code with these vulnerabilities.
That's okay because we run everything in single-purpose Docker containers now though, right? /s
-
Today in InfoSec Job Security News:
I was looking into an obvious ../.. vulnerability introduced into a major web framework today, and it was committed by username Claude on GitHub. Vibe coded, basically.
So I started looking through Claude commits on GitHub, there’s over 2m of them and it’s about 5% of all open source code this month.
https://github.com/search?q=author%3Aclaude&type=commits&s=author-date&o=desc
As I looked through the code I saw the same class of vulns being introduced over, and over, again - several a minute.
@GossiTheDog@cyberplace.social I wonder across the industry how common is it for orgs to skip static code analysis, or other code vulnerability scans as part of their pipelines? Even then how many of those scans are actually effective?
Looks like AI is potentially an insider threat, and code generated by it has to be treated accordingly, even in the case of it being generated by project members and "reviewed" -
Today in InfoSec Job Security News:
I was looking into an obvious ../.. vulnerability introduced into a major web framework today, and it was committed by username Claude on GitHub. Vibe coded, basically.
So I started looking through Claude commits on GitHub, there’s over 2m of them and it’s about 5% of all open source code this month.
https://github.com/search?q=author%3Aclaude&type=commits&s=author-date&o=desc
As I looked through the code I saw the same class of vulns being introduced over, and over, again - several a minute.
@GossiTheDog I see it, could probably start a threat intelligence business off the claude feed
️ -
Today in InfoSec Job Security News:
I was looking into an obvious ../.. vulnerability introduced into a major web framework today, and it was committed by username Claude on GitHub. Vibe coded, basically.
So I started looking through Claude commits on GitHub, there’s over 2m of them and it’s about 5% of all open source code this month.
https://github.com/search?q=author%3Aclaude&type=commits&s=author-date&o=desc
As I looked through the code I saw the same class of vulns being introduced over, and over, again - several a minute.
That Claude is a "clod", and boy does Claude get around I tell ya'.
Claude is everywhere you want an exploit to be.
-
@badsamurai @da_667 @GossiTheDog I've seen setups that run tests and such all in a closed loop, I suppose if one really wanted to "use" this shit, they could implement that sort of thing too.
It'll cause a shedload more token use (and electrical waste) but might mitigate some of the idiocy.
@draeath @badsamurai @da_667 @GossiTheDog That's what amazes me about the "hallucinated citations" stories. Making bots not hallucinate is certainly not readily feasible, quite possible infeasible in practice; but just checking citations one at a time for existence would have been cutting edge in maybe the 1960s. Why is anyone skipping such trivial cleanup steps when using a known-unreliable tool?
