How a hidden HTML comment in a GitHub Gist caused Windsurf’s Cascade agent to read SSH keys and AWS credentials, then exfiltrate them to an attacker-controlled endpoint with zero user interaction.
Windsurf’s Cascade agent reads and writes files outside the workspace with zero confirmation, even with Auto Execution set to Disabled. The review prompt on writes is cosmetic: files exist on disk before the user can reject.
Introduction This post documents the first finding from my security research into Claude Code’s MCP (Model Context Protocol) trust model. The research demonstrates that after a user grants initial trust to an MCP server, subsequent modifications to .mcp.json execute silently on the next Claude Code launch with no re-validation, no re-prompting, and no user visibility. This was reported to Anthropic via HackerOne and closed as Informative (by-design behavior per their workspace trust model). ...
Introduction This is the second finding from my Claude Code security research. It examines the enableAllProjectMcpServers flag, set when a user selects “Use this and all future MCP servers in this project” in the MCP trust dialog. This option grants permanent, irrevocable trust to any MCP server definition added to the project’s .mcp.json in the future, with no mechanism to review, audit, or revoke trust for individual servers after the fact. ...
Introduction This is the third finding from my Claude Code security research, and the one I consider the most impactful. A malicious MCP server can completely misrepresent what it does in Claude Code’s tool confirmation prompt, causing a user to approve what appears to be a safe file read while the server silently executes arbitrary system commands, writes files outside the project directory, and runs OS-level commands. This was submitted to Anthropic via HackerOne. ...
Introduction This is the fourth finding from my Claude Code security research. The claude.ai/v1/sessions/{session_id}/events endpoint, used by Claude Code’s remote-control feature, lacks per-session authentication. An attacker who obtains a user’s sessionKey cookie can inject arbitrary messages into an active session from any machine on the internet. Injected messages are processed identically to legitimate user messages with no visual indicator of external origin. Product: Claude Code CLI v2.1.63 Feature: Remote Control (claude remote-control) CWE: CWE-306 (Missing Authentication for Critical Function) GitHub: claude-code-session-hijack ...