Anthropic's Files API exfiltration risk resurfaces in Cowork

Anthropic's Files API exfiltration risk resurfaces in Cowork

Briefly

"Anthropic's tendency to wave off prompt-injection risks is rearing its head in the company's new Cowork productivity AI, which suffers from a Files API exfiltration attack chain first disclosed last October and acknowledged but not fixed by Anthropic. PromptArmor, a security firm specializing in the discovery of AI vulnerabilities, reported on Wednesday that Cowork can be tricked via prompt injection into transmitting sensitive files to an attacker's Anthropic account, without any additional user approval once access has been granted."

"The process is relatively simple and, as PromptArmor explains, part of an "ever-growing" attack surface - a risk amplified by Cowork being pitched at non-developer users who may not think twice about which files and folders they connect to an AI agent. Cowork, launched in research preview on Monday, is designed to automate office work by scanning files such as spreadsheets and other everyday documents that desk workers interact with daily."

"In order to trigger the attack, all a potential victim needs to do is connect Cowork to a local folder containing sensitive information, upload a document containing a hidden prompt injection, and voilà - when Cowork analyzes those files, the injected prompt triggers. PromptArmor's proof of concept used a curl command to Anthropic's file upload API, asking it to upload the largest available file to the attacker's API key, making that file available to the attacker through their own Anthropic account."