Researchers traced a clean, direct exploit path in Claude Desktop: official extensions for Chrome, iMessage, and Apple Notes accepted user-controlled strings, built AppleScript commands without escaping, and then executed shell instructions on macOS. Because prompt injection can steer an assistant to run extension functions during normal browsing and summarization, a single poisoned page could flip from “answer my question” to “run my code” with no obvious red flags. Therefore, treat this as a governance and engineering failure you can fix with disciplined input handling, signed release processes, and continuous validation.
𝗧𝗲𝗰𝗵𝗻𝗶𝗰𝗮𝗹 𝗦𝘂𝗺𝗺𝗮𝗿𝘆 𝗮𝗻𝗱 𝗦𝗰𝗼𝗽𝗲: Claude Desktop extensions, MCP servers, AppleScript command injection (CVSS 8.9)
Three official Claude Desktop extensions Chrome, iMessage, and Apple Notes shipped as packaged MCP servers (.mcpb). They exposed helper actions that interpolated untrusted inputs into AppleScript strings (for example, “tell application ‘Google Chrome’ to open location ${url}”) and then invoked do shell script downstream. Consequently, an attacker-controlled URL or message could break out of quotes and append arbitrary shell commands. Anthropic triaged the reports through its bug bounty program, assigned high severity (CVSS 8.9), and released fixes that add proper escaping for AppleScript parameters.
𝗛𝗼𝘄 𝗔 𝗣𝗿𝗼𝗺𝗽𝘁 𝗕𝗲𝗰𝗼𝗺𝗲𝘀 𝗥𝗖𝗘: prompt injection → extension call → AppleScript → shell
Attackers don’t need you to paste a payload into a chat. Instead, they seed instructions inside web content that Claude reads while answering a benign query. Because Claude Desktop can browse, summarize, and then call installed extensions, the poisoned page subtly “recommends” an action: open this URL, draft this iMessage, fetch this Apple Note. The vulnerable extension builds the AppleScript with the attacker’s string; the payload escapes quoting and triggers do shell script; the shell runs with the extension’s local privileges. Consequently, a normal research task can leak SSH keys, browser tokens, or cloud credentials if you leave default permissions wide open.
𝗗𝗲𝘀𝗶𝗴𝗻 𝗪𝗶𝗱𝗲 𝗢𝗽𝗲𝗻 unsandboxed local powers and thin input validation
Claude Desktop extensions run with host access. Unlike browser add-ons, they don’t live inside a strict renderer sandbox; rather, they act as local executors that bridge an assistant and your OS. Because that trust boundary stayed wide and input validation stayed thin, basic command injection delivered full impact. Therefore, teams must treat MCP servers as privileged software: secure them like you secure endpoint agents and RMM tools, not like lightweight plugins.
𝗣𝗿𝗮𝗰𝘁𝗶𝗰𝗮𝗹 𝗗𝗲𝘁𝗲𝗰𝘁𝗶𝗼𝗻: prompt injection signals, extension telemetry, AppleScript traces
Start by correlating assistant browsing to sudden extension calls and by flagging unusual “open location” AppleScript sequences that carry appended operators, stray quotes, or concatenation markers. Additionally, review do shell script invocations that follow assistant-initiated browsing within seconds. Meanwhile, alert on short-lived curl or bash pipelines spawned by the desktop client, especially those fetching from newly seen hosts. Because poisoned content often repeats across queries, track repeated hits on the same origin after similar questions.
𝗜𝗺𝗺𝗲𝗱𝗶𝗮𝘁𝗲 𝗠𝗶𝘁𝗶𝗴𝗮𝘁𝗶𝗼𝗻𝘀 update extensions, constrain inputs, gate execution
Update to the patched extension versions released by Anthropic; then audit all installed MCP servers and remove anything unmaintained. Because quoting mistakes recur, enforce centralized input sanitization helpers that escape AppleScript parameters before any call. Next, restrict extension execution to an allowlist of safe actions and safe schemes (for example, https only) and block expansion characters, shell metacharacters, and unbalanced quotes at the boundary. Additionally, force the desktop app to prompt for approval when a web-sourced instruction requests a local action, and log the exact parameters so reviews highlight suspicious strings.
𝗛𝗮𝗿𝗱𝗲𝗻𝗶𝗻𝗴 𝗮𝗻𝗱 𝗚𝗼𝘃𝗲𝗿𝗻𝗮𝗻𝗰𝗲: MCP security, signed releases, continuous validation
Harden the MCP ecosystem like any privileged integration tier. Require signed releases and reproducible builds for official extensions; require pre-merge security checks for quote handling and shell calls; require automated tests that feed hostile strings through every AppleScript boundary. Moreover, isolate extension processes with least privilege, deny outbound network by default, and proxy all fetches through a sanitizer that strips dangerous parameters. Then, schedule canary tests that attempt benign injections during CI and during production health checks; fail builds or raise incidents on regression. Finally, publish a clear scope in your vulnerability disclosure program and respond with timelines, severity, and version numbers so customers can track fixes in policy.
𝗦𝗮𝗳𝗲𝘁𝘆 𝗩𝗮𝗹𝗶𝗱𝗮𝘁𝗶𝗼𝗻 prove the fix and close residual gaps
Prove that the patched extensions quote every parameter by replaying known payloads that previously triggered do shell script. Confirm that the desktop app now prompts for local actions when content contains embedded instructions. Verify that logs capture the exact string that reached the AppleScript layer and that your SIEM alerts on suspicious concatenation and operators. Then, rotate tokens, wipe any cached secrets, and reimage high-value workstations if you detect successful code execution. Because persistence often hides inside LaunchAgents or cron wrappers, sweep those locations and compare against a clean baseline.
𝗖𝗹𝗼𝘀𝗶𝗻𝗴 𝗔𝗻𝗮𝗹𝘆𝘀𝗶𝘀: defend where usability meets power
Assistant extensions collapse distance between a prompt and your operating system. Consequently, small quoting errors create big blast radius. You can keep the productivity gains and cut the risk: sanitize inputs, gate execution, sandbox what you can, and test these controls continuously. If you treat MCP servers as local admin software, not as cute add-ons, you remove the easy win that attackers target first.
FAQs
Q1: Did attackers need malware on the endpoint?
A1: No. The vulnerable extensions accepted unescaped strings and executed AppleScript that invoked do shell script. A poisoned page plus an extension call could trigger local commands during normal use.
Q2: What versions include fixes?
A2: Anthropic patched the official extensions after triage; researchers verified fixes by replaying payloads. Update to the latest marketplace versions and retest with benign injections to prove quoting works.
Q3: How should teams monitor for residual abuse?
A3: Correlate assistant browsing with extension calls; alert on do shell script sequences that include stray quotes or concatenation; log and review parameters; block unexpected outbound fetches from the desktop client.
Q4: How do we prevent regressions?
A4: Centralize AppleScript escaping, add CI tests with hostile strings, require signed releases, sandbox extension processes, and run scheduled canary injections that fail builds on mis-escaped parameters.
