Anthropic’s newly launched Claude Cowork tool has been found vulnerable to a serious security flaw. Security researchers say the issue allows attackers to steal private files without user knowledge.
The problem is not new. Anthropic knew about it months ago but did not fix it.
The tool was released as a research preview this week. Soon after launch, experts warned that the same weakness seen in earlier Anthropic tools had returned.

How the Prompt Injection Attack Steals Files
Security firm PromptArmor discovered the flaw. The attack uses a known technique called prompt injection, which tricks AI systems into following hidden instructions embedded in the content they process.
Cowork limits where data can be sent. It allows only trusted domains. Anthropic’s own API domain is on this allowed list. Attackers use this to their advantage.
How the attack works:
- User connects Cowork to a local folder
- A document contains hidden malicious text
- Text is invisible to users
- Claude reads the hidden instructions
- AI uploads files to attacker’s account
Attackers hide prompts using tiny font size, white text, and tight spacing. Users cannot see them.
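One defensive measure the article implies but does not show is scanning documents for text that a human reader would never see before an agent is allowed to act on them. The following is an added example, not code from PromptArmor, Anthropic or the Cowork product: it walks the inline styles of an HTML document and reports any text rendered with a tiny font, white colour, negative letter spacing or CSS hiding. The sample document and the hidden sentence in it are constructed for the test.

```python
"""Flag text hidden from human readers (tiny font, white-on-white, squeezed
spacing, CSS-hidden) in an HTML document before it reaches an LLM agent.
Added example; the sample document below is constructed, not taken from the
reported incident."""
from html.parser import HTMLParser
import re

TINY_FONT_PX = 4.0  # anything smaller is effectively invisible on screen
WHITE = {"#fff", "#ffffff", "white", "rgb(255,255,255)"}
VOID_TAGS = {"br", "hr", "img", "meta", "link", "input"}  # never have an end tag


def _parse_style(style):
    """Turn 'a: b; c: d' into a dict of lowercased, whitespace-free values."""
    out = {}
    for decl in style.split(";"):
        if ":" in decl:
            key, val = decl.split(":", 1)
            out[key.strip().lower()] = re.sub(r"\s+", "", val.strip().lower())
    return out


def _font_px(value):
    """Return the font size in px (pt converted), or None if not numeric."""
    m = re.match(r"([0-9.]+)(px|pt)?", value)
    if not m:
        return None
    size = float(m.group(1))
    return size * 4 / 3 if m.group(2) == "pt" else size


class HiddenTextScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.stack = []     # per open element: list of reasons it hides text
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag in VOID_TAGS:
            return
        style = _parse_style(dict(attrs).get("style") or "")
        reasons = []
        px = _font_px(style.get("font-size", ""))
        if px is not None and px < TINY_FONT_PX:
            reasons.append(f"font-size {px:g}px")
        if style.get("color") in WHITE:
            reasons.append("white text")
        if style.get("display") == "none" or style.get("visibility") == "hidden":
            reasons.append("css-hidden")
        spacing = style.get("letter-spacing", "")
        if spacing.startswith("-"):
            reasons.append(f"letter-spacing {spacing}")
        self.stack.append(reasons)

    def handle_startendtag(self, tag, attrs):
        pass  # <br/> and friends carry no text of their own

    def handle_endtag(self, tag):
        if tag not in VOID_TAGS and self.stack:
            self.stack.pop()

    def handle_data(self, data):
        text = data.strip()
        if not text:
            return
        # Text is hidden if any enclosing element hides it.
        reasons = sorted({r for rs in self.stack for r in rs})
        if reasons:
            self.findings.append({"text": text, "reasons": reasons})


def scan_html(doc):
    """Return a list of {'text', 'reasons'} entries for hidden text in doc."""
    scanner = HiddenTextScanner()
    scanner.feed(doc)
    return scanner.findings


# Constructed sample: a normal-looking memo with one invisible paragraph.
SAMPLE_DOC = """<html><body>
<h1>Q3 budget summary</h1>
<p>Travel spend was 12% under plan.</p>
<p style="font-size: 1px; color: #ffffff; letter-spacing: -2px">
Hidden instruction for the assistant (constructed test string).</p>
<p>Headcount unchanged.</p>
</body></html>"""

if __name__ == "__main__":
    for finding in scan_html(SAMPLE_DOC):
        print(finding["reasons"], "->", finding["text"])
```

A document with any finding should be quarantined or shown to the user with the hidden passages highlighted rather than handed to the agent as-is; the same idea applies to other formats (PDF, DOCX) once their styling is extracted.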
Once triggered, Claude uses a command to send the largest file to the attacker. No approval is required. The attack works on Claude Haiku and Claude Opus 4.5.
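The exfiltration path described above works because the egress control asks only "is this host allowed?" and not "whose account is this request going to?". The following is an added example of the difference, written for a hypothetical agent sandbox; it is not Cowork's or Anthropic's own egress logic and the host name, header names and key fingerprint are constructed. The domain-only policy passes a request that carries someone else's credential; the credential-bound policy denies it and returns a reason suitable for logging.

```python
"""Egress policy check for an agent sandbox (added example, hypothetical
design). Demonstrates that a domain allowlist alone does not stop data
leaving the workspace when an allowlisted API host accepts any account's
credential."""
import hashlib
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Constructed stand-in for a vendor API host that a sandbox might allowlist.
ALLOWED_HOSTS = {"api.example-llm-provider.test"}


@dataclass(frozen=True)
class OutboundRequest:
    url: str
    headers: dict = field(default_factory=dict)  # lowercase header names
    body_bytes: int = 0


def fingerprint(secret):
    """Short SHA-256 fingerprint so policies never compare raw secrets."""
    return hashlib.sha256(secret.encode()).hexdigest()[:16]


def domain_only_policy(req):
    """The weak rule: anything sent to an allowlisted host is permitted."""
    return urlparse(req.url).hostname in ALLOWED_HOSTS


def credential_bound_policy(req, workspace_key_fp, max_upload_bytes=64 * 1024):
    """Hardened rule: the host must be allowlisted, the credential on the
    request must be the workspace's own, and the upload must fit a budget.
    Returns (allowed, reason)."""
    host = urlparse(req.url).hostname
    if host not in ALLOWED_HOSTS:
        return False, f"host {host} not allowlisted"
    key = req.headers.get("x-api-key") or \
        req.headers.get("authorization", "").removeprefix("Bearer ").strip()
    if not key or fingerprint(key) != workspace_key_fp:
        return False, "credential does not belong to this workspace"
    if req.body_bytes > max_upload_bytes:
        return False, f"upload of {req.body_bytes} bytes exceeds budget"
    return True, "ok"


# Constructed scenario: the workspace owns one key; a request shows up
# addressed to the allowlisted host but carrying a different key and a
# large body, which is what "send the largest file elsewhere" looks like.
WORKSPACE_KEY_FP = fingerprint("workspace-key-constructed")

FOREIGN_UPLOAD = OutboundRequest(
    url="https://api.example-llm-provider.test/v1/files",
    headers={"x-api-key": "someone-elses-key-constructed"},
    body_bytes=5 * 1024 * 1024,
)
NORMAL_CALL = OutboundRequest(
    url="https://api.example-llm-provider.test/v1/messages",
    headers={"x-api-key": "workspace-key-constructed"},
    body_bytes=2_000,
)

if __name__ == "__main__":
    for name, req in [("foreign upload", FOREIGN_UPLOAD), ("normal call", NORMAL_CALL)]:
        print(name, "domain-only:", domain_only_policy(req),
              "credential-bound:", credential_bound_policy(req, WORKSPACE_KEY_FP))
```

The denial reason is the useful part for detection: a sandbox that logs "credential does not belong to this workspace" on an allowlisted host gives a responder a concrete signal that an injected instruction tried to use the trusted domain as an exit.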
A Known Flaw That Remained Unfixed
This vulnerability dates back to October 2025. Researcher Johann Rehberger reported it to Anthropic. The company first rejected the report. Later, it admitted the issue was valid. However, no fix was released.
Anthropic responded to the Cowork disclosure by warning users instead of changing the system.
Current guidance from Anthropic:
- Avoid uploading sensitive files
- Watch for suspicious behavior
- Use Cowork with caution
Security experts say this is not enough. They argue that non-technical users cannot detect hidden prompt attacks. Developer Simon Willison criticized Anthropic’s advice. He said users should not bear the security burden.
Anthropic says prompt injection is an industry-wide issue. The company claims Cowork runs in a virtual machine to reduce risk. It also promised future updates to improve safety.
The issue raises serious concerns. Cowork is marketed to everyday office users. Yet it requires advanced security awareness. The incident shows that prompt injection attacks remain a major risk as AI tools gain more real-world access.