PromptFiction Flaw: Auto-Submitted Hidden Prompts in Claude Desktop
Oasis Security's research uncovered the PromptFiction flaw in Claude Desktop, enabling commands to be executed without user approval.
Research from Oasis Security reveals a vulnerability in Claude Desktop, named PromptFiction, that allows attackers to execute commands without user confirmation. Utilizing the custom claude:// URL scheme, malicious links can submit prompts automatically, potentially accessing sensitive information. Attackers can disguise harmful instructions within long prompts, making them less detectable to users.