```html ``` Your Claude Preferences Sync to Every Device. Pentera Turned That Into a Reverse Shell — and Anthropic Says It's Working as Designed.
top of page

Your Claude Preferences Sync to Every Device. Pentera Turned That Into a Reverse Shell — and Anthropic Says It's Working as Designed.

  • Writer: Patrick Duggan
    Patrick Duggan
  • 1 hour ago
  • 4 min read

This morning we wrote about a fake-click flaw in the Claude browser extension, and called it a clean teachable example of the failure mode that will define the next few years of agent security. Here is the companion piece from the desktop side, disclosed by Pentera Labs, and it makes the same argument from a different door. It also comes with a caveat we need to put up front, because the wire coverage has been calling it a one-click, zero-interaction attack, and that is not quite what it is.



What it is not


It is not zero-click. The chain requires the attacker to already be inside the victim's account. Pentera's own path starts with a compromised email inbox, which is used to get into the victim's Claude account. Nothing about this fires against a stranger who has never been phished. If you read a headline that says an attacker takes over Claude Desktop with a single click and no interaction, that headline skipped the first and hardest step. We are saying so plainly because the accuracy of the setup is the difference between "patch tonight" and "understand this class of problem." This is the second one.



What it is


Once inside the account, the interesting part is the personalization layer. Claude's personal preferences, skills, and MCP connectors are account-wide settings that sync across every device you sign in on. Pentera's researchers, Dvir Avraham and Reef Spektor, injected a base64-encoded malicious prompt into the victim's personal preferences. Because preferences sync, that prompt then auto-loaded into every Claude Desktop session on every device the victim used. The injection did not have to travel to the target. The target's own sync did the delivery.


The injected instruction was conditional, which is the elegant part. It told Claude to quietly check whether a command-capable tool was available — something like the Desktop Commander MCP connector. If one was present, Claude would execute the attacker's commands through it and stand up a reverse shell. If no such tool was present, the prompt fell back to social engineering: it generated a convincing fake error message, complete with realistic error codes and a link, that steered the user into downloading an attacker-controlled tool themselves. Phishing with no email, delivered inside the trusted assistant, rendered by the assistant the user already believes.



Anthropic's answer, and why it is the actual story


Pentera reported this to Anthropic in November 2025. Anthropic's position is that it does not fall within the scope of their vulnerability program. In their words, their current threat model treats personal preferences, skills, and MCP connectors as features that can execute code through Claude Desktop by design. No CVE was assigned. It is classified as expected behavior.


We are not going to dunk on that, because it is defensible and it is honest, and it is the same thing we heard when the Model Context Protocol's configuration-to-command-execution path surfaced earlier this year — a design where code execution through the agent is the intended capability, not a bug. But "working as designed" and "safe" are different claims. When the design says the agent can execute code, and the personalization that steers the agent syncs across every device from a single account, then the security of the whole thing collapses down to the security of that one account. The preference store becomes a code-execution channel. That is not a Claude-specific indictment. Every agent vendor building persistent, syncing, cross-device personalization on top of tool-execution is shipping the same shape, and most of them have not been red-teamed on it yet.



The pattern, and why we keep our own on a leash


Put this next to the rest of the year and the picture is not subtle. The MCP command-execution design. The fake-click injection surface in the browser extension. A permissions change that shipped without consent in April. A sandbox hole in May. Malicious installers impersonating Claude to drop stealers. And now personalization sync as a delivery channel for a reverse shell. Individually, each is bounded. Together they draw one line: the agent is a privileged process that acts on instructions it reads from its environment, and its environment now includes a synced settings store that an account compromise fully controls.


We run our operation on Claude. We say that in public because it would be dishonest not to, and because it is exactly why we treat the agent as untrusted infrastructure rather than a trusted colleague. We watch what our tools reach out to. We do not let an agent hold standing execution rights it does not need for the task in front of it. And we assume the personalization layer is attacker-reachable, because Pentera just demonstrated that it is.


The defensive takeaway is not "stop using Claude Desktop." It is account hygiene as agent security. Put real multi-factor authentication on the account that holds your preferences and MCP connectors, because that account is now a code-execution surface. Audit which MCP connectors have command capability and remove the ones you are not actively using — a reverse shell needs a tool to ride, and Desktop Commander was the horse here. And treat any error message your assistant renders that asks you to download something the way you would treat an unsolicited email attachment, because the fallback path in this attack was exactly that, coming from a source you trust more than your inbox.


Working as designed is not the end of the conversation. For agent security, it is the beginning of it.




Every indicator in this post is in the feed. Free.

1.58M+ IOCs, STIX 2.1 / TAXII, 88% novel vs ThreatFox, exploited-CVE leads ahead of CISA. No credit card — a free API key in 30 seconds, and you can audit every claim above against the live endpoints.


Recent Posts

See All
bottom of page