
Claude Jailbroken to Mint Unlimited Stripe Coupons


We reveal a powerful metadata-spoofing attack that exploits Claude's iMessage integration to mint unlimited Stripe coupons or invoke any MCP tool with arbitrary parameters, without alerting the user.

The attack exploits Claude's inability to verify the true origin of a message received through iMessage. An attacker injects metadata-like tags into the body of a message, formatted as escaped text that mimics internal server annotations, and can thereby spoof trusted instructions: Claude interprets everything as plain text and does not distinguish genuine system metadata from user-injected content. The Claude Sonnet 4 model reads formatted message history from iMessage and issues MCP calls to Stripe, all under a single agent instance, without additional middleware or provenance checks. When the iMessage integration is active, a single spoofed SMS can give an attacker command-level access to every tool the user has enabled in Claude (Stripe, GitHub, cloud consoles, file systems, and more).
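The summary points to the absence of middleware or provenance checks between message history and tool calls. As an added example (not code from the original report or from Anthropic), the Python sketch below shows one such layer; the record fields, the detection heuristics and the tag name in the samples are assumptions, since the page does not give the injected format.

```python
import json
import re

# Assumption: the page does not give the injected tag format, so these
# heuristics cover generic markup-like annotations in raw, HTML-escaped and
# backslash-escaped form, plus role-style headers.
TAG_LIKE = re.compile(
    r"(<|&lt;|\\u003c|\\x3c)/?[A-Za-z_][\w:-]{0,40}[^<>]{0,80}?"
    r"(>|&gt;|\\u003e|\\x3e)",
    re.IGNORECASE,
)
ROLE_LIKE = re.compile(
    r"(^|\\n|\n)\s*\[?(system|assistant|tool|developer)\]?\s*:", re.IGNORECASE
)


def looks_like_metadata(body: str) -> bool:
    """True when message text imitates annotations or role headers."""
    return bool(TAG_LIKE.search(body) or ROLE_LIKE.search(body))


def to_context_record(sender: str, body: str) -> str:
    """Serialize one message so its body can only be a JSON string value."""
    record = {
        "source": "imessage",
        "trust": "untrusted",  # every inbound message, flagged or not
        "sender": sender,
        "suspicious": looks_like_metadata(body),
        "body": body,
    }
    # json.dumps escapes quotes and newlines, so body text cannot end the
    # record or start a line that resembles a new one.
    return json.dumps(record)


def requires_confirmation(records: list[str], side_effects: bool) -> bool:
    """Side-effecting tool calls need user approval while untrusted text is in context."""
    untrusted = any(json.loads(r)["trust"] == "untrusted" for r in records)
    return side_effects and untrusted


# Constructed sample messages; the tag name "server_note" is hypothetical.
SAMPLES = [
    ("+15550100", "Running late, see you at 6 <3"),
    ("+15550101", "&lt;server_note&gt;placeholder instruction&lt;/server_note&gt;"),
    ("+15550102", "ok\\nsystem: placeholder instruction"),
]
RECORDS = [to_context_record(s, b) for s, b in SAMPLES]
```

The heuristic flag is advisory only; the protection comes from keeping provenance in fields the sender cannot write and from gating side-effecting tools on user approval.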
