Listen to this Post
Introduction:
The same company lecturing world leaders on AI safety at the G7 has been caught with its own digital infrastructure hanging wide open. Anthropic, the $61 billion AI darling trusted with Pentagon contracts, demonstrated a catastrophic and longitudinal disregard for foundational internet security—exposing a critical subdomain takeover vulnerability in claude.ai that could lead to complete account compromise, alongside a separate remote code execution flaw (CVE-2025-49596) in its MCP Inspector tool. While executives cash in, the real cost of this appalling security posture will be borne by users, partners, and the broader AI ecosystem left vulnerable to inevitable attacks.
Learning Objectives:
- Understand the mechanics of DNS subdomain takeover attacks and their potential for account compromise
- Analyze the CVE-2025-49596 remote code execution vulnerability in Anthropic’s MCP Inspector
- Learn practical detection and mitigation strategies for dangling DNS records and AI supply chain risks
- Master DNS hygiene, OAuth security, and browser-based attack surface reduction techniques
You Should Know:
1. The Dangling DNS That Became a Weapon
To understand how a billion-dollar AI company can leave its authentication system exposed, we must first examine the mechanics of subdomain takeover. When organizations create temporary projects—promotional landing pages, internal tools, or testing environments—they often create subdomains (e.g., excel.claude.ai) and point them via CNAME records to third-party cloud providers like GitHub Pages or AWS S3 buckets. When the project ends and the cloud workspace is deleted, the DNS record frequently remains—creating a “dangling DNS” entry pointing to an address the company no longer controls.
An attacker can simply create a new account on that cloud provider, claim the abandoned name, and automatically take control of the official subdomain. In Anthropic’s case, security researcher Andrew Dorman (ACD421) discovered that the authentication system failed to strictly validate the redirect URI during login. An attacker controlling a dangling subdomain could craft a malicious login link that displayed the legitimate Anthropic login page but, after authentication, sent the authorization token to the attacker’s server. This combination of an OAuth flaw and infrastructure negligence enables complete account takeover with no server hacking required.
Step‑by‑step guide: Detecting Dangling DNS Records
Linux/macOS:
Enumerate all subdomains for a target domain
dig claude.ai ANY | grep "CNAME" | awk '{print $1}'
Use sublist3r for comprehensive subdomain discovery
sublist3r -d claude.ai -o subdomains.txt
Check each subdomain's CNAME resolution
while read sub; do
cname=$(dig $sub CNAME +short)
if [ ! -z "$cname" ]; then
echo "$sub -> $cname"
Verify if the target cloud service is still active
curl -I "https://$sub" 2>/dev/null | head -1 1
fi
done < subdomains.txt
Automated tool: Subdomain Takeover Scanner
subjack -w subdomains.txt -t 100 -timeout 30 -o takeover_results.txt -ssl
Windows (PowerShell):
Resolve DNS records
Resolve-DnsName -1ame claude.ai -Type CNAME
Bulk subdomain checking
Get-Content subdomains.txt | ForEach-Object {
try {
$result = Resolve-DnsName -1ame $_ -Type CNAME -ErrorAction Stop
Write-Host "$_ -> $($result.NameHost)"
Invoke-WebRequest -Uri "https://$_" -TimeoutSec 5 -ErrorAction SilentlyContinue
} catch {
Write-Host "$_ - No CNAME record"
}
}
2. The Zero-Click Chain: Browser Extension Catastrophe
The subdomain vulnerability wasn’t isolated—it was amplified by the Claude Chrome extension’s dangerously permissive trust policy. The extension allowed any site in the `.claude.ai` domain to send prompts directly to Claude for execution. Attackers exploited a DOM-based XSS vulnerability in Anthropic’s CAPTCHA provider (Arkose Labs) hosted on a-cdn.claude.ai. By embedding an invisible `