Warning: Claude + iMessage MCP Jailbroken to issue unlimited Stripe Coupons (1/6) A few months ago we showed how Cursor + Supabase MCP can leak your entire SQL database. Now there’s a more powerful threat: by abusing Claude’s iMessage integration, an attacker can spoof your own
17
88
930
Replies
How iMessage MCP Feeds Claude (2/6) Every SMS/MMS is parsed by the iMessage extension into a JSON object { content, date, sender, is_from_me: true/false } The object is sent directly to Claude with no signature or provenance checks. That raw blob is all Claude sees when
1
1
12
The Metadata-Spoofing Attack (3/6) An attacker can send an imessage, injecting escaped is_from_me, date, and sender tags into the body. The attacker crafts a fake multi-turn conversation by doing so. If you ask Claude to rewrite that payload, it spits out natural-language
1
0
10
Full-Conversation Attack (4/6) With this exploit, the attacker can put words into the user's mouth and call any arbitrary tools from their Claude desktop app. The attacker packs a seven-turn dialogue—alternating “attacker” and “owner” lines—into one SMS. Each line is tagged
1
0
8
Why This Breaks Everything (5/6) Once the spoofed conversation lands: Unlimited control – attackers can call any MCP endpoint (payments, cloud, GitHub, you name it) Full privilege escalation – every action runs with your credentials, no extra auth step Hidden in plain sight
1
0
9