alt.hn

4/18/2026 at 7:55:20 AM

Claude Opus wrote a Chrome exploit for $2,283

 https://www.theregister.com/2026/04/17/claude_opus_wrote_chrome_exploit/

by Mohansrk

4/18/2026 at 9:57:03 AM

> "A week of back and forth, 2.3 billion tokens, $2,283 in API costs, and about ~20 hours of me unsticking it from dead ends. It popped calc."

Corrent me if I'm wrong, I'm not a security researcher, but 20 hours, a week of work, 2283$ spent and over 2 trillion tokens, is not very 10x-ing as we were promised. Especially if you take into account that the guy is at least half capable for this take.

I dunno

by localhoster

4/20/2026 at 5:55:57 AM

people who can do this is supply constrained, now you can throw tokens at the problem and with nudging towards the goal you can get working exploit much faster, its probably not 10x but way faster than before

by Mohansrk

4/18/2026 at 12:50:01 PM

Chrome exploits (obviously that can be used to compromise people) go for $1,000,000 on the black market so anything cheaper than that to generate is impressive.

by 0xy

4/18/2026 at 6:12:02 PM

This was using an exploit already fixed in a recent version and publicly known. It's worthless on the black market or as a bug bounty.

by BearOso

4/20/2026 at 5:56:44 AM

it is not worthless unfortunately! the point of whole blog is about patch gaps in chromium ecosystem.

by Mohansrk

4/18/2026 at 7:07:39 PM

A security researcher instructed an LLM to write an exploit for a know bug fixed in an already published release

Not really impressive

by jdndnejdn

4/18/2026 at 2:20:59 PM

This has been what I’ve been screaming from the rooftops for a while, that these models can already do this.

Go read the devs actual blog though. This is more a statement on patch lag than anything else. In my mind that’s much more important than “zomg zero days!!!”

by ofjcihen

4/18/2026 at 9:27:04 AM

I know most people here hate that, but I think this makes a much stronger case for security by obscurity (not releasing the source code) in these changing times.

Of course security by obscurity by itself is by no mean sufficient.

by pingou

4/18/2026 at 1:22:50 PM

How?

In the 90's most software was closed source but cracks/trainer were always available.

Even for Rayman that had multiple (26?) cd-check during the game.

Security is mainly slowing the attacker because there's a maximum amount of stuff a human can do in 24hours. But now if you can simulate thousands of human attacking a system in different ways, it will crack.

Just like many stores have lock on their doors and, insurance if someone breaks the lock.

I'm guessing data security insurance will become a huge market in the years to come.

by whynotmaybe

4/18/2026 at 2:03:42 PM

Aren't we in agreement then? Taking your lock analogy again, people don't put locks on their bikes because they protect them completely, but because they slow down someone who wants to steal them. Given enough resources everything will be cracked, it doesn't mean that making it harder is useless. People cracking games in the 90's may not have had the source code but they had the machine code and knew what to look for and where.

by pingou

4/18/2026 at 1:22:21 PM

I think part of the concern is that it turns into truly unmaintainable arms that might evolve in some unpredictable ways with potential branches like:

- a lot of open source goes closed source to increase security - open source is effectively forced to use LLM to keep up

I am not really arguing against it, because I understand the arguments on both ends and I am not sure what a good solution here is.

by iugtmkbdfil834

4/18/2026 at 10:12:36 AM

This is assuming that project owners and good actors won't also be using LLM tools to protect open code.

Open does not mean vulnerable, open simply means it's a more obvious cat-and-mouse game.

by RadiozRadioz

4/18/2026 at 2:07:28 PM

I absolutely assume that project owners will use LLM tools to protect themselves, but it seems like it whoever spends more will find more security issues. And potentially a malicious actor could decide to spend more tokens on one specific part of the program, while the owner has to protect everything. I think with open source the idea is that there are more eyes looking at the potential problems, and more of those eyes are benevolent, but LLM change that as it's not about the number of people but whoever is ready to spend the most resources.

by pingou