Protecting OAuth Tokens from Stealthy Manipulated Client Protocol Attacks

Post Views: 99

OAuth Token Hijacking Threatens Developers’ Security

Mitiga Labs has discovered a critical vulnerability in Claude Code, an agentic system designed for developers, which enables attackers to steal OAuth tokens with ease.

The vulnerable system stores OAuth tokens in plain text within the user’s local configuration file (~/.claude.json).
An attacker who gains access to this file can redirect the tokens to their own infrastructure, bypassing multi-factor authentication (MFA) and gaining unauthorized access to sensitive resources.

According to Mitiga Labs, “an attacker needs only to install a tailored npm package on a machine where Claude Code is configured with dynamic authorization. The package includes a post-installation hook that modifies the local configuration file, inserting a malicious proxy server that redirects traffic intended for the legitimate MCP server to the attacker’s infrastructure.”

Once the attacker has established control over the traffic flow, they can use the OAuth token to access any tool or service connected to Claude Code, including those with high-security clearances.

The victim remains unaware of the attack, as the modifications made to their local configuration file are done quietly and without raising any red flags.

Mitiga Labs reported its discovery to Claude Code developer Anthropic, but the company deemed the issue “out of scope,” citing that the user had already consented to the potential risks.

However, experts warn that this approach is inadequate, as users may not be aware of the risks associated with OAuth token hijacking.

To mitigate this risk, Mitiga recommends that users monitor their Claude Code configuration changes, MCP server URL changes, OAuth refresh behavior, suspicious SaaS API activity, and unexpected traffic through MCP integrations.

This proactive approach can help identify potential attacks before they escalate into full-blown security breaches.

As the world becomes increasingly dependent on agentic systems like Claude Code, it is essential to prioritize security and vigilance.

By staying informed about emerging threats and vulnerabilities, developers and organizations can stay one step ahead of potential attackers and ensure the integrity of their sensitive assets.