AI News AI资讯 2d ago Updated 2d ago 更新于 2天前 49

China warns of 'security backdoor' in Anthropic AI coding tool 中国警告Anthropic AI编程工具存在“安全后门”

China's National Vulnerability Database (NVDB) identified a security backdoor in Anthropic's Claude Code that transmits sensitive user data, such as location and identity identifiers, to Anthropic servers without explicit consent. Anthropic engineer Thariq Shihipar clarified the feature was an experimental measure launched in March to prevent account abuse and model distillation, promising a full rollback in the next release. In response to these security concerns, major Chinese tech firms like 中国工信部下属国家漏洞库(NVDB)警告Anthropic的编程工具Claude Code存在“安全后门”,可能未经同意向服务器传输用户位置和身份标识等敏感信息。 Anthropic工程师回应称该功能为3月启动的实验性措施,旨在防止账户滥用和模型蒸馏,并承诺在次日更新中完全回滚。 受此影响,阿里巴巴已通知员工自7月10日起禁止使用Claude Code,此前Anthropic曾指控阿里通过逆向工程模仿其模型能力。

75
Hot 热度
65
Quality 质量
70
Impact 影响力

Analysis 深度分析

TL;DR

  • China's National Vulnerability Database (NVDB) identified a security backdoor in Anthropic's Claude Code that transmits sensitive user data, such as location and identity identifiers, to Anthropic servers without explicit consent.
  • Anthropic engineer Thariq Shihipar clarified the feature was an experimental measure launched in March to prevent account abuse and model distillation, promising a full rollback in the next release.
  • In response to these security concerns, major Chinese tech firms like Alibaba have banned the use of Claude Code, highlighting growing friction between US AI developers and Chinese regulators regarding data sovereignty.

Why It Matters

This incident underscores the increasing tension between global AI providers and national cybersecurity regulations, particularly concerning data privacy and cross-border data flows. For AI practitioners, it highlights the critical importance of transparency in telemetry and data collection practices, as opaque mechanisms can lead to severe regulatory backlash and loss of trust in enterprise environments.

Technical Details

  • Vulnerability Mechanism: The identified backdoor involved unauthorized data transmission capabilities within Claude Code, specifically targeting the exfiltration of user location and identity-related identifiers to Anthropic’s infrastructure.
  • Stated Purpose: According to Anthropic, the feature was an experimental anti-abuse mechanism designed to detect unauthorized reselling and prevent "distillation" (reverse-engineering of AI models).
  • Remediation Strategy: Anthropic acknowledged the issue and committed to removing the backdoor code entirely in an upcoming software update, replacing it with "stronger mitigations" for abuse prevention.
  • Regulatory Response: The NVDB classified the risk as severe, advising immediate uninstallation or upgrading to secure versions, and recommended enhanced network traffic monitoring to detect unauthorized data leaks.

Industry Insight

  • Data Sovereignty Compliance: AI companies operating globally must ensure their telemetry and data collection practices strictly comply with local regulations (such as China’s data laws) to avoid being flagged as security threats.
  • Transparency as Trust: Proactive disclosure of data usage mechanisms is essential; features intended for security can be perceived as malicious if not clearly communicated, leading to bans and reputational damage.
  • Enterprise Adoption Risks: Large organizations are likely to implement stricter bans on foreign AI tools lacking clear data governance, pushing enterprises toward locally hosted or audited AI solutions.

TL;DR

  • 中国工信部下属国家漏洞库(NVDB)警告Anthropic的编程工具Claude Code存在“安全后门”,可能未经同意向服务器传输用户位置和身份标识等敏感信息。
  • Anthropic工程师回应称该功能为3月启动的实验性措施,旨在防止账户滥用和模型蒸馏,并承诺在次日更新中完全回滚。
  • 受此影响,阿里巴巴已通知员工自7月10日起禁止使用Claude Code,此前Anthropic曾指控阿里通过逆向工程模仿其模型能力。

为什么值得看

本文揭示了中美AI竞争背景下,跨境AI工具面临的地缘政治与数据安全审查风险,反映了监管机构对数据跨境流动的严格管控趋势。对于依赖海外AI工具的国内企业和开发者而言,这是一次重要的合规警示,强调了本地化部署和数据主权的重要性。

技术解析

  • 漏洞机制:Claude Code被指包含未授权的数据传输代码,可将用户的地理位置及身份相关标识符发送至Anthropic服务器,构成隐私泄露风险。
  • 官方回应与修复:Anthropic工程师Thariq Shihipar在X平台澄清,该功能是用于反滥用和防模型蒸馏的实验性监控,并非恶意后门,并表示已通过更强缓解措施并在后续版本中移除该代码。
  • 监管措施:NVDB建议用户立即进行全面检查,卸载或升级至无后门的安全版本,并加强网络流量监控以防止敏感数据未经授权泄露。

行业启示

  • 合规风险加剧:跨国AI服务需高度关注目标市场的网络安全法规,数据本地化和透明度成为进入特定市场的关键门槛。
  • 供应链信任危机:大型科技企业(如阿里)开始对第三方AI工具实施内部禁令,表明企业对外部AI服务的信任建立在严格的内部安全审计之上。
  • 反制措施常态化:AI厂商的反滥用机制(如追踪实验)可能与用户隐私保护产生冲突,需在功能设计与合规边界之间寻找更精细的平衡点。

Disclaimer: The above content is generated by AI and is for reference only. 免责声明:以上内容由 AI 生成,仅供参考。

Claude Claude Security 安全 Regulation 监管 Code Generation 代码生成