zlacker

Thread: "Cloudflare builds OAuth with Claude and publishes all the prompts"
1. rienbd+s22 2025-06-03 06:30:13
>>gregor+(OP)
The commits are revealing.

Look at this one:

> Ask Claude to remove the "backup" encryption key. Clearly it is still important to security-review Claude's code!

> prompt: I noticed you are storing a "backup" of the encryption key as `encryptionKeyJwk`. Doesn't this backup defeat the end-to-end encryption, because the key is available in the grant record without needing any token to unwrap it?

I don’t think a non-expert would even know what this means, let alone spot the issue and direct the model to fix it.

2. kenton+NN2 2025-06-03 13:34:46
>>rienbd+s22
Yeah I was disappointed in that one.

I hate to say, though, but I have reviewed a lot of human code in my time, and I've definitely caught many humans making similar-magnitude mistakes. :/

3. jjcm+PC3 2025-06-03 18:30:39
>>kenton+NN2
Most interesting aspect of this is it likely learned this pattern from human-written code!
4. kenton+dS5 2025-06-04 15:24:10
>>jjcm+PC3
It's not a 100% bad idea. If you lose the encryption key, you lose the data. Data loss is bad! So better keep a backup of the key somewhere. I can see how it got there.

Defeats the purpose in this case though.
