Researcher Uses Claude Opus to Turn Chrome Vulnerability into Real Exploit for $2,283

Mohan Pedhapati, a security researcher and CTO of Hacktron, recently demonstrated how generative artificial intelligence can aid in exploit development. Pedhapati conducted an experiment to determine if Claude Opus could identify a vulnerability and then develop a working exploit for it.

The target was an older version of Chrome, specifically version 138, embedded within applications like Discord. This version contained known security flaws in its V8 JavaScript engine that could enable code execution, despite being patched in more current Chrome releases. Many applications do not consistently update their embedded browser components, leaving these older vulnerabilities open to exploitation.

The experiment required substantial resources and human guidance. Claude Opus processed over 2.3 billion tokens and accumulated roughly 20 hours of direct human work across a single week. This process incurred approximately $2,283 in API usage costs.

Throughout the exploit development, Claude Opus frequently stalled, lost context, provided incorrect solutions, or fabricated steps. Continuous human intervention, debugging, and adjustments were necessary to guide the AI toward a functional exploit. The model acted as an advanced assistant, not an autonomous agent.

This demonstration highlights AI's evolving role in cybersecurity, potentially lowering the barrier for complex exploit creation. While AI significantly reduces the time and effort required, human expertise remains critical for navigating challenges and ensuring successful execution.

### What Defenders Should Do

Organizations must prioritize patching and updating all software, including embedded components within applications. Regularly audit third-party applications to ensure they utilize the most current and secure versions of integrated frameworks like Chrome's V8 engine. Implement robust exploit detection and prevention systems that can identify unusual code execution attempts, especially those targeting known vulnerabilities in older software versions. Focus on secure software development practices to mitigate zero-day vulnerabilities.

Watch for continued advancements in AI's role in both offensive and defensive cybersecurity strategies, as these tools will increasingly shape the threat landscape.