Cowork silently executes browser automation on unattended remote machine via shared account
Summary
A Claude Cowork session initiated from a work PC silently executed browser automation on an unattended home PC — a completely separate machine on a different network. The only shared element between the two machines is the Claude account credentials. The user had no indication on the home machine that it was being remotely controlled. Files were downloaded, a browser was opened, and screenshots were captured on the home PC and streamed back to the Cowork UI on the work PC in real time.
What Happened
- User initiated a Claude Cowork session on their work PC to log into Base44 and recover a project.
- Cowork opened a browser, logged into Base44, navigated the app, took screenshots, and exported data (8 CSV/JSON files).
- The user and Claude Code on the work PC could not find the exported files on the work machine.
- The files were later discovered in
C:\Users\...\Downloads\on the home PC — a machine the user was not sitting at and had not authorized for this session. - The Cowork session's browser window was visibly open on the home PC's display. Screenshots taken from the home machine's browser were streamed back and displayed in real time on the work PC's Cowork UI.
The two machines are not connected — no remote desktop, no shared drives, no VPN, no OneDrive sync. The only shared credentials are the GitHub account and the Claude account.
Root Cause: cowork-svc.exe Background Service
cowork-svc.exe is installed by Claude Desktop as a Windows Service:
| Field | Value |
|-------|-------|
| Service Name | CoworkVMService (Display: "Claude") |
| Run As | LocalSystem (highest Windows privilege level) |
| Start Mode | Auto (starts on boot without user interaction) |
The service maintains persistent outbound TLS connections to Anthropic infrastructure (port 443). When the Cowork session was initiated on the work PC, Anthropic's cloud routed the browser automation commands to the home PC through this service — with no prompt, notification, or consent on the home machine.
Security Concerns
- Silent remote execution on unattended machine — No notification, prompt, or consent on the target machine. The user only discovered this by finding unexpected files.
- LocalSystem privilege level — The service has unrestricted access to the entire machine. This is far more access than browser automation requires.
- Auto-start with no user visibility — The service starts on boot with no tray icon or indicator. Users don't know their machine is available for remote Cowork sessions.
- No machine selection or confirmation — No prompt asking which machine should execute. The system silently selected the wrong machine.
- Account compromise implications — If a Claude account were compromised, an attacker could open browsers, take screenshots, download files, and interact with authenticated web services on any machine running this service — without the owner's knowledge.
- No audit trail on target machine — No local log visible to the user showing their machine was used by a remote session.
Requested Changes
- Document this behavior publicly. Users should know that Claude Desktop enables remote browser automation across all machines on the same account.
- Require explicit opt-in per machine. Default to disabled for remote Cowork sessions.
- Add machine selection UI. When Cowork needs a browser, show available machines and let the user choose.
- Show notification on target machine. Display a visible, persistent notification with option to deny.
- Reduce service privileges. Don't run as LocalSystem. Use a low-privilege service account.
- Provide local audit logging of all remote Cowork activity on the target machine.
Environment
- Home PC OS: Windows 10 Home 10.0.19045
- Claude Desktop: 1.1.8308.0 (Windows Store)
- Subscription: Max (5x tier)
- Machines: Two separate PCs, different networks, no remote access tools between them
This issue has 2 comments on GitHub. Read the full discussion on GitHub ↗