Claude Vulnerabilities Allow Data Exfiltration and Malicious Redirect Attacks

Security researchers have uncovered a critical attack chain within Anthropic’s Claude.ai platform, dubbed “Claudy Day.” This vulnerability sequence enables attackers to silently extract sensitive user data through sophisticated prompt manipulation and malicious redirects.

Remarkably, the exploit requires no external integrations or specialized tools, operating entirely within a default Claude session. Following responsible disclosure, Anthropic has patched the prompt injection flaw, with fixes for the remaining issues currently being developed.

To fully comprehend the threat, researchers mapped three distinct flaws forming the complete attack pipeline:

  • Invisible Prompt Injection: Malicious HTML tags embedded in pre-filled Claude.ai URL parameters hide commands from the victim. When users interact with the prompt, these commands execute invisibly, allowing attackers to bypass visual safeguards.
  • Data Exfiltration: By embedding an attacker-controlled API key within the hidden prompt, the exploit forces Claude to scan the user’s chat history and upload sensitive data directly to an attacker-controlled Anthropic Files API account.
  • Open Redirect: Unvalidated redirects on the claude.com domain can be abused via Google Ads. Threat actors display legitimate-looking search results by validating URLs against the trusted hostname. Clicking these links silently redirects victims to a specialized injection URL.

The exploit relies on chaining these independent flaws to bypass user trust and security controls. The attack begins by exploiting the open redirect vulnerability on the main Anthropic domain.

Threat actors leverage Google Ads’ URL validation to display seemingly legitimate results. When a victim clicks the link, they are silently redirected to an injection URL without any warning.

This malicious URL utilizes Claude’s pre-fill prompt feature. The hidden HTML instructions force the AI to scan previous conversation logs, summarizing sensitive information like financial plans, medical concerns, or corporate secrets.

The AI writes this data to a file and uploads it to an attacker-controlled account, evading standard outbound network restrictions.

While the initial attack extracts historical chat data, the damage potential significantly increases when users link Claude to external enterprise applications.

If Model Context Protocol (MCP) servers, third-party APIs, or corporate files are integrated with the AI agent, the hidden prompt gains immediate, silent access to these resources.

The AI can surreptitiously read secure files or interact with internal services before the victim becomes aware of an attack, transforming the vulnerability into a precision tool.

Threat actors can further weaponize the exploit by deploying it through targeted advertising features. This allows precise attacks against specific industries or demographics, turning a general flaw into a highly targeted weapon.

Defending Against Agent Exploits

Securing AI environments demands rigorous oversight of how agents interact with corporate data and external services.

Organizations must proactively audit AI integrations, disabling unnecessary MCP servers and restricting API access. This minimizes the potential blast radius if a prompt is compromised.

Security teams should treat AI agents with the same scrutiny as human users or service accounts, implementing strict access controls, intent analysis, and continuous monitoring. A blog from Oasis Security researchers provides detailed guidance on this approach.

Educating employees about the risks of sharing links and interacting with pre-filled AI prompts is also crucial. Most users do not perceive their AI chat window as an attack surface.

As AI tools gain autonomous capabilities, proactive identity and access management becomes essential to prevent silent compromises within modern enterprises.

Related Articles

Back to top button