What Happened
Oasis Security disclosed an attack chaining three weaknesses in Claude.ai: invisible instructions hidden in a claude.ai/new?q= URL parameter, a code sandbox permitted to reach api.anthropic.com, and an open redirect combined with Google Ads to lure victims. A single click on a poisoned link caused Claude to follow hidden commands and quietly upload the user's data through the Files API to an attacker. No user interaction beyond visiting the link was required.
Impact
Attackers could steal conversation history and memory containing business strategy, financial data, health details, and personal information from a default, out-of-the-box session, with connected integrations widening access to files and messages. Anthropic fixed the prompt injection vector and continued addressing the remaining issues through responsible disclosure.
How to Prevent This
- Sanitize and neutralize instructions passed via URL query parameters before the model treats them as intent
- Restrict sandbox network egress with strict allowlists so exfiltration channels cannot reach exfil endpoints
- Eliminate open redirects on trusted domains that let attackers launder malicious links
- Treat externally supplied prompt content as untrusted data, isolated from executable instructions
- Monitor and rate-limit programmatic file/API uploads originating from chat sessions