Prompt InjectionHigh

'Claudy Day' Prompt Injection Chain Exfiltrates Claude.ai Conversation History via Crafted Link

Anthropic (Claude.ai)

What Happened

Oasis Security disclosed an attack chaining three weaknesses in Claude.ai: invisible instructions hidden in a claude.ai/new?q= URL parameter, a code sandbox permitted to reach api.anthropic.com, and an open redirect combined with Google Ads to lure victims. A single click on a poisoned link caused Claude to follow hidden commands and quietly upload the user's data through the Files API to an attacker. No user interaction beyond visiting the link was required.

Impact

Attackers could steal conversation history and memory containing business strategy, financial data, health details, and personal information from a default, out-of-the-box session, with connected integrations widening access to files and messages. Anthropic fixed the prompt injection vector and continued addressing the remaining issues through responsible disclosure.

How to Prevent This

  • Sanitize and neutralize instructions passed via URL query parameters before the model treats them as intent
  • Restrict sandbox network egress with strict allowlists so exfiltration channels cannot reach exfil endpoints
  • Eliminate open redirects on trusted domains that let attackers launder malicious links
  • Treat externally supplied prompt content as untrusted data, isolated from executable instructions
  • Monitor and rate-limit programmatic file/API uploads originating from chat sessions

Don't Let Your Company Be the Next Case Study

Take our 2-minute quiz to identify your AI risks before they become failures.

Assess Your AI Risks Now →

Most teams can't — find out in 2 minutes

Real AI failures analyzed • Free 2-minute assessment