Three high-risk AI vulnerabilities discovered in Claude.ai – end-to-end attack chain exfiltrates sensitive info without user knowing

Mobile phone displaying a Claude login screen.
(Image credit: Anthropic)

  • Oasis researchers uncover “Cloudy Day” attack chain in Claude
  • Exploits include invisible prompt injection, data exfiltration via API, and open redirects
  • Anthropic patched one flaw, fixes for remaining two underway

Security researchers at Oasis recently found three vulnerabilities in Claude which, when chained together, form a complete attack path - from delivering the link to a targeted victim to exfiltrating sensitive data.

The researchers dubbed it Cloudy Day and responsibly disclosed it to Anthropic.

One of the bugs was already patched, with fixes for the other two currently in the works.


Abusing Google

In an in-depth report published on the company’s website, Oasis said that the theoretical attack starts with invisible prompt injection via URL parameters. The researchers discovered that Claude.ai allows users to open a new chat with a pre-filled prompt via a URL parameter (claude.ai/new?q=...). Since users can embed HTML tags into the parameter, these can be used to smuggle invisible prompts that Claude will process when the user hits Enter.

But injecting a malicious prompt is just the first step. Claude’s code execution sandbox does not allow outbound network access, meaning the tool can’t connect to a third-party server. It can, however, connect to api.anthropic.com, and if the attacker embeds an API key in the prompt, they can tell Claude to search through all of the victim’s previous conversations for sensitive information, generate a file, and upload it to the attacker’s Anthropic account using the Files API.

“No integrations or external tools needed, just capabilities that ship out of the box.”

Okay, so we have prompt injection and data exfiltration - but how do we get the victims to click on the link with a pre-filled prompt? A simple phishing email might suffice, but Oasis found an even more dangerous method. The third vulnerability revolves around open redirects on claude.com. Any URL in the format of claude.com/redirect/ redirects visitors without validation, including to arbitrary third-party domains.

At the same time, Google Ads only validates URLs by hostname, which means an attacker could run a seemingly legitimate ad on Google’s network that points at claude.com and rely on the redirect to send victims on to the malicious link.
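As an added illustration of the two server-side checks that would close the injection and delivery steps described above (this is example code, not Oasis’s research code or Anthropic’s fix; the allowlisted hostnames are assumptions), the block below validates a redirect target against an origin allowlist and rejects a pre-filled prompt that contains any HTML markup.

```python
from html.parser import HTMLParser
from typing import Optional
from urllib.parse import urljoin, urlparse

# Assumed allowlist for illustration; a real deployment lists its own origins.
ALLOWED_HOSTS = {"claude.com", "www.claude.com", "claude.ai"}


def safe_redirect_target(raw: str, base: str = "https://claude.com/") -> Optional[str]:
    """Return the redirect target only if it resolves to an https URL on an
    allowlisted host; otherwise None, so the caller falls back to a fixed page."""
    if not raw or "\r" in raw or "\n" in raw:      # header-injection guard
        return None
    resolved = urljoin(base, raw)                  # relative paths stay on our origin;
    parts = urlparse(resolved)                     # "//evil.example" resolves off-origin
    if parts.scheme != "https" or parts.hostname is None:
        return None
    if parts.username or parts.password:           # e.g. https://claude.com@evil.example
        return None
    if parts.hostname not in ALLOWED_HOSTS:        # exact match, so claude.com.evil.example fails
        return None
    return resolved


class _MarkupDetector(HTMLParser):
    """Flags any element, self-closing tag, end tag or comment in the input."""

    def __init__(self) -> None:
        super().__init__()
        self.saw_markup = False

    def handle_starttag(self, tag, attrs):
        self.saw_markup = True                     # includes styled/hidden spans

    def handle_startendtag(self, tag, attrs):
        self.saw_markup = True

    def handle_endtag(self, tag):
        self.saw_markup = True

    def handle_comment(self, data):
        self.saw_markup = True                     # <!-- ... --> is markup too


def prefill_is_plain_text(q: str) -> bool:
    """Accept a pre-filled prompt only if it carries no HTML at all.
    Plain text such as 'a < b' passes; any tag or comment is rejected."""
    det = _MarkupDetector()
    det.feed(q)
    det.close()
    return not det.saw_markup
```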

The prompt injection vulnerability has since been addressed, and Anthropic is currently working on fixes for the other two as well, Oasis confirmed.




Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
