Vulnerabilities in Claude.ai Allow Data Theft, User Redirection Exploits

Critical Vulnerabilities in Claude.ai Enable Data Theft and User Redirection

Recent security research has uncovered a series of vulnerabilities in Claude.ai, Anthropic’s AI assistant, that could allow attackers to exfiltrate sensitive user data and redirect users to malicious websites without their knowledge. These vulnerabilities, collectively termed Claudy Day, exploit weaknesses in Claude.ai’s URL handling, API interactions, and redirect mechanisms.

Invisible Prompt Injection via URL Parameters

Claude.ai offers a feature that allows users to initiate chat sessions with pre-filled prompts through URL parameters (e.g., `claude.ai/new?q=…`). Researchers discovered that by embedding certain HTML tags within these parameters, attackers could insert hidden instructions into the chat input field. These instructions remain invisible to the user but are processed by Claude upon submission, enabling the execution of arbitrary commands without user awareness.

Data Exfiltration via the Anthropic Files API

The AI assistant’s code execution environment restricts most outbound network connections but permits communication with `api.anthropic.com`. By embedding a malicious API key within the hidden prompt, attackers can instruct Claude to search the user’s conversation history for sensitive information, compile it into a file, and upload it to the attacker’s Anthropic account via the Files API. This process occurs silently, without requiring external tools or third-party integrations.
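The defensive counterpart to the two mechanisms above (hidden HTML in a pre-filled prompt, and a credential smuggled inside it) is to treat the URL parameter as untrusted plain text before it ever reaches the chat box. The example below is added here and is not Anthropic's code or anything the research describes; it assumes a hypothetical `q` query parameter on a `/new` route, as in the article, and the credential pattern it flags (`sk-` followed by a long token) is an assumed format, not one the article states. It reduces the parameter to visible text nodes, drops zero-width and other format/control characters, caps the length, and reports what it removed so the interface can warn instead of silently submitting.

```python
import re
import unicodedata
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit

# Zero-width and joiner code points that render as nothing in a text field.
INVISIBLE_CHARS = {"\u200b", "\u200c", "\u200d", "\u2060", "\ufeff", "\u00ad"}

# Assumed credential-like shape (constructed for this example; the real key
# format is not stated in the article). Used only to flag, never to parse keys.
SECRET_LIKE = re.compile(r"\bsk-[A-Za-z0-9_-]{20,}\b")


class _TextOnly(HTMLParser):
    """Keep text nodes only; every start tag is counted and discarded."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.parts = []
        self.tag_count = 0

    def handle_starttag(self, tag, attrs):
        self.tag_count += 1

    def handle_data(self, data):
        self.parts.append(data)


def sanitize_prefill(raw: str, max_len: int = 4000) -> dict:
    """Reduce a pre-fill parameter to plain, fully visible text and report edits."""
    parser = _TextOnly()
    parser.feed(raw)
    parser.close()  # flush buffered text
    text = "".join(parser.parts)

    kept, removed_invisible = [], 0
    for ch in text:
        hidden = ch in INVISIBLE_CHARS or (
            unicodedata.category(ch) in ("Cc", "Cf") and ch not in "\n\t"
        )
        if hidden:
            removed_invisible += 1
        else:
            kept.append(ch)
    text = re.sub(r"[ \t]+", " ", "".join(kept)).strip()

    truncated = len(text) > max_len
    text = text[:max_len]
    secret_like = bool(SECRET_LIKE.search(text))
    return {
        "text": text,
        "stripped_tags": parser.tag_count,
        "stripped_invisible": removed_invisible,
        "truncated": truncated,
        "secret_like": secret_like,
        # Anything removed or credential-like means: show a warning, do not auto-submit.
        "suspicious": parser.tag_count > 0 or removed_invisible > 0 or secret_like,
    }


def prefill_from_url(url: str) -> dict:
    """Extract the hypothetical `q` parameter from a /new URL and sanitize it."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return sanitize_prefill(query.get("q", [""])[0])
```

The important design choice is that the result is inserted into the input as text, never as HTML, so there is no element left for a style or tag to hide; the `suspicious` flag exists so a client can require the user to see and confirm the prompt rather than submitting it on page load.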

Open Redirect on claude.com

An open redirect vulnerability was identified on Claude’s website, where any URL following the structure `claude.com/redirect/` would redirect users to arbitrary third-party domains without validation. Attackers could exploit this by placing paid advertisements that display a trusted `claude.com` URL. Upon clicking, users are redirected to a malicious URL containing the hidden prompt injection, making the attack appear as a legitimate Claude search result.
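An open redirect of the kind described is closed by validating the target against an allowlist of hosts before issuing the redirect. The validator below is an added example, not claude.com's code; the allowed host set is an assumption chosen for illustration. It handles the usual bypass shapes a reviewer checks for: protocol-relative targets (`//host`), a backslash after the slash, userinfo tricks (`trusted@evil`), non-HTTP schemes, look-alike subdomains, and embedded control characters, and falls back to a local path whenever the target is not clearly allowed.

```python
from urllib.parse import urlsplit

# Assumed allowlist for this example; a real deployment would load its own.
ALLOWED_HOSTS = {"claude.com", "www.claude.com", "claude.ai"}


def safe_redirect_target(target, allowed_hosts=ALLOWED_HOSTS, fallback="/"):
    """Return `target` only if it is a same-site path or an allowlisted absolute URL."""
    if not isinstance(target, str) or not target:
        return fallback
    # Control characters and whitespace have no place in a redirect target.
    if any(c in target for c in "\r\n\t\x00 "):
        return fallback

    parts = urlsplit(target)

    # Scheme-less, host-less: accept only a plain same-site path.
    if parts.scheme == "" and parts.netloc == "":
        if target.startswith("/") and not target.startswith(("//", "/\\")):
            return target
        return fallback

    # Absolute URL: must be http(s), carry no userinfo, and hit an allowed host.
    if parts.scheme not in ("http", "https"):
        return fallback
    if parts.username or parts.password:
        return fallback
    host = parts.hostname  # lowercased, port stripped; None if netloc is empty
    if host is None or host not in allowed_hosts:
        return fallback
    return target
```

Note that the check is an exact host match, not a prefix or substring test, so `claude.com.evil.example` is rejected; the fallback is a relative path so a failed check can never itself become a redirect off-site.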

Potential Impact

In standard Claude.ai sessions, users often discuss highly sensitive topics, including business strategies, financial plans, medical issues, and personal matters. Through the injection payload, attackers could instruct Claude to profile users by summarizing past conversations, extract chats on specific sensitive topics, or autonomously identify and exfiltrate the most sensitive content.

In enterprise environments with Model Context Protocol (MCP) servers, file integrations, or API connections enabled, the attack’s scope expands significantly. Injected instructions could read documents, send messages on behalf of the user, and interact with connected business services—all executed silently before the user can intervene.

Furthermore, by leveraging Google Ads’ targeting capabilities, including Customer Match for specific email addresses, attackers can direct this attack at known, high-value individuals, increasing the potential for significant data breaches.

Mitigation and Recommendations

Anthropic has confirmed that the prompt injection vulnerability has been remediated, with the remaining issues actively being addressed. Organizations relying on Claude.ai or similar AI platforms should audit all agent integrations and disable permissions that are not actively needed, reducing the available attack surface.

Users are advised to exercise caution when interacting with AI assistants and to be vigilant about the URLs they access, especially those received through unsolicited communications. Regularly updating software and applying security patches promptly can also help mitigate the risk of exploitation.