- Oasis researchers discover Claude’s “Cloudy Day” attack chain
- Exploits include invisible prompt injection, data exfiltration via API, and open redirects
- Anthropic fixed one vulnerability and fixes the other two in progress
Oasis security researchers recently discovered three vulnerabilities in Claude that, when used together, form a complete attack chain – from targeted delivery to victims to exfiltration of sensitive data.
The researchers dubbed it Cloudy Day and responsibly disclosed it to Anthropic.
One of the bugs has already been fixed, and fixes are currently in progress for the other two.
Article continues below
Abusing Google
In a detailed report posted on the company’s website, Oasis said the theoretical attack begins with a quick, invisible injection via URL parameters. Researchers discovered that Claude.ai allows users to open a new chat with a pre-populated prompt via a URL parameter (claude.ai/new?q=…). Since users can embed HTML tags in the setting, these can be used to convey invisible prompts that Claude will process when the user presses Enter.
But injecting a malicious prompt is only the first step. Claude’s code execution sandbox does not allow outgoing network access, which means the tool cannot connect to a third-party server. It can, however, connect to api.anthropic.com, and if the attacker embeds an API key in the prompt, they can instruct Claude to search all of the victim’s previous conversations for sensitive information, generate a file, and upload it to the attacker’s Anthropic account using the Files API.
“No integrations or external tools are needed, just out-of-the-box functionality. »
Okay, so we have rapid data injection and exfiltration – but how do we get victims to click the link with a pre-populated prompt? A simple phishing email might be enough, but Oasis has found an even more dangerous method. The third vulnerability concerns open redirects on claude.com. Any URL in the format claude.com/redirect/ redirects visitors without validation, including to arbitrary third-party domains.
At the same time, Google Ads only validates URLs by hostname, meaning an attacker could create a seemingly legitimate ad on Google’s network and use it to steal from people.
The rapid injection vulnerability has since been fixed and Anthropic is also currently working on fixes for the other two, Oasis confirmed.
The best antivirus for every budget
Follow TechRadar on Google News And add us as your favorite source to get our news, reviews and expert opinions in your feeds. Make sure to click the Follow button!
And of course you can too follow TechRadar on TikTok for news, reviews, unboxings in video form and receive regular updates from us on WhatsApp Also.
