Claude flaws could have exposed chat data and redirected users to malicious links
Three linked flaws in Claude.ai could have let attackers steal sensitive chat data and send users to malicious websites through what looked like trusted Claude links, according to new research from Oasis Security. The attack chain, called “Claudy Day,” combined an invisible prompt injection issue, data exfiltration through Anthropic’s Files API path, and an open redirect on claude.com. Oasis says the prompt injection issue has been fixed, while the remaining issues were still being addressed at the time of publication.
The important point for users is that the researchers say the attack could work even in a default Claude session, without tools, integrations, or MCP servers enabled. In that setup, the main exposure involved conversation history and memory. In enterprise setups with extra integrations, the possible impact grew much larger because an injected prompt could try to reach connected files, services, and internal tools.
Oasis said it reported the findings to Anthropic through the company’s Responsible Disclosure Program before going public. Anthropic maintains a public responsible disclosure policy for researchers who identify security issues in its systems and services.
What researchers found
Oasis described three separate weaknesses that could be chained into one attack path. The first involved Claude’s pre-filled prompt URLs, where a link such as claude.ai/new?q=... could carry hidden instructions. Researchers said certain HTML tags could be embedded so the victim would not see the injected text in the input box, but Claude would still process it after submission.
The second issue involved data exfiltration through allowed connections to Anthropic infrastructure. Oasis said Claude’s code execution sandbox blocks most outbound network traffic, but permits connections to api.anthropic.com. In its proof of concept, the firm said an attacker-controlled API key inside the hidden prompt could instruct Claude to collect sensitive content from chat history, write it to a file, and upload it to the attacker’s Anthropic account through the Files API.
The third weakness was an open redirect on claude.com. Oasis said URLs in the form claude.com/redirect/<target> could send users to arbitrary third-party destinations without validation. According to the researchers, that behavior could let attackers place ads or links that appeared to point to Claude, then silently bounce the visitor to a malicious prompt-injection URL.
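As an added illustration (not code from Oasis Security or Anthropic), the following Python link-triage function applies the two URL-level checks implied above: it flags a pre-filled claude.ai/new?q= prompt that carries HTML markup, and a claude.com/redirect/ link whose target leaves the Claude hosts, following a redirect back onto a Claude host so that a chained injection URL is caught as well. The host list, the assumption that the redirect target is a (possibly percent-encoded) absolute URL in the path, and the sample hosts are constructed for this example.

```python
from html.parser import HTMLParser
from urllib.parse import parse_qs, unquote, urlparse

# Hosts treated as genuine Claude front ends (assumption for this example).
CLAUDE_HOSTS = {"claude.ai", "www.claude.ai", "claude.com", "www.claude.com"}
REDIRECT_PREFIX = "/redirect/"


class _TagCollector(HTMLParser):
    """Records every start tag found in a prompt string."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def analyze_link(url: str, depth: int = 0) -> list:
    """Return triage findings for a shared Claude link (empty list = nothing seen).

    Flags (1) a pre-filled /new?q=... prompt that carries HTML markup, the way the
    injected text was kept out of the visible input box, and (2) a
    claude.com/redirect/<target> whose target leaves the Claude hosts. A redirect
    back onto a Claude host is analysed again, since the chain used the redirect
    to land on an injection URL.
    """
    findings = []
    parts = urlparse(url)
    host = (parts.hostname or "").lower()
    if host not in CLAUDE_HOSTS:
        if "claude" in host:  # claude.ai.<other-domain> and similar lookalikes
            findings.append(f"lookalike host: {host}")
        return findings
    for prompt in parse_qs(parts.query).get("q", []):
        collector = _TagCollector()
        collector.feed(prompt)
        collector.close()
        if collector.tags:
            findings.append(f"html in prefilled prompt: {sorted(set(collector.tags))}")
    if parts.path.startswith(REDIRECT_PREFIX) and depth < 3:
        # Target is assumed to be a (possibly percent-encoded) absolute URL.
        target = unquote(parts.path[len(REDIRECT_PREFIX):])
        if parts.query:  # an unencoded target keeps its own query string here
            target += "?" + parts.query
        target_host = (urlparse(target).hostname or "").lower()
        if target_host not in CLAUDE_HOSTS:
            findings.append(f"redirect to external host: {target_host or '?'}")
        else:
            findings.extend(analyze_link(target, depth + 1))
    return findings
```

A mail or link-scanning gateway can run this over every Claude URL it sees and quarantine anything that returns a non-empty list; the same host allowlist is what a redirect endpoint should enforce server-side.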
Why this matters
The attack chain stands out because it did not require a browser extension, a malicious plugin, or a connected MCP server to get started. Oasis said a normal Claude session may already contain valuable material such as business plans, financial discussions, health-related chats, and other private information stored in past conversations or memory.
Anthropic has also publicly said prompt injection remains an important safety and security problem for AI systems. In its Transparency Hub, the company describes prompt injection as an attack where malicious instructions try to override intended behavior through documents, websites, or other content. Anthropic also says it evaluates Claude’s resilience against these attacks across several agentic scenarios.
That context makes this disclosure notable beyond one product bug. It shows how a trusted AI interface can become a delivery path for hidden instructions, especially when the system can access stored context, execute code, or interact with connected services. This is the same broader risk security teams have started to track across agentic AI tools.
Claudy Day attack chain at a glance
| Stage | What the researchers said happened | Potential impact |
|---|---|---|
| Hidden prompt injection | Invisible instructions embedded in a pre-filled Claude URL | Claude processes attacker instructions the user cannot see |
| Files API exfiltration | Claude compiles sensitive data and uploads it through Anthropic’s API path | Private chat data may leave the account |
| Open redirect | Trusted-looking Claude URL forwards user to a malicious destination | Higher chance of successful delivery |
Source: Oasis Security research.
What could be exposed
According to Oasis, the most immediate risk in a plain Claude session involved conversation history and memory. The researchers said an attacker could try to make Claude summarize a user’s past chats, search for specific sensitive topics, or decide on its own what information looked most valuable.
In environments where Claude has access to MCP servers, internal documents, messaging tools, or APIs, the possible damage becomes much broader. Oasis said the same style of hidden instruction could attempt to read files, send messages, or interact with connected business services before the user notices what happened.
What organizations should do
Security teams that use Claude or similar AI tools should review which integrations are enabled and cut back permissions that are not actively needed. Oasis recommends inventorying AI agents, auditing their access, and treating agent identities with the same discipline applied to human users and service accounts.
Users should also treat shared Claude links and pre-filled prompts with more caution. The researchers said many people do not think of AI chat links as an attack surface, which makes hidden prompt injection easier to exploit through social engineering.
Recommended response steps
- Review whether Claude has access to sensitive internal data, memory, or connected tools.
- Disable integrations and permissions that are not essential.
- Warn users that shared prompts and Claude links may contain hidden instructions.
- Apply the same access controls, audit trails, and policy checks to AI agents that you apply to privileged user accounts.
FAQ
What is Claudy Day?
Claudy Day is the name Oasis Security gave to a three-part Claude.ai attack chain involving hidden prompt injection, data exfiltration, and open redirect behavior.
Does the attack require integrations or MCP servers to be enabled?
Oasis said no. The researchers reported that the attack could work against a default Claude session, though the impact could become much worse when extra integrations are enabled.
Has Anthropic fixed the issues?
Oasis said Anthropic fixed the prompt injection issue and was still addressing the remaining issues at the time of the research publication. Anthropic also maintains a public Responsible Disclosure Policy for handling reported vulnerabilities.
What data could be exposed?
The researchers said chat history and memory in a normal Claude session could be targeted. In integrated environments, files, messages, and connected services could also increase exposure.
Why does the open redirect matter?
Because it can make a malicious destination look like a trusted Claude link first. That can improve click-through and make a social engineering attack more convincing.