- Oasis researchers uncover “Cloudy Day” attack chain in Claude
- Exploitation includes invisible prompt injection, data exfiltration via API, and open redirects
- Anthropic patched one bug, and fixes the remaining two in progress
Security researchers Oasis recently found three vulnerabilities in Claude that, when used together, form a complete attack chain – from targeted victim delivery to exfiltration of sensitive data.
The researchers dubbed it Cloudy Day and disclosed it responsibly to Anthropic.
One of the bugs was already fixed, with fixes for the other two on the way.
The article continues below
Abusing Google
In an in-depth report published on the company’s website, Oasis said the theoretical attack starts with an invisible prompt injection via URL parameters. The researchers discovered that Claude.ai allows users to open a new chat with a pre-populated prompt via a URL parameter (claude.ai/new?q=…). Since users can embed HTML tags in the parameter, these can be used to smuggle in invisible prompts that Claude will process when the user presses Enter.
But injecting a malicious prompt is only the first step. Claude’s code execution sandbox does not allow outbound network access, which means the tool cannot connect to a third-party server. However, it can connect to api.anthropic.com, and if the attacker embeds an API key in the prompt, they can ask Claude to search through all the victim’s previous conversations for sensitive information, generate a file, and upload it to the attacker’s Anthropic account using the Files API.
“No integrations or external tools are required, just features delivered out of the box.”
Okay, so we have quick injection and data exfiltration – but how do we get the victims to click on the link with a pre-populated prompt? A simple phishing email might suffice, but Oasis found an even more dangerous method. The third vulnerability concerns open redirects on claude.com. Any URL in the format claude.com/redirect/ redirects visitors without validation, including to arbitrary third-party domains.
At the same time, Google Ads only validates URLs by hostname, which means an attacker could create a seemingly legitimate ad on Google’s network and use it to rob people.
The rapid injection vulnerability has since been fixed, and Anthropic is currently working on fixes for the other two as well, Oasis confirmed.
The best antivirus for all budgets
Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews and opinions in your feeds. Be sure to click the Follow button!
And of course you can too follow TechRadar on TikTok for news, reviews, video unboxings, and get regular updates from us on WhatsApp also.
