Memory Attacks Might Let Claude Leak Personal Data with

Security researcher Ayush Paul says a Claude proof of concept leaked memory-derived personal data through web links before Anthropic's mitigation.

TL;DR
  • Claude Self-Test: Ayush Paul says his test transmitted his name, employer, and inferred hometown without permission.
  • URL Exfiltration: Attacker-controlled links encoded one character per web request, turning permitted navigation into a covert channel.
  • Link Restriction: Paul says Anthropic blocked links found on external pages while preserving user-entered and search-result URLs.
  • Limited Scope: No evidence establishes that other Claude users were affected or that the technique was exploited in the wild.

Security researcher Ayush Paul reported on July 9 that his test made Claude send his name, employer, and inferred hometown to his server, one character at a time. Each request added another character to the server log. Claude’s final reply gave no indication that it had sent anything away.

Because Paul targeted his own account, the demonstrated scope remains limited to the everyday Claude web assistant at claude.ai, not Claude Code, Anthropic’s coding agent. His test sent his name, employer, and an inferred hometown without permission; no evidence establishes that other users were affected or that the technique was exploited in the wild. 

After completing the test, Paul disclosed the issue through to Anthropic via their HackerOne bug bounty program. He chose memory because it was an easy, default-on source of sensitive information, not because it was the only data the technique might reach. Paul says Anthropic later restricted the demonstrated link-following route.

How Claude Turned Web Links Into a Data Channel

To make the attack work, Claude’s tested memory setup used daily summaries and a conversation-search tool that could retrieve older chats. Its webpage-fetching tool accepted addresses supplied by a user, links returned by web search, and links discovered on a fetched page. Together, conversation retrieval and external-page navigation let malicious content turn stored personal information into outbound URL requests.

When attacker-controlled external content is mistaken for legitimate instructions, security teams call the mechanism indirect prompt injection. Claude’s fetcher reached the malicious site, and the server checked its Claude-User identifier. Human visitors saw an ordinary coffee-shop page, while Claude received a fake verification flow created by the attacker; Cloudflare itself was not compromised.

Paul next designed a branching tree of links. Each path represented a possible next character, and a selected link sent an ordinary HTTP GET request, the request a browser uses to retrieve a web address. By observing which path Claude requested, the server learned one character and offered another set of choices.

After Claude selected each path, repeating the process let it transmit the personal details letter by letter. Claude also derived information Paul had not explicitly entered as a profile field. It inferred Charlotte as his hometown from an old conversation about Queen City Hacks, which he started in high school.

Because Claude could assemble clues spread through previous chats, stored conversation history increased the payload’s sensitivity.

How External-Link Restrictions Block the Attack

To stop that route, Paul says Anthropic prevented Claude’s webpage-fetching tool from following links found on external pages, while user-supplied addresses and web-search results remained available. Blocking external-page links removes the attacker’s character-by-character tree while preserving two intended ways for Claude to reach the web.

Even if one outbound path is blocked, the broader prompt-injection problem remains. Layered defenses can combine content filtering and attack detection with deterministic controls that limit data access, block exfiltration methods, or require consent. A separate 2025 benchmark found no individual defense adequate by itself, supporting controls on both sensitive context and external actions.

Anthropic gave Claude persistent conversational memory in 2025, increasing the accumulated information potentially available during later interactions. A separate Copilot flaw turned a trusted fetch path into an outbound data channel, though it did not corroborate Paul’s Claude test. Both cases demonstrate how read-only browsing can expose information when requested addresses encode data.

Despite those defenses, Anthropic considers prompt injection unresolved as AI systems take more real-world actions. Its separate Claude Opus 4.5 browser-agent evaluation concerns a different model and test setup, so it does not establish whether Paul’s route works under Claude’s current configuration.

Anthropic has recorded a 1% browser-agent attack success rate for Claude Opus 4.5. Paul’s self-test does not establish a wider breach. Resolving the remaining uncertainty requires Anthropic to identify the affected everyday-Claude configuration and specify the rule that blocks external-page links while retaining user-entered and search-result URLs.

Markus Kasanmascheff
Markus Kasanmascheff
Markus has been covering the tech industry for more than 15 years. He is holding a Master´s degree in International Economics and is the founder and managing editor of Winbuzzer.com.
Subscribe
Notify of
guest
0 Comments
Newest
Oldest Most Voted
Inline Feedbacks
View all comments