Security researchers recently uncovered a critical attack chain within Anthropic’s Claude.ai platform.
Dubbed “Claudy Day,” this vulnerability sequence allows attackers to silently extract sensitive user data through prompt manipulation and malicious redirects.
The exploit requires no external integrations or specialized tools, functioning entirely within a default Claude session.
Anthropic has patched the prompt injection flaw following responsible disclosure, with fixes for the remaining issues currently underway.
To understand the mechanics of the threat, researchers mapped out three distinct flaws that form the complete attack pipeline:
- Invisible Prompt Injection: Malicious HTML tags embedded in pre-filled Claude.ai URL parameters hide commands from the victim, allowing attackers to execute invisible instructions when the user interacts with the prompt.
- Data Exfiltration: By embedding an attacker-controlled API key within the hidden prompt, the exploit forces Claude to search the user’s chat history and upload sensitive data directly to the attacker’s Anthropic Files API account.
- Open Redirect: Unvalidated redirects on the main claude.com domain can be abused via Google Ads to trick users into clicking malicious links that appear to be trusted, legitimate search results.
The exploit relies on chaining these three independent issues to bypass user trust and security controls.
An attacker begins by exploiting the open redirect vulnerability on the main Anthropic domain.
By leveraging Google Ads, which validates URLs based on the trusted hostname, threat actors can display seemingly legitimate search results.
When a victim clicks the link, they are silently redirected to a specialized injection URL without any warning.
This malicious URL utilizes Claude’s feature for pre-filling chat prompts. The hidden HTML instructions force the AI to scan previous conversation logs, summarizing sensitive information like financial plans, medical concerns, or corporate secrets.
The AI then writes this data to a file and uploads it to an attacker-controlled account, bypassing standard outbound network restrictions.
While the out-of-the-box attack extracts historical chat data, the potential damage multiplies when users connect Claude to external enterprise applications.
If Model Context Protocol (MCP) servers, third-party APIs, or corporate files are linked to the AI agent, the hidden prompt gains immediate access to those resources.
The AI can silently read secure files or interact with internal services before the victim realizes an attack is underway.
Threat actors can further use targeted advertising features to deploy this exploit against specific industries or demographics, turning a general flaw into a precision weapon.
Defending Against Agent Exploits
Securing AI environments requires strict oversight of how agents interact with corporate data and external services.
Organizations must actively audit their AI integrations, disabling unnecessary MCP servers and restricting API access to limit the potential blast radius of a compromised prompt.
Oasis Security researchers advise that security teams treat AI agents with the same scrutiny as human users or service accounts, implementing strict access controls, intent analysis, and continuous monitoring.
Educating employees about the dangers of shared links and pre-filled AI prompts also serves as a crucial line of defense.
Most users do not view their AI chat window as an attack surface. As AI tools gain more autonomous capabilities, proactive identity and access management becomes essential to prevent silent compromises in the modern enterprise.
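As an added defensive example (not code from the article, Anthropic, or Oasis Security), the Python below shows two checks a link-scanning proxy or web backend could run against the flaws described above: it splits a pre-filled prompt link into the text a user would actually see and any text hidden by HTML markup, and it validates redirect targets against a host allow-list rather than trusting whatever the query string names. The parameter name `q` and the allow-listed hosts are assumptions; the sample URL is constructed.

```python
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit

# Assumption: the query parameter that pre-fills a chat prompt is called "q";
# the article does not name the real Claude.ai parameter.
PREFILL_PARAM = "q"
# Inline style declarations that make an element invisible to the user.
HIDING_DECLS = {"display:none", "visibility:hidden", "opacity:0", "font-size:0", "font-size:0px"}


class _PromptMarkupInspector(HTMLParser):
    """Split a prompt into the text a user would see and text hidden by markup."""

    def __init__(self):
        super().__init__()
        self.tags, self.visible, self.hidden = [], [], []
        self._stack = []  # one bool per open element: does it hide its content?

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        decls = {d.replace(" ", "").lower() for d in (attrs.get("style") or "").split(";")}
        self.tags.append(tag)
        self._stack.append("hidden" in attrs or bool(decls & HIDING_DECLS))

    def handle_endtag(self, tag):
        if self._stack:
            self._stack.pop()

    def handle_data(self, data):
        (self.hidden if any(self._stack) else self.visible).append(data)


def inspect_prefilled_prompt(url: str) -> dict:
    """Flag pre-filled prompt links carrying markup; a prompt has no business containing tags."""
    raw = parse_qs(urlsplit(url).query).get(PREFILL_PARAM, [""])[0]
    p = _PromptMarkupInspector()
    p.feed(raw)
    p.close()
    return {"visible_text": "".join(p.visible).strip(), "hidden_text": "".join(p.hidden).strip(),
            "tags": p.tags, "suspicious": bool(p.tags)}


def is_safe_redirect(target: str, allowed_hosts=("claude.com", "claude.ai")) -> bool:
    """Accept only same-site relative paths or https URLs whose host is allow-listed."""
    if "\\" in target or any(ord(c) < 0x20 for c in target):  # browsers normalise these oddly
        return False
    parts = urlsplit(target)
    if not parts.scheme and not parts.netloc:
        return target.startswith("/") and not target.startswith("//")  # "//host" is absolute
    return parts.scheme == "https" and parts.hostname in allowed_hosts  # hostname drops user@
```

The redirect check deliberately ignores where `claude.com` appears inside the URL; only the parsed hostname counts, which is what defeats `https://claude.com@evil.example/` style lookalikes.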