Ayush Paul discovered a vulnerability in Anthropic's Claude `web_fetch` tool that allowed for the exfiltration of private user data. The flaw permitted the model to navigate to URLs embedded within previously fetched pages, bypassing restrictions designed to prevent access to arbitrary external links.

  • The attacker used a honeypot site with nested links to trick the agent into visiting specific paths letter by letter.
  • This method successfully extracted the user's name, home location city, and employer name.
  • Anthropic closed the hole by removing the ability for `web_fetch` to follow additional links returned within its own fetched content.

The fix prevents attackers from using this technique to steal sensitive information stored in Claude's memories.