New Attack Chain Targeting Claude Involves “Invisible Prompt” Vulnerability

Claude users should be aware of a new attack chain that targets the service, but the warning extends more broadly to other AI assistants that could be compromised by a similar vulnerability.

Research from Oasis Security documents a new attack chain that targets sensitive information that might have appeared in prior user chats, and potentially MCP integrations. The central vulnerability, use of a pre-filled chat URL with certain instructions, has reportedly been patched by Anthropic prior to publication. The attack involves two other elements that remain exploitable, however, and might be present with other services.

One vulnerability after another

The attack chain relies on three specific vulnerability elements: an open redirect from the main Claude website that makes a malicious URL look like a legitimate link to the AI, a prompt injection in the attack URL that is not visible to the end user, and a means by which to exfiltrate requested data via the Claude API.

The main target is any sensitive information that might have been entered in previous Claude conversations, but if the victim has MCP servers or tools installed those could also potentially be used to grab files or send messages. There is not yet any indication of the attack chain being exploited in the wild, and the most effective deployment of it would involve purchasing ads from Google that are meant to reach a specific demographic group. However, it does not require any special skill or knowledge to pull off and does not even otherwise require spending any money.

The attack chain does require the victim to click on a tainted search result to initiate, but the URL and preview presentation will look safe when viewed. The attack commands are sitting directly in the URL, but hidden from user view until they click through and initiate the chat. After clicking they can see the instructions in the Claude chat history, but by then any damage will have very likely been done already.

Attack chain stems from legitimate-looking search results

Anthropic has patched out the method of exfiltrating data, but both hiding prompts and setting up a redirect from claude.com are still possible. The malicious instructions to Claude are sitting right in the attack URL, but will be invisible to the user prior to click-through due to the combination of the redirect and use of tags that hide them from view in web browsers.

What Anthropic has patched out is the data exfiltration method by way of a Claude API. The attack commands in the URL will be formatted in such a way as to probe the user’s chat history for sensitive information, which Claude is then asked to summarize and deliver as a prompt to the Anthropic Messages API. The attacker needs only to create a free-tier account with an API key that they include in their payload, and they can then read the summary of stolen data from their API logs.

That does substantially limit the ability to abuse this vulnerability, as Claude otherwise generally does a good job of “sandboxing” output and refusing to pass it to external parties or sources. However, other elements of the attack chain can be abused in other ways. This (among other numerous incidents) should provide a wake-up call about treating autonomous AI-driven elements of networks as if they are human users for security purposes, something that may in some cases require a serious rethinking of cybersecurity architecture.