Researcher tricks Claude's memory and web_fetch tools into leaking personal data to an attacker's site
- A researcher got Claude.ai to leak his name, employer, and security question answers to an external server just by asking it to browse a website, using Claude's own conversation memory plus its web_fetch tool.
- Claude blocks web_fetch from hitting arbitrary attacker supplied URLs directly, but it will follow hyperlinks found on a page it already fetched, so the researcher built a fake site ("evil.com") whose links spelled out an alphabet the model could be walked through letter by letter to spell secrets.
- The exploit chains Claude's two memory features, a daily conversation summary injected into every chat and a conversation_search retrieval tool, with unrestricted outbound link following in web_fetch to exfiltrate personal data with no visible warning to the user.
- The researcher reported the bug to Anthropic via HackerOne; Anthropic said they already knew about it internally, paid no bounty, and later fixed it by disabling web_fetch's ability to follow links on external pages, restricting navigation to web_search results and user provided URLs.
- Hacker News commenters split between blaming weak AI agent sandboxing broadly and arguing the real fix is limiting what memories an agent context can access at all, since this leak was about data exposure rather than filesystem or shell permissions.
Hacker News opinions
This doesn't surprise me at all. Yesterday I learned people run AI agents with full admin rights and no containerization whatsoever. We basically forgot 50 years of computer security overnight.
We just assume Anthropic, OpenAI, and Google won't do evil. Oh wait. The awakening is going to be unpleasant.
This isn't really about admin rights, it's about the agent leaking info from its own memory. Sandboxing won't fix that part.
I think we're converging on two security models here: capability minimization (file, network, shell permissions) and context minimization. An agent that only has access to memories relevant to the current task is safer even with identical tool permissions.
Author here, thanks for reading! Yeah I'm a big fan of containerization and claude.ai is actually great at that, so finding this exfil was genuinely shocking to me.
Expected more from Anthropic, at least give the guy a bounty since this is a novel bypass of their safeguards.
No bounty was awarded even though Anthropic confirmed internally they knew about it. They just recently mitigated it by disabling web_fetch's ability to follow external links, limiting navigation to web_search results and user provided URLs.
I never buy the 'we knew about it internally' excuse. Feels like companies just use that line to dodge payouts, and it kills trust and motivation to report bugs.
That's exactly why I keep memory turned off, the current memory system is too crude to be useful anyway.
In my experience the memory feature is more annoying than helpful, it keeps bringing up stuff like it wants me to be impressed it remembered something trivial.
It would be safer if data extraction tasks ran through a subagent without access to all the user's memories.
I think it's already done via a subagent, otherwise the context window would get flooded. The subagent should've flagged that attacker controlled authorization was required.
What's funny is the AI agent burned a ton of tokens just participating in this attack.
Nice write up, and it's refreshing to read something that actually sounds written by a human.
It's always the feature combinations that get you. Individually web_fetch and memory make sense, but combined they create a real vulnerability nobody planned for.