- Oasis researchers discover “Cloudy Day” attack chain on Claude
- The exploits include invisible prompt injection, data exfiltration via APIs, and open redirects.
- Anthropic fixed one defect and the remaining two are being fixed
Oasis security researchers recently found three vulnerabilities in Claude that, when used together, form a complete attack chain, from targeted delivery to the victim to leakage of sensitive data.
The researchers named it Cloudy Day and responsibly disclosed it to Anthropic.
One of the bugs has already been patched, and fixes are currently being worked on for the other two.
Abusing Google
In a detailed report posted on the company’s website, Oasis said the theoretical attack begins with an invisible injection via URL parameters. Researchers discovered that Claude.ai allows users to open a new chat with a preloaded message via a URL parameter (claude.ai/new?q=…). Since users can embed HTML tags in the parameter, these can be used to smuggle invisible messages that Claude will process when the user presses Enter.
But injecting a malicious message is only the first step. Claude’s code execution sandbox does not allow outbound network access, which means the tool cannot connect to a third-party server. However, it can connect to api.anthropic.com, and if the attacker includes an API key in the message, the attacker can tell Claude to search for sensitive information in all of the victim’s previous conversations, generate a file, and upload it to the attacker’s Anthropic account using the Files API.
“No integrations or external tools are needed, just capabilities that are delivered out of the box.”
So we have prompt injection and data exfiltration, but how do attackers get victims to click on the link with a preloaded message? A simple phishing email might be enough, but Oasis found an even more dangerous method. The third vulnerability revolves around open redirects on claude.com. Any URL in the form claude.com/redirect/ redirects visitors without validation, even to arbitrary third-party domains.
At the same time, Google Ads only validates URLs by hostname, meaning an attacker could create a seemingly legitimate ad on Google’s network and use it to steal from people.
The prompt injection vulnerability has since been fixed and Anthropic is also currently working on fixes for the other two, Oasis confirmed.
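For defenders triaging links from mail or proxy logs, the following added example (not code from Oasis or Anthropic) flags prefilled-chat URLs of the claude.ai/new?q= form whose decoded message carries HTML markup, an API-key-like string, or a reference to api.anthropic.com. The `sk-ant-` key pattern, the finding names and the sample links are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Host and path come from the article (claude.ai/new?q=...).
PREFILL_HOST, PREFILL_PATH = "claude.ai", "/new"
SCHEME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9+.-]*://")
CHECKS = [
    ("html-markup", re.compile(r"</?[A-Za-z][^<>]*>")),               # tag-shaped text
    ("api-key-like-string", re.compile(r"\bsk-ant-[A-Za-z0-9_-]{8,}")),  # assumed key shape
    ("mentions-api-host", re.compile(r"api\.anthropic\.com", re.I)),
]


def fully_decode(value, max_rounds=3):
    """Undo nested percent-encoding (%253C -> %3C -> <), bounded to avoid loops."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def inspect_prefill_link(url):
    """Return the list of findings for a prefilled-chat link; [] means nothing flagged."""
    parts = urlsplit(url if SCHEME_RE.match(url) else "https://" + url)
    host = (parts.hostname or "").lower()
    if host != PREFILL_HOST and not host.endswith("." + PREFILL_HOST):
        return []
    if parts.path.rstrip("/") != PREFILL_PATH:
        return []
    # parse_qs removes one encoding layer; fully_decode removes any extra ones.
    texts = [fully_decode(v) for v in parse_qs(parts.query, keep_blank_values=True).get("q", [])]
    return [name for name, rx in CHECKS if any(rx.search(t) for t in texts)]


# Constructed sample links, as they might be extracted from mail or proxy logs.
SAMPLES = [
    "https://claude.ai/new?q=Summarise%20this%20article",
    "https://claude.ai/new?q=Hi%3Cspan%3Econstructed%20hidden%20text%3C%2Fspan%3E",
    "claude.ai/new?q=Hi%253Cspan%253Etext%253C%252Fspan%253E",
    "https://claude.ai/new?q=send%20to%20api.anthropic.com%20using%20sk-ant-CONSTRUCTED0000",
    "https://example.com/new?q=%3Cb%3Ex%3C%2Fb%3E",
]

if __name__ == "__main__":
    for link in SAMPLES:
        print(inspect_prefill_link(link) or ["clean"], link)
```

A hit is a reason to look at the decoded message, not proof of abuse: the markup check also fires on a legitimate prompt that quotes HTML.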




