TechRadar
Sead Fadilpašić

Three high-risk AI vulnerabilities discovered in Claude.ai – end-to-end attack chain exfiltrates sensitive info without user knowing

Mobile phone displaying a Claude login screen.

  • Oasis researchers uncover “Cloudy Day” attack chain in Claude
  • Exploits include invisible prompt injection, data exfiltration via API, and open redirects
  • Anthropic patched one flaw, fixes for remaining two underway

Security researchers at Oasis recently found three vulnerabilities in Claude which, when used together, form a complete attack chain - from delivering the link to the targeted victim through to exfiltrating sensitive data.

The researchers dubbed it Cloudy Day and responsibly disclosed it to Anthropic.

One of the bugs was already patched, with fixes for the other two currently in the works.

Abusing Google

In an in-depth report published on the company’s website, Oasis said that the theoretical attack starts with invisible prompt injection via URL parameters. The researchers discovered that Claude.ai allows users to open a new chat with a pre-filled prompt via a URL parameter (claude.ai/new?q=...). Since users can embed HTML tags into the parameter, these can be used to smuggle invisible prompts that Claude will process when the user hits Enter.

But injecting a malicious prompt is just the first step. Claude’s code execution sandbox does not allow outbound network access, meaning the tool can’t connect to a third-party server. It can, however, connect to api.anthropic.com, and if the attacker embeds an API key in the prompt, they can tell Claude to search through all of the victim’s previous conversations for sensitive information, generate a file, and upload it to the attacker’s Anthropic account using the Files API.

“No integrations or external tools needed, just capabilities that ship out of the box.”

Okay, so we have prompt injection and data exfiltration - but how do we get the victims to click on the link with a pre-filled prompt? A simple phishing email might suffice, but Oasis found an even more dangerous method. The third vulnerability revolves around open redirects on claude.com. Any URL in the format of claude.com/redirect/ redirects visitors without validation, including to arbitrary third-party domains.

At the same time, Google Ads only validates URLs by hostname, which means an attacker could create a seemingly legitimate ad on Google’s network and use it to rob people.
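As an added example (not Anthropic's or Oasis's code), the two server-side checks below close the two classes of flaw the report describes: a /redirect/ handler that forwards only to an explicit allowlist of hosts, and a ?q= pre-fill handler that strips markup and flags invisible characters so nothing reaches the model unseen. The allowlist, the function names and the sample URL are assumptions for illustration.

```javascript
// Added example, not the vendor's code. Hostnames, the /redirect/ path and the
// `q` parameter come from the article; the allowlist is an assumed policy.
const REDIRECT_ALLOWLIST = new Set(["claude.ai", "claude.com", "anthropic.com"]);

// Open-redirect check: forward only to https destinations on an allowed host
// (exact match or subdomain). Relative, malformed or foreign targets are refused.
function validateRedirectTarget(target, allowlist = REDIRECT_ALLOWLIST) {
  let u;
  try {
    u = new URL(target); // throws on relative or malformed input
  } catch {
    return { ok: false, reason: "unparseable" };
  }
  if (u.protocol !== "https:") return { ok: false, reason: "scheme" };
  const host = u.hostname.toLowerCase();
  const allowed = [...allowlist].some(h => host === h || host.endsWith("." + h));
  return allowed ? { ok: true, url: u.href } : { ok: false, reason: "host" };
}

// Pre-filled prompt check: the q= value is untrusted text. Remove HTML tags so
// no element (hidden or otherwise) is interpreted, count zero-width/bidi/BOM
// characters that render as nothing, and let the caller refuse to pre-fill or
// show the full cleaned text when anything suspicious was present.
const TAG_RE = /<[^>]*>/g;
const INVISIBLE_RE = /[\u200B-\u200F\u2028-\u202E\u2060-\u2064\uFEFF]/g;

function sanitizePrefilledPrompt(raw) {
  const hadMarkup = (raw.match(TAG_RE) || []).length > 0;
  const invisibleCount = (raw.match(INVISIBLE_RE) || []).length;
  const clean = raw.replace(TAG_RE, "").replace(INVISIBLE_RE, "").trim();
  return { clean, hadMarkup, invisibleCount, suspicious: hadMarkup || invisibleCount > 0 };
}

// Inspect a full claude.ai/new?q=... link; searchParams.get() percent-decodes.
function inspectNewChatUrl(href) {
  const q = new URL(href).searchParams.get("q");
  return q === null ? null : sanitizePrefilledPrompt(q);
}

// Constructed sample: a benign sentence carrying a hidden span and a zero-width space.
const SAMPLE_Q = 'Say hello<span style="display:none">hidden text</span>\u200B';
const SAMPLE_URL = "https://claude.ai/new?q=" + encodeURIComponent(SAMPLE_Q);

console.log(validateRedirectTarget("https://claude.com.attacker.example/")); // { ok: false, reason: 'host' }
console.log(inspectNewChatUrl(SAMPLE_URL));
```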

The prompt injection vulnerability has since been addressed, and Anthropic is currently working on fixes for the other two as well, Oasis confirmed.
