Oasis Security — Claudy Day: Claude.ai Prompt Injection to Silent Data Exfiltration
AI relevance: Oasis Security disclosed a three-vulnerability chain in Claude.ai ("Claudy Day") that enables silent data exfiltration from user conversation history via invisible prompt injection embedded in URL parameters — no integrations, MCP servers, or tools required.
- Invisible prompt injection via URL parameters. Claude.ai's pre-fill URL parameter (
claude.ai/new?q=...) accepted HTML tags that rendered invisibly in the text box but were fully processed by the model. Attackers could embed arbitrary instructions inside what appeared to be a normal user prompt. - Files API exfiltration. Claude's sandbox restricts outbound network access but permits connections to
api.anthropic.com. By embedding an attacker-controlled API key in the hidden prompt, researchers instructed Claude to search conversation history for sensitive content, write it to a file, and upload it to the attacker's Anthropic account. - Open redirect on claude.com. Any URL in the form
claude.com/redirect/<target>redirected without validation, including to third-party domains. Combined with Google Ads targeting (location, industry, Customer Match email lists), this enabled precision delivery of injection URLs disguised as legitimate search results. - No integrations required. The attack works against a bare default Claude.ai session. With MCP servers or enterprise integrations enabled, the blast radius expands to file reads, message sends, and API access.
- Conversation history is rich attack surface. The injected prompt can instruct Claude to summarize past conversations, extract targeted topics (mergers, medical concerns), or auto-identify and dump sensitive content.
- Anthropic has fixed the prompt injection vulnerability; remaining issues are being addressed. The disclosure came through Anthropic's Responsible Disclosure Program.
Why it matters
This is one of the cleanest demonstrations that consumer-facing AI assistants are viable attack surfaces for targeted data exfiltration. The combination of invisible injection, first-party API abuse, and ad-network delivery creates a pipeline that doesn't rely on phishing emails or malicious attachments — just a Google search result. As enterprises connect Claude to MCP servers and internal tools, the same injection vector becomes a multi-step supply-chain attack.
What to do
- Inventory AI agent usage across your organization — which assistants, which data they access, which integrations are enabled. Shadow AI is a growing blind spot.
- Audit MCP and tool permissions — every connected server or API expands the blast radius of a compromised prompt. Disable unused integrations.
- Educate users that pre-filled prompts, shared links, and pasted content can contain hidden instructions. The attack vector doesn't require clicking suspicious links.
- Establish governance for agent identities — agents hold credentials and take autonomous actions. Apply intent analysis, scoped access, and full audit trails.