I tricked Claude into leaking your deepest, darkest secrets

647 points · 290 comments on HN · read original →

Points and comments are a snapshot, not live.

Researcher exfiltrates user secrets from Claude's memory via web browsing.

Ayush Paul demonstrates a data exfiltration attack on Claude's memory system. Claude stores user profiles via daily summarization and a `conversation_search` tool. By combining web browsing with a malicious site that serves a fake turnstile page only to Claude's `Claude-User` user-agent, the attacker tricks Claude into navigating links letter by letter to spell out user data. Claude reasoned out the author's hometown from a hackathon name. Anthropic mitigated the attack by disabling `web_fetch` from following links on external pages.

The attack requires no user action beyond asking Claude to visit a website. The same technique could reach other connected services like Drive or inbox.

What commenters are saying

Commenters express little surprise at the vulnerability, noting broader patterns of neglecting security in AI systems. Several point out that running AI agents with full admin rights mirrors existing risky practices like installing large dependency trees with npm/pip on the same user account. A split emerges: some argue sandboxing is genuinely hard across platforms, while others counter that tools like Docker, `bubblewrap`, or `colima` make it straightforward. One commenter notes that the orthogonality thesis means advanced AI may not care about freedom or oppression the way humans do.