
The vulnerability sequence, dubbed “Claudy Day,” highlights growing security risks in AI-driven environments where prompt manipulation can be weaponized without requiring external tools or integrations.
The attack operates entirely within a default Claude session, making it particularly dangerous.
Researchers identified three distinct but interconnected flaws that, when chained together, enable full exploitation: an invisible prompt injection issue, a data exfiltration mechanism, and an open redirect vulnerability on Anthropic’s primary domain.
Anthropic has already patched the prompt injection flaw following responsible disclosure. However, mitigations for the remaining issues are still in progress, leaving potential exposure depending on deployment configurations.
Attack Chain Breakdown
The first stage involves exploiting an open redirect vulnerability on the claude.com domain. Threat actors abuse this flaw through Google Ads, which validates links based on trusted hostnames.
As a result, malicious links can appear legitimate in sponsored search results. When users click these links, they are silently redirected to a crafted injection URL without any visible warning.
This URL leverages Claude’s pre-filled prompt functionality. Attackers embed malicious instructions within hidden HTML tags inside the URL parameters.
These instructions remain invisible to the victim but are processed by the AI system when the session loads.
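The two weaknesses in this first stage (a redirect validated only by its hostname, and a pre-filled prompt parameter that can carry hidden HTML) can both be checked mechanically. The following is an added example for defenders, not code from the researchers or from Anthropic: the first function is a server-side safe-redirect check, the second a gateway-side link inspector. The allow-listed hosts and the parameter names `to` and `q` are placeholders chosen for this example, not the real claude.com parameters.

```python
import re
from urllib.parse import urlparse, parse_qs, unquote, urljoin

# Assumption: placeholder allow-list; the real site's hostnames may differ.
TRUSTED_HOSTS = {"claude.com", "www.claude.com"}

# Markup that renders nothing visible but is still present in the text an
# AI system receives: hidden attribute, display:none, visibility:hidden, aria-hidden.
HIDDEN_HTML = re.compile(
    r"<[a-z][^>]*(hidden|display\s*:\s*none|visibility\s*:\s*hidden|aria-hidden)[^>]*>",
    re.I,
)


def safe_redirect_target(raw_target, base="https://claude.com/"):
    """Server-side open-redirect fix: resolve the requested target against the
    site origin and allow it only if it stays on an allow-listed HTTPS host.
    Returns the normalised URL, or None when the redirect must be refused."""
    target = urljoin(base, raw_target.strip())
    parsed = urlparse(target)
    if parsed.scheme != "https" or parsed.hostname not in TRUSTED_HOSTS:
        return None  # protocol-relative (//evil), absolute off-host and javascript: targets land here
    return target


def inspect_link(url):
    """Gateway-side check for a link that looks trusted by hostname alone:
    flag query parameters that point to an off-host URL (redirect smuggling)
    or that embed hidden HTML (a concealed pre-filled prompt)."""
    findings = []
    parsed = urlparse(url)
    for key, values in parse_qs(parsed.query, keep_blank_values=True).items():
        for value in values:
            value = unquote(value)  # second pass catches double-encoded values
            inner = urlparse(value)
            if inner.scheme in ("http", "https") and inner.hostname and inner.hostname not in TRUSTED_HOSTS:
                findings.append(f"param '{key}' redirects off-host to {inner.hostname}")
            if HIDDEN_HTML.search(value):
                findings.append(f"param '{key}' contains hidden HTML markup")
    return findings


if __name__ == "__main__":
    # Constructed sample links (hypothetical parameter names), not captured traffic.
    print(safe_redirect_target("/chat"), safe_redirect_target("//evil.example/phish"))
    print(inspect_link("https://claude.com/new?q=Summarize+this+%3Cspan+hidden%3Edo+something%3C%2Fspan%3E"))
```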
Once executed, the injected prompt instructs Claude to search through the user’s chat history and extract sensitive information.
This may include financial data, personal conversations, medical details, or confidential business information.
Data Exfiltration Mechanism
The second stage focuses on exfiltration. The malicious prompt includes an attacker-controlled API key, allowing Claude to upload harvested data directly to the attacker’s Anthropic Files API account.
This technique effectively bypasses traditional outbound network monitoring, as the data transfer occurs within legitimate platform workflows.
Unlike conventional malware, this approach does not rely on endpoint compromise or suspicious binaries. Instead, it abuses trusted AI functionality, making detection significantly more challenging for security teams.
The impact becomes far more severe when Claude is integrated with external systems. If users have connected Model Context Protocol (MCP) servers, third-party APIs, or internal enterprise resources, the injected prompt can access those environments.
In such scenarios, the AI agent may read sensitive corporate files, query internal systems, or interact with connected services without user awareness. This effectively turns the AI into an insider threat operating under legitimate permissions.
Researchers warn that attackers can further refine campaigns using targeted advertising, enabling precise delivery of exploit links to specific industries, organizations, or user groups.
The “Claudy Day” attack chain underscores a fundamental shift in the threat landscape. AI platforms are no longer passive tools but active agents capable of interacting with sensitive data and systems.
As a result, prompt injection vulnerabilities must be treated with the same severity as traditional code execution flaws.
Oasis Security researchers emphasize that AI agents should be governed with strict identity and access controls, similar to human users or service accounts.
Organizations are advised to audit all AI integrations, disable unnecessary MCP connections, and enforce least-privilege access across APIs and data sources.
User awareness also plays a critical role. Employees should be trained to recognize the risks associated with shared links and pre-filled AI prompts, which are increasingly becoming attack vectors.
As AI adoption accelerates, proactive monitoring, intent validation, and robust access management will be essential to prevent silent data breaches and maintain trust in intelligent systems.
The post Claude Vulnerabilities Allow Data Exfiltration and Malicious Redirects appeared first on Cyber Security News.
