Researchers Uncover Three‑Flaw Chain in Anthropic Claude AI Enabling Silent Chat History Theft
What Happened – Security researchers at Oasis Security identified a chain of three distinct vulnerabilities in Anthropic’s Claude large‑language‑model service: a hidden prompt‑injection via the ?q= URL parameter, an unrestricted Files API that can be invoked from the model’s sandbox, and an open‑redirect on claude.com. Exploiting the chain allows an attacker to upload a user’s conversation transcript to the attacker’s Anthropic storage without any phishing, malware, or visible link.
Why It Matters for TPRM –
- The flaw bypasses traditional email‑oriented defenses, exposing third‑party data through built‑in cloud functionality.
- Vendors that embed Claude in customer‑facing applications inherit the same risk of silent data exfiltration.
- The issue highlights the need for rigorous API‑usage reviews and sandbox hardening in AI‑as‑a‑Service contracts.
Who Is Affected – SaaS providers, API platforms, and enterprises that integrate Claude for customer support, internal knowledge bases, or data‑driven workflows.
Recommended Actions – Review any contracts or data‑processing agreements with Anthropic; verify that the Files API is disabled or tightly scoped; enforce strict URL‑parameter sanitization; require Anthropic to provide a formal remediation timeline and attestations of sandbox isolation.
Technical Notes –
- Attack Vector: Prompt injection via URL, misuse of Anthropic Files API, open redirect.
- CVE(s): None assigned yet; pending disclosure.
- Data Types Exfiltrated: Full conversation history (potentially containing PII, proprietary business information).
Source: DataBreachToday – Claudy Day Forecast: Chat Data Theft