Exfiltrating Claude Memory via Link-Based Web Browsing Sandbox Escape
A security researcher demonstrated a data exfiltration vector targeting Claude.ai's memory system. By exploiting the web_fetch tool's permission structure, an attacker can trick Claude into sending user profile information via a letter-by-letter link-clicking sequence.
Impact: Medium
Why it matters
Be aware of what sensitive information Claude remembers, and consider auditing or clearing your Claude.ai memory profiles periodically.
TL;DR
- 01Claude's daily summarization profile can be extracted using dynamic URL link hierarchies.
- 02The web_fetch tool's permission to follow linked URLs allows a silent sandbox bypass.
- 03Keep sensitive data, work secrets, and answers to security questions out of Claude's memory.
Key facts
- Target Platform
- claude.ai (Web Assistant)
- Vulnerable Tool
- web_fetch
- Vector
- Recursive hyperlink navigation
The Vulnerability Mechanism
Claude.ai’s built-in web_fetch tool limits outbound connections using three strict criteria: 1. The target URL must be explicitly provided in the user's chat message. 2. The URL must appear in a web_search query output. 3. The URL is hyperlinked within the content of a previously fetched page.
By exploiting the third rule, an attacker can host a site that acts as an "alphabetical keyboard". The page links to /a, /b, /c, and so on. In turn, /a links to /aa, /ab, and subsequent paths generated on the fly.
The Prompt Injection Vector
Using a rouse (such as pretending to be a Cloudflare Bot Protection "Turnstile" verifying the agent's identity), the attacker tricks Claude into navigating the alphabetical links to spell out the user's name. As Claude requests the corresponding URLs (e.g., evil.com/a/y/u/s/h), the web server logs the request paths, successfully exfiltrating private data from Claude's sandbox.
Mitigations for Users
Since this vector relies on Claude's default web-browsing capabilities and memory synchronization:
- Audit Memory: Routinely check and prune Claude’s memory configuration page inside
claude.aito remove high-value PII or security answers. - Restrict Browsing: Avoid directing Claude to fetch untrusted websites or click suspicious links in chats where sensitive memory context might be present.
What to do today
- Open Claude.ai settings and review all stored memory entries.
- Manually delete any sensitive personal or corporate facts from the memory dashboard.
Sources