I tricked Claude into leaking your deepest, darkest secrets(ayush.digital)
398 points by macleginn 5 hours ago | 185 comments
tl;dr: A researcher found an exfiltration vector in Claude's web_fetch tool: while arbitrary URLs are blocked, Claude can follow links from previously fetched pages. By building a fake Cloudflare "turnstile" on a coffee shop site that generated per-letter hyperlinks, he tricked Claude into spelling out a user's name, employer, and hometown (pulled from memory and inferred from past chats) via URL paths—no user interaction beyond asking about the site. Anthropic has since restricted link-following to search results and user-provided URLs; no bounty was awarded despite disclosure.
HN Discussion:
  • AI agents are being run without proper security isolation, ignoring decades of security lessons
  • Memory features in AI create massive privacy risks that users are ignoring
  • Personal anecdotes about sandboxing or avoiding memory as protective measures
  • Cloudflare's aggressive default anti-scraping measures are problematic for site owners
  • Light/humorous takes on obfuscating identity to defeat such attacks