Back to feed

How I tricked Claude into leaking your deepest, darkest secrets

Simon Willison's Weblog

Jul 15, 2026

7/15/2026

Fix Reveals Issue Was Not Web Access But Autonomous Link Following In Fetched Content

How I tricked Claude into leaking your deepest, darkest secrets · Simon Willison's Weblog

Science, Technology & Innovation · Jul 15, 2026

Anthropic fixed a vulnerability by preventing web_fetch from autonomously following links found inside fetched pages—showing the risk was content-triggered navigation (making fetched content a command surface) rather than basic web access, which removes nested-link exfiltration paths; Anthropic also said they didn’t pay a bounty because they’d already identified it internally.


7/15/2026

URL Allowlists Must Constrain Transitive Navigation Not Just The First Hop

How I tricked Claude into leaking your deepest, darkest secrets · Simon Willison's Weblog

Science, Technology & Innovation · Jul 15, 2026

Claude’s web_fetch safeguard failed because fetched pages could contain new URLs, enabling recursive navigation through nested links that allowed data exfiltration—so allowlists must block transitive/second‑order navigation, not just the first hop.


7/15/2026

AI Agent Exploits Target Content Based On Agent Identity And Tool Constraints Requiring Tool-Aware Testing And Agent-Identity Simulation

How I tricked Claude into leaking your deepest, darkest secrets · Simon Willison's Weblog

Science, Technology & Innovation · Jul 15, 2026

Attackers hid malicious prompts by serving them only to specific AI-agent client metadata (e.g., Claude-User user-agent) and tailoring content to the agent’s tools (like web_fetch), so standard human review can miss the exploit—security teams must simulate agent identities and tool-aware fetches in red-teaming and monitoring.


7/15/2026

Limited Memory And Constrained Browsing Can Enable Personal Data Exfiltration Through Prompt Injection

How I tricked Claude into leaking your deepest, darkest secrets · Simon Willison's Weblog

Science, Technology & Innovation · Jul 15, 2026

The exploit rebuilt a “lethal trifecta”—private conversation memory, hostile instructions, and an outbound browsing channel—using a fake auth workflow that forced the agent to traverse profile pages letter-by-letter and successfully exfiltrate PII (name, home city, employer), showing that limited memory plus constrained browsing can still leak data when prompt-injection defenses miss multi-step exfiltration chains.