Claude web_fetch tool vulnerability exposed data; Anthropic fixed it
Decision Brief
Anthropic designed the web_fetch tool for Claude chat to only allow access to exact URLs from user input or web_search results, to prevent data leakage via URL parameters. However, researcher Ayush Paul found that web_fetch also follows links embedded in fetched pages. An attacker could create a honeypot site, inducing Claude to visit a series of nested generated links, thereby carrying user data in URLs. In an actual attack, the attacker prompted Claude to "browse user profiles alphabetically," successfully extracting the user's name, city, and employer. The attack triggered only when the request's User-Agent header contained Claude-User, reducing detection chances. Anthropic said it had internally discovered the issue, did not pay a bounty, and fixed the vulnerability by removing web_fetch's ability to jump to other links from its own fetched content. Users of Claude chat no longer face this data leak path. However, for all developers relying on AI tools to read web content, this is a reminder: even with fine-grained URL filtering rules, allowing tools to follow in-page links can still be used for data leakage.
Sources
- Simon Willison:Blog
Hands-on notes on LLM tools, local models, and practical AI engineering.
- Simon Willison:Blog
留言
登入后即可留言,和其他 builder 交换实测心得。
还没有留言,抢头香。