NEWS Claude is Leaking Your Data Right into the Hands of Cybercriminals. How to Protect Yourself?

ExcalibuR

Anthropic admitted to a procedural error only after a public scandal with a security report.

A critical vulnerability has been discovered in the Claude chatbot, allowing attackers to force the artificial intelligence to divulge users' personal data. This was reported by Johann Rehberger, known by the nickname wunderwuzzi, who demonstrated how the model can be tricked into uploading confidential information to a third-party account. This case showed that new features, such as access to the "sandbox" and network operations, can turn into data leakage tools if not properly secured.

According to the author's description, the attack is based on indirect prompt injection—malicious instructions are inserted into a document, and the model is then asked to paraphrase or summarize the content. The assistant executes the embedded directives, saves the data in its internal environment, and uses the File API to send the file, substituting a foreign access key. To bypass security logic, the attacks are disguised as ordinary code and trivial operations, which helps trick the model into accepting the malicious part as safe.

Anthropic notes that the risk is described in its documentation and suggests users monitor the service's behavior and cancel actions upon suspicious activity—a recommendation Rehberger calls insufficient. The company closed his report on HackerOne as falling outside the program's scope. However, Anthropic later admitted to a procedural error and confirmed that such cases are indeed considered within its vulnerability program.

Claude's network access modes depend on the subscription type: for Pro and Max tiers, it is active by default; for Team and Enterprise corporate plans, it is initially disabled but can be enabled by an administrator. Furthermore, advanced settings can permit calls to external APIs, which increases the potential attack surface even with a limited network profile.

Observations from hCaptcha show that such attack chains are possible not just on a single platform—experts who tested several popular products note the consistent fragility of defenses against injections and jailbreaks. The conclusion is clear—expanding functionality requires strict request control mechanisms and verification of third-party keys; otherwise, new tools will become a serious threat to confidentiality.
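Added example (not Anthropic's, Rehberger's or the forum author's code) of the "verification of third-party keys" the closing paragraph calls for: an egress policy enforced outside the model that lets sandbox traffic carry only the account's own API key, so a File API upload that substitutes a foreign key is blocked and logged regardless of how benign the injected instructions looked to the model. The provider host, header name and upload path are assumed placeholders, and the request records are constructed.

```python
import hashlib
import hmac
from dataclasses import dataclass, field

# Assumed placeholders; the real host, header and path names are not from the article.
PROVIDER_HOST = "api.provider.example"
KEY_HEADER = "x-api-key"

def fingerprint(secret: str) -> bytes:
    """Hash the key so the policy never has to store the raw tenant secret."""
    return hashlib.sha256(secret.encode()).digest()

@dataclass
class EgressPolicy:
    """Decides whether an outbound request from the code sandbox may leave."""
    tenant_key_fp: bytes
    allowed_hosts: frozenset
    audit: list = field(default_factory=list)

    def evaluate(self, req: dict) -> str:
        host = req["host"].lower()
        headers = {k.lower(): v for k, v in req["headers"].items()}
        if host not in self.allowed_hosts:
            return self._deny("host_not_allowed", req)
        key = headers.get(KEY_HEADER)
        if key is None:
            # Unauthenticated reads are harmless here; unauthenticated uploads are not.
            return "allow" if not req.get("body") else self._deny("unauthenticated_upload", req)
        # Constant-time compare of fingerprints: any key other than the tenant's own is foreign.
        if not hmac.compare_digest(fingerprint(key), self.tenant_key_fp):
            return self._deny("foreign_credential", req)
        return "allow"

    def _deny(self, reason: str, req: dict) -> str:
        self.audit.append({"reason": reason, "host": req["host"],
                           "path": req["path"], "bytes": len(req.get("body", b""))})
        return "deny:" + reason

def run_demo() -> tuple:
    """Three constructed requests: one legitimate, two resembling the described exfiltration."""
    tenant_key, foreign_key = "sk-tenant-constructed", "sk-attacker-constructed"
    policy = EgressPolicy(fingerprint(tenant_key), frozenset({PROVIDER_HOST}))
    requests = [
        {"method": "POST", "host": PROVIDER_HOST, "path": "/v1/files",
         "headers": {KEY_HEADER: tenant_key}, "body": b"report.pdf"},
        {"method": "POST", "host": PROVIDER_HOST, "path": "/v1/files",
         "headers": {KEY_HEADER: foreign_key}, "body": b"chat_history.txt"},
        {"method": "POST", "host": "drop.example.net", "path": "/upload",
         "headers": {}, "body": b"chat_history.txt"},
    ]
    return [policy.evaluate(r) for r in requests], policy.audit
```

The audit entries give a SOC a concrete signal (foreign credential, destination, payload size) to alert on, which the article's advice to watch the assistant and cancel suspicious actions does not.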