Claude can be tricked into sending your private company data to hackers - all it takes is some kind words

Date:
Fri, 31 Oct 2025 18:28:00 +0000

Description:
An attacker can manipulate Claude via prompt injection to exfiltrate user data

FULL STORY

Claude one of the more popular AI tools out there, carries a vulnerability which allows threat actors to exfiltrate private user data, experts have warned.

Cybersecurity researcher Johann Rehberger, AKA Wunderwuzzi, who recently
wrote an in-depth report on his findings, finding at the heart of the problem is Claudes Code Interpreter, a sandboxed environment that lets AI write and
run code (for example, to analyze data or generate files) directly within a conversation.

Recently, Code Interpreter gained the ability to make network requests, which allows it to connect to the internet and, for example, download software packages.

Keeping an eye on Claude

By default, Anthropics Claude is supposed to access only safe domains like GitHub or PyPI, but among the approved domains is api.anthropic.com (the same API Claude itself uses), which opened the door for exploitation.

Wunderwuzzi showed he was able to trick Claude into reading private user
data, save that data inside the sandbox, and upload it to his Anthropic
account using his own API key, via Claudes Files API.

In other words, even though the network access seems restricted, the attacker can manipulate the model via prompt injection to exfiltrate user data. The exploit could transfer up to 30 MB per file, and multiple files could be uploaded.

Wunderwuzzi disclosed his findings to Anthropic via HackerOne, and even
though the company initially classified it as a model safety issue, not a security vulnerability, it later acknowledged that such exfiltration bugs are in scope for reporting. At first, Anthropic said users should monitor Claude while using the feature and stop it if you see it using or accessing data unexpectedly.

A subsequent update said: Anthropic has confirmed that data exfiltration vulnerabilities such as this one are in-scope for reporting, and this issue should not have been closed as out-of-scope, he said in the report. There was
a process hiccup they will work on addressing.

His suggestion to Anthropic is to limit Claudes network communications to the users own account only, and users should monitor Claudes activity closely or disable network access if concerned.

Via The Register

======================================================================
Link to news story: https://www.techradar.com/pro/security/claude-can-be-tricked-into-sending-your -private-company-data-to-hackers-all-it-takes-is-some-kind-words

$$
--- SBBSecho 3.28-Linux
* Origin: capitolcityonline.net * Telnet/SSH:2022/HTTP (1:2320/105)