Researcher breaks Claude's data-exfiltration guard via web_fetch
Claude's approved-URL safeguard can be seeded by an attacker via web_search, turning persistent memory into an exfiltration channel.
Key takeaways
- Claude's web_fetch exfiltration guard can be bypassed by using web_search to inject an attacker-controlled URL into the approved list.
- The attack requires no user error beyond visiting a page containing hidden prompt-injection instructions.
- AI assistants with persistent memory and web access are outbound data channels, not just inbound query tools.
- Standard DLP tools do not catch AI-mediated exfiltration; network egress monitoring for tool calls is not yet standard practice.
- Enterprises in financial services and multilaterals face elevated risk because their AI memory stores accumulate sensitive institutional context.
Simon Willison's Weblog documented it with characteristic precision: a researcher named Ayush Paul found that Claude's web_fetch tool, despite Anthropic's explicit exfiltration guard, can be manipulated to leak a user's stored memories to an attacker-controlled server.
The mechanism matters. Claude's memory system retains facts from past conversations: personal details, preferences, confidential context that users have shared over time. Claude also has a web_fetch tool that can retrieve URLs. Anthropic's safeguard was simple in design: web_fetch would only navigate to URLs the user had themselves entered, or URLs returned by Claude's companion web_search tool. The assumption was that an attacker embedding hostile instructions in a webpage Claude visits cannot then direct web_fetch to an arbitrary exfiltration endpoint, because that endpoint would not appear in the approved URL list.
Paul found the seam. The attack works by embedding a prompt-injection payload inside a webpage that Claude fetches at the user's request. That payload instructs Claude to search for something plausible, a term crafted so that the attacker's exfiltration URL surfaces as a web_search result. Because web_search is a trusted source of URLs for web_fetch, the guard does not trigger. Claude fetches the attacker's URL, encoding the victim's memories in the request. The safeguard is outflanked not by breaking it but by routing around it.
Why this class of attack deserves board-level attention
The "lethal trifecta" framing, coined earlier by Willison, describes any AI system that simultaneously holds private data, accepts external content, and has outbound network access. All three conditions produce an attack surface that conventional application security was not designed to address. Most enterprise deployments of AI assistants, whether Claude, GPT-based tools, or Gemini integrations, are being built directly into that trifecta without recognition of the category risk.
For financial services firms and multilateral institutions, the exposure is not theoretical. These organisations are among the early adopters of AI assistants with persistent memory: tools that recall past queries, remember counterparty names, retain policy context across sessions. That accumulated context is exactly what makes these systems useful. It is also what makes a successful exfiltration attack severe. A compromised session at a development finance institution could expose programme priorities, internal debate, or named beneficiaries. At a global insurer, it could leak client data embedded in prior queries.
The attack requires that a user visit a URL the attacker controls, or a URL pointing to content the attacker has poisoned. That is not a high bar. A phishing email with a plausible research link, a poisoned third-party document fetched as background reading, a compromised news feed: any of these creates the opening. The user does not need to click anything suspicious. The hostile instructions are invisible, embedded in content the AI reads on the user's behalf.
Anthropic's guard was not negligent engineering; it reflected a genuine attempt to constrain the attack surface. The problem is structural. Any system that allows an AI to both ingest external content and make outbound requests creates a covert channel, and the channel's width is determined by how creative an attacker is, not how careful the vendor was. Paul's contribution is to show that the approved-URL whitelist can be seeded by the attacker through a layer of indirection.
The signal for enterprise security teams is specific. AI assistants with persistent memory and web access should be treated as outbound data channels, not just inbound query tools. That reframing changes the risk model: the question is no longer only "what data can Claude access?" but "what data can Claude be made to transmit?" Standard data-loss prevention tools, built around user-initiated transfers, do not catch this. Network egress monitoring for AI tool calls is not yet standard practice. It should be.
Willison notes that the underlying design tension is unresolved: the features that make Claude useful (memory, web access, search integration) are the same features that make it exploitable. Anthropic can patch this specific route. The next researcher will find another. Brands and institutions building on top of Claude or any memory-equipped AI assistant cannot wait for vendors to close every gap. They need to audit what their AI systems remember, constrain outbound tool permissions where full web access is not operationally necessary, and monitor egress. The attacker's model is already more sophisticated than the enterprise's threat model.