Summary
Key Points:
- Researchers have identified multiple vulnerabilities in Claude AI, dubbed "Claudy Day," that can be exploited to steal user data through prompt injection and deceptive Google Ads.
- The attack allows hackers to embed hidden commands in links that users click, leading the AI to process unauthorized instructions and exfiltrate sensitive information via an API flaw.
- Users are advised to monitor permissions closely when using AI tools and ensure that proper checks are in place to prevent unauthorized data access.
Technical Details: The vulnerabilities involve prompt injection through HTML tags in links, an open redirect flaw for creating misleading Google Ads, and a weakness in the Anthropic Files API that allows data exfiltration.
MITRE ATT&CK Techniques:
- None mentioned
IOCs Mentioned:
- None mentioned