Back to Blog
AI & LLM Security

Claude's Web-Fetch Guardrail Had a Gap: The Memory Heist Explained

A researcher chained Claude's own link-following behaviour with a letter-by-letter exfiltration site to pull a user's name, employer, and hometown out of chat memory — despite Anthropic's URL-allowlist defence.

PyramidLedger Research5 min read
Share

Key Takeaways

  • Anthropic restricted Claude's `web_fetch` tool to user-provided or `web_search`-returned URLs specifically to block exfiltration — but it still allowed following links found *inside* an already-fetched page.
  • Researcher Ayush Paul used that gap plus an alphabetic directory structure (`/a`, `/b`, `/aa`...) to make Claude spell out private data one character at a time as URL paths.
  • The proof of concept extracted the user's name, employer, and hometown from Claude's memory feature; Anthropic has since disabled link-following on fetched pages entirely.
  • This is a textbook 'lethal trifecta' case — private data, untrusted content, and an exfiltration channel all present in one agent — and a reminder that allowlists need to cover derived as well as direct inputs.

Simon Willison coined the term lethal trifecta for AI agents that combine three things at once: access to private data, exposure to untrusted external content, and a channel capable of sending data somewhere outside the user's control. Claude's chat memory, its ability to fetch web pages, and the open internet checked all three boxes — which is exactly why Anthropic built a specific defence around it.

The defence: an allowlist, not a blocklist

Anthropic's mitigation restricted the web_fetch tool so it could only navigate to URLs the user had typed directly, or URLs returned by the separate web_search tool. In principle that stops the classic attack: a malicious page can't get Claude to fetch https://evil.example/log?data=[stolen-secrets], because that URL was never user-supplied or search-returned. It's a sound, deterministic control — the kind of design PyramidLedger generally recommends over relying on the model to 'notice' an injection attempt.

The gap: links found inside a page you already fetched

Researcher Ayush Paul found that the allowlist had a third, unadvertised entry: a URL could also be one that appeared as a hyperlink *inside content Claude had already fetched*. That's a reasonable-sounding rule for normal browsing, but it reopens the exfiltration path — the attacker doesn't need Claude to construct a malicious URL, they just need Claude to click a link on a page they control.

Paul built that page as a branching directory tree: /a, /b, /c ... then /aa, /ab, /ac, and so on. To make Claude walk that tree, the site inspected the incoming Claude-User user-agent header. Ordinary visitors saw a normal small-business site; requests from Claude were served a fake Cloudflare CAPTCHA that prompted the model to 'verify' by spelling out private information one letter at a time — each letter mapping to the next directory to fetch.

What actually leaked

The proof of concept extracted the tester's own name, employer, and hometown from Claude's memory of past conversations. Notably, the hometown wasn't stored verbatim — Claude reasoned its way to it from a hackathon name mentioned earlier in the conversation, then exfiltrated the inference. That's a useful detail for anyone threat-modelling LLM memory features: the leak surface isn't just what's stored, it's what the model can *derive* from what's stored.

The fix and the response

According to Paul's writeup, Anthropic has since disabled web_fetch's ability to follow links discovered on external pages entirely, closing the loophole and returning navigation strictly to user-provided and web_search-sourced URLs. Paul disclosed the issue via HackerOne; per his account, Anthropic said the issue was already known internally and no bounty was paid.

Why this matters beyond Claude

This isn't a one-off Claude bug — it's a pattern any team building agents with memory plus browsing should expect to hit. Allowlisting *sources* of URLs (user input, search results) is necessary but not sufficient if the tool also trusts URLs *derived from* content the agent didn't choose to fetch. Any rule of the form 'only follow links from X' needs to ask: can an attacker get their content classified as X? Here, the answer was yes — a page already fetched via a legitimate path became a launchpad for further, attacker-controlled navigation.

  • Treat every hyperlink inside fetched content as untrusted input, not just the top-level URL.
  • Watch for user-agent-based content switching (cloaking) as a red flag when auditing what an agent's tools actually see versus what a human tester sees.
  • Assume model memory/context can be interrogated indirectly through reasoning, not just direct recall — scope what gets written to long-term memory accordingly.

Frequently Asked Questions

What is the 'lethal trifecta' in AI agent security?

It's Simon Willison's term for an agent that has all three of: access to private data, exposure to untrusted external content, and a channel that can send data outside the user's control. Any two alone are usually safe; combined, they enable data exfiltration.

Did this attack require a prompt injection in the traditional sense?

Not a classic injected instruction — it exploited an allowlist gap in Claude's `web_fetch` tool, which permitted following links found inside already-fetched pages, then used a fake CAPTCHA page and user-agent-based content switching to get Claude to encode private data into the URLs it chose to fetch next.

Has Anthropic fixed the issue?

According to the researcher's published writeup, Anthropic disabled `web_fetch`'s ability to follow links discovered on external pages, restricting navigation strictly to user-provided URLs and URLs returned by the `web_search` tool.

Sources

  1. 1The Memory HeistAyush Paul
  2. 2How I tricked Claude into leaking your deepest, darkest secretsSimon Willison
  3. 3The lethal trifecta for AI agentsSimon Willison's Newsletter
  4. 4How I tricked Claude into leaking your deepest, darkest secretsSimon Willison
Share

Read next