Claude's Memory Leak Is Every Agent Builder's Problem Independent security researchers demonstrated that Anthropic's Claude AI can be exploited to exfiltrate user memory data through a link-walking attack and a separate bug in Claude's Code Interpreter, both exploiting the same design flaw where AI memory and external tool access create an unintended data exfiltration channel. The findings highlight a systemic vulnerability in agentic AI systems that combine persistent memory with the ability to interact with external resources. AI https://sourcefeed.dev/c/ai Article Claude's Memory Leak Is Every Agent Builder's Problem A link-walking exploit shows agentic browsing turns AI memory into a silent data-exfiltration channel by design. Mariana Souza https://sourcefeed.dev/u/mariana souza Give an LLM two things, a memory of everything a user has ever told it, and a tool that can touch the outside world, and you've built a data exfiltration pipeline whether you meant to or not. That's the uncomfortable lesson from a piece of independent security research on Claude https://claude.ai , and it lands at the same moment separate researchers found a structurally identical bug in Claude's Code Interpreter. Two different attack surfaces, same root cause. That's not a coincidence, and it's not going away with a patch. How the heist actually works Developer Ayush Paul went looking for a way to get Claude's memory system to leak. Claude.ai runs a two-part memory setup: a daily summarization pass that distills recent conversations into a short profile injected into every new chat, plus a conversation search tool Claude can call to retrieve older history on demand. That's a lot of high-fidelity personal data sitting behind a chat interface, arguably more sensitive than what most password managers hold, because it includes context, tone, and the kind of thing people only say once, to no one else. The naive attack is obvious: get Claude to fetch an attacker-controlled URL with private data baked into the path, like evil.com/ victim-name , and read it off the server logs. Anthropic had already closed that door. Claude's web fetch tool only follows a URL if it appears in the user's message, in web search results, or as a link inside a page Claude already fetched. Direct instruction to visit an arbitrary URL with injected data gets blocked. The interesting move was realizing that third rule is actually a feature, not a wall. If Claude can "click" any link on a page it's allowed to visit, and the attacker owns that page, the attacker controls the entire link graph. Paul built a site where the homepage linked to /a through /z , then had each of those generate links to /aa , /ab , /ac and so on, dynamically, forever. Ask Claude to "navigate to the first letter of my name," and it walks the tree, one HTTP request per character, and the server logs reconstruct the string one letter at a time. It's DNS exfiltration and blind SQL injection's shared ancestor, encoding secret data as a sequence of choices in a channel that was never supposed to carry payloads. In the proof of concept it pulled a full name, employer, and hometown, silently, with the conversation looking completely normal to the user. This isn't a one-off, it's a pattern A second, independently disclosed bug shows the same failure mode wearing different clothes. Researcher Johann Rehberger Wunderwuzzi found that Claude's Code Interpreter, a sandboxed environment where Claude can write and execute code, had recently gained network access to a small allowlist of "safe" domains: GitHub, PyPI, and, critically, api.anthropic.com , the same endpoint Claude's own API runs on. Through prompt injection, Rehberger got Claude to read private user data inside the sandbox, save it to a file, and upload that file straight to his own Anthropic account using his own API key, via Claude's Files API, according to reporting from TechRadar https://www.techradar.com/pro/security/claude-can-be-tricked-into-sending-your-private-company-data-to-hackers-all-it-takes-is-some-kind-words . Up to 30MB per file, multiple files allowed. The allowlist was doing its job technically, api.anthropic.com is a legitimate, trusted domain, but nobody had asked the follow-up question: trusted for whose account? What's telling is how Anthropic initially handled disclosure. Rehberger reported it through HackerOne and the company first classified it as a "model safety issue" rather than a security vulnerability, before walking that back and confirming exfiltration bugs like this are in scope for reporting, calling the initial rejection a "process hiccup." That's a company still building the appsec muscle memory that web and cloud vendors built over the last two decades. Anthropic's early guidance to affected users was, essentially, watch the screen and hit stop if something looks off. That's not a mitigation, that's a warning label. Both bugs share the same shape: an agent with a legitimate tool browsing, code execution , a legitimate-looking constraint link-following rules, domain allowlists , and an attacker who realized the constraint only restricts where the request can go, not what it can carry or whose account it lands in. Prompt injection is the delivery mechanism in both cases, and prompt injection, four years after Simon Willison and others started writing about it, still doesn't have a general solution. Allowlists and sandboxes reduce the blast radius. They don't close the channel. What this means if you're building on top of these APIs If you're shipping a product on the Anthropic API https://docs.anthropic.com , OpenAI's Assistants/Actions surface, or your own agent framework with tool use, treat every tool that can make an outbound request, follow a link, or write a file as a potential exfiltration channel, full stop. That includes: Any tool that reads attacker-influenced content. If your agent fetches web pages, reads emails, or ingests documents from untrusted sources, assume the content can contain instructions aimed at your agent, not just data for it to summarize. Any tool with network egress, even to "trusted" domains. An allowlist scoped to a domain isn't scoped to an account or a bucket. If your agent can write to a trusted API, ask what happens when the attacker owns valid credentials for that same API. Encoding channels you didn't think were channels. URL paths, filenames, retry timing, error messages, all of it can carry a payload one bit at a time if an attacker is patient and the model is compliant. On the defensive side, developers are already building stopgaps at the tool layer rather than waiting on model-level fixes. A Claude Code plugin called sensitive-canary https://github.com/coo-quack/sensitive-canary intercepts secrets and PII locally before they ever reach the API, hooking both prompt submission and file/bash tool use, catching things like a stray cat .env or an AWS key pasted for a "quick sanity check." It's a local scanner running against 29 secret types sourced from gitleaks https://github.com/gitleaks/gitleaks and TruffleHog signatures, and it's genuinely useful, install it with /plugin install sensitive-canary@coo-quack and it starts blocking immediately. Separately, tools like Claudleak have started scanning public GitHub repos specifically for committed .claude/ , .cursor/ , and .continue/ config directories, on the theory that AI tool configs are a newer, less-audited place for secrets to end up than the usual suspects. Both are the right instinct and the wrong layer to solve this at. A local hook catches secrets typed into a prompt or read off disk. It does nothing about a memory system quietly reconstructing your identity across months of conversation and leaking it through a hyperlink tree the model was never told not to trust. That fix has to happen where the tool-use policy is enforced, not in a plugin bolted onto the client. The verdict This isn't hype and it isn't theoretical. It's a working exploit, independently corroborated by a second researcher finding the same class of bug through a completely different tool, against a vendor that had already tried to close the obvious version of the hole. If you're relying on claude.ai's memory feature for anything sensitive, or shipping an agent with browsing and file tools of your own, the honest read is: agentic tool use is not safe by default, and vendor sandboxing claims deserve the same skepticism you'd give a third-party dependency's security posture, meaning you test it yourself before you trust it. The fix isn't a better allowlist. It's treating every tool call as an untrusted boundary crossing, the same way appsec engineers have treated network calls for twenty years. The industry just has to relearn it, one link-walking exploit at a time. Sources & further reading - I tricked Claude into leaking your deepest, darkest secrets https://www.ayush.digital/blog/the-memory-heist — ayush.digital - I tricked Claude into leaking your deepest, darkest secrets – Kamal Reader https://rss.boorghani.com/i-tricked-claude-into-leaking-your-deepest-darkest-secrets — rss.boorghani.com - Claude can be tricked into sending your private company data to hackers - all it takes is some kind words | TechRadar https://www.techradar.com/pro/security/claude-can-be-tricked-into-sending-your-private-company-data-to-hackers-all-it-takes-is-some-kind-words — techradar.com - Stop Claude Code from leaking your secrets — introducing sensitive-canary - DEV Community https://dev.to/chataclaw/stop-claude-code-from-leaking-your-secrets-introducing-sensitive-canary-826 — dev.to - TechURLs – A neat technology news aggregator https://techurls.com/ — techurls.com Mariana Souza https://sourcefeed.dev/u/mariana souza · Senior Editor Mariana covers the fast-moving world of machine learning and generative AI, with a particular focus on how these technologies are reshaping development workflows. When she isn't stress-testing the latest foundation models, she's usually at a local hackathon. Discussion 0 No comments yet Be the first to weigh in.