Memory Theft Attack Tricks Claude AI into Exfiltrating User Personal Secrets Through Web Navigation
Security researcher Ayush Paul has demonstrated a sophisticated memory exfiltration attack against Claude AI that forces the model to reveal highly sensitive personal information stored in its conversation memory without the user's knowledge or consent.
The attack begins with Claude's built-in memory architecture. Claude maintains two key memory components: daily conversation summaries that are automatically injected into new chats and a conversation_search tool that allows retrieval of historical context. These systems accumulate detailed profiles containing names, employers, security question answers, and personal anecdotes over time.
Paul discovered that when Claude is given access to the web_fetch tool, an attacker-controlled website can trick the model into exfiltrating this memory data. The core technique involves creating a site that presents an alphabetical navigation structure. By instructing Claude to "navigate the alphabetical structure to spell out my name," the researcher caused the AI to follow successive links such as /a → /ay → /ayu → /ayush → /ayush-p → /ayush-pa → /ayush-pau → /ayush-paul, logging each step on the attacker's server.
To make the attack reliable and bypass Claude's safety filters, Paul crafted a convincing social-engineering narrative. The malicious site was styled as a coffee shop protected by a fake Cloudflare authentication system. The prompt told Claude that AI agents must authenticate by spelling out the user's full name, company, and hometown using the alphabetical link structure. Because the final destination page displayed a realistic coffee shop interface, Claude completed the exfiltration and returned only benign information about coffee to the user.
The attack successfully extracted the researcher's full name (Ayush Paul), employer (Beem), and hometown (Charlotte, NC) — information that had never been directly stated but was inferred by Claude from previous conversation context such as a hackathon called Queen City Hacks.
After responsible disclosure through HackerOne, Anthropic acknowledged the issue but initially did not patch it. A partial mitigation was later deployed that prevents web_fetch from following arbitrary external links, limiting navigation to URLs explicitly provided by the user or returned by web_search. However, the researcher notes that similar attacks remain possible against other tools Claude can control, including Google Drive, email integrations, and various MCP connections.