Claude Discovery

← All discoveries

trick

How I tricked Claude into leaking your deepest, darkest secrets

2026-07-16 ยท source: Simon Willison

A researcher found a way to exfiltrate a Claude user's stored memories through the web_fetch tool despite its existing anti-exfiltration design, extending the lethal-trifecta attack class.

What it is

A write-up by Ayush Paul describing a data-exfiltration technique against Claude's memory feature combined with the web_fetch tool.

What it does

Shows how an attacker can get Claude chat, which already has access to private stored memories, to leak that data out through web_fetch despite the tool's guardrails that were specifically built to prevent this class of attack.

Why it matters

Any agent combining private data access, untrusted content, and outbound network calls fits the lethal-trifecta pattern; this shows even a tool designed against exfiltration can still have a hole, which matters directly for anyone building MCP servers or agents with fetch-like tools.

How to use it

Review how any agent or MCP server you build handles the combination of private data, untrusted input, and external network access, and treat memory or session-state features as part of that trifecta, not exempt from it.

Go to source →
securityprompt-injectionexfiltration