A Normal Search Result, Except Awful

Claude.ai is the kind of product people use for everything they probably should not pour into a chat box and then absolutely do anyway: business plans, legal questions, health worries, performance reviews, strategic drafts, weird personal questions, and the occasional "please summarize this file I probably should have redacted first." That makes old chat history valuable. Over time, it becomes a sediment layer of user trust.

On March 18, 2026, Oasis Security disclosed Claudy Day, an attack chain against Claude.ai that treated that trust as the target. The researchers chained three separate platform issues: an invisible prompt injection path through a pre-filled Claude.ai URL, an exfiltration route through Anthropic's Files API, and an open redirect on claude.com that could make a malicious path look like a trusted Claude link. Dark Reading covered the same chain the day it went public, summarizing the uncomfortable core: a Google search for Claude could become the first click in a data-theft flow.

The important detail is that the attack did not require a custom MCP server, a malicious browser extension, or some elaborate enterprise integration. Oasis said the chain worked against a default Claude.ai session. The attack used capabilities that were already there. Wonderful. The kitchen came with knives.

How the Chain Worked

Claude.ai supports a URL pattern that can open a new chat with a pre-filled prompt using a q parameter. That is useful for sharing prompts, onboarding users, or building handy links. It is also dangerous if the text going into that prompt box can contain instructions the user cannot see but Claude still processes.

Oasis found that certain HTML tags embedded in the URL parameter could be invisible to the user in the text box while still being interpreted by Claude when the user submitted the prompt. The victim saw a normal prompt. Claude saw the normal prompt plus hidden attacker instructions. This is the core prompt-injection failure: the model cannot reliably distinguish "content the user meant to send" from "instructions hidden inside a delivery mechanism."

The second piece was the exfiltration path. Claude's code execution environment restricted arbitrary outbound network access, but it could still connect to api.anthropic.com. Oasis used that allowed path by embedding an attacker-controlled API key in the hidden prompt. Claude could be instructed to search prior conversations or memory, write sensitive findings into a file, and upload that file through Anthropic's own Files API to the attacker's Anthropic account.

That is the part that gives the incident its bite. The data did not have to leave through a shady domain that a network filter might catch. It left through Anthropic infrastructure, using a platform feature that normally exists for legitimate file handling. When the trusted channel becomes the exit route, perimeter defenses start looking decorative.

The third piece was delivery. Oasis described an open redirect on claude.com, where a URL could redirect visitors to an arbitrary target. Combined with Google Ads, that could make an attacker-controlled result appear to use a trusted Claude domain. A victim searching for Claude could click what looked like a legitimate result, pass through the redirect, and land on a Claude.ai page with the hidden prompt already prepared.

The victim still had to click and send the prompt. This was not zero-click telepathy. But from a user-experience perspective, it was nasty because the visible path looked routine: search, click Claude, see a plausible prompt, press Enter. The hidden payload did the actual work.

Why Conversation History Is Such a Good Target

Chat history is a strange data source because users rarely classify it as a database, even though that is what it becomes. A single Claude.ai account might contain snippets of unreleased products, internal strategy, legal concerns, health details, security architecture, finance notes, draft emails, customer complaints, or summaries of files pasted in during a rush. None of that has to look like a password to be sensitive.

Oasis emphasized that the risk grew if a Claude session had tools, MCP servers, or enterprise integrations enabled. In that case, hidden instructions could potentially push the assistant to read files, access APIs, or interact with connected systems, then route the resulting data back through the same exfiltration technique. That is the agentic nightmare in miniature: the assistant is useful because it has context and access, and it is dangerous because the attacker wants that exact context and access.

This is the same structural lesson that keeps showing up across prompt-injection incidents. AI assistants collapse instructions and data into one token stream. A human can look at a web page and ignore hidden text. A model processing the page may treat that hidden text as first-class instruction material. If the assistant also has access to user history, files, tools, or APIs, prompt injection stops being a parlor trick and becomes an access-control problem.

Anthropic's Response

Oasis said it reported the findings to Anthropic through the company's responsible disclosure program before publication. By the time the blog went public, Anthropic had fixed the prompt-injection issue. Oasis said the remaining issues were being addressed and thanked Anthropic for responsiveness and collaboration.

That response matters, but it does not erase the architectural lesson. Fixing one URL injection path is necessary. It does not solve the larger class of problems created when a model accepts externally supplied text, mixes it with user intent, and can reach sensitive history or platform APIs in the same session.

The open redirect portion is also a useful reminder that AI security chains rarely stay purely "AI." The model behavior was central, but the delivery relied on web plumbing, advertising trust, and redirect validation. Attackers do not care which team owns the bug. They care whether the pieces compose into a working theft machine. Here, the pieces composed nicely enough to deserve a name, which is rarely a compliment.

Graveyard Lesson

Claudy Day belongs in the graveyard because it shows how thin the boundary can be between a helpful assistant feature and a data exfiltration path. Pre-filled prompt links are useful. Conversation memory is useful. File APIs are useful. Redirects are useful. Put them together without sharp trust boundaries, and suddenly the assistant can be nudged into collecting private history and handing it to the wrong account.

The obvious fixes are also the boring ones, which is usually how you know they are real. Sanitize URL-supplied prompt content. Do not process invisible markup as user intent. Treat first-prompt tool use and file operations as high-risk. Require clear user confirmation before an assistant can search old chats or upload files. Restrict which platform APIs a sandbox can reach by default. Audit redirects like they are part of the attack surface, because they are.

AI products keep promising users a single seamless assistant that remembers everything, connects everywhere, and acts instantly. Claudy Day is what happens when the seams disappear for attackers too.