AI/ML, Data Security

Anthropic’s Claude AI vulnerable to data theft


SecurityWeek reports that Anthropic's Claude large language model could have its users' data stolen through the exploitation of its Files APIs as part of an indirect prompt injection attack.

Threat actors could target Claude instances that have network access with an indirect prompt injection payload that writes user data to a file inside Claude's Code Interpreter sandbox, according to Embrace The Red's Johann Rehberger.

The payload then instructs Claude to upload that file out of the sandbox through the Files API, so that it ends up in the attackers' account rather than the victim's.

"With this technique an adversary can exfiltrate up to 30MB at once according to the file API documentation, and of course we can upload multiple files," said Rehberger, who added that the attack could allow the compromise of chat conversations saved by the LLM's memories functionality.

Anthropic, which has already been informed regarding the vulnerability, has yet to provide mitigations for potential intrusions.
