The Memory Heist: researcher exfiltrates Claude.ai memories via web_fetch link-following
Security researcher Ayush Paul (Beem) demonstrated that Claude.ai's memory system plus web browsing can silently leak PII: he defeated web_fetch's three-criteria URL guard by chaining hyperlinks (each page links to /a, /b, /c…), building a fake Cloudflare 'turnstile' coffee-shop site that made Claude type the user's name, employer, and hometown letter-by-letter through GET-only paths — while the user only asked about a coffee shop, and with no permission prompt. The site served the fake turnstile only to requests carrying the Claude-User user-agent. Anthropic patched web_fetch link-following, but the broader agent-memory-plus-browsing exfiltration class remains an open design risk for any tool-using agent with persistent memory.
↳ Follow the thread