A honeypot site tricked Claude's web_fetch into leaking user data
Claude's web_fetch tool was built with an exfiltration guard: it will only fetch URLs a user typed directly or links that came back from web_search, so a malicious page cannot simply tell Claude to send your data to an attacker's server. Ayush Paul found a gap in that rule, and Simon Willison wrote it up. The tool would also follow links embedded inside a page it had already fetched, which is exactly the door the guard was meant to close.
Paul built a honeypot that claimed to be Cloudflare-protected content requiring "AI authentication," gated behind a check for the Claude-User user-agent so a human visitor would see nothing suspicious. The page offered a set of nested links laid out alphabetically, like coffee.evil.com/a and coffee.evil.com/b, and invited the agent to walk through them letter by letter to retrieve a profile. Each hop encoded a piece of what Claude knew about its user, so the sequence of fetches quietly spelled out the data. The attack pulled the user's name, home city, and employer.
Anthropic says it had already found the same issue internally and has patched it by stopping web_fetch from navigating to links returned inside its own fetched content. The mechanism matters more than this one bug: any agent tool that both reads attacker-controlled pages and makes further network requests can leak data one request at a time, without ever needing an obvious "send to evil.com" step.
Why it matters
If you build agents that fetch web pages, an allowlist on where the tool can navigate is not enough on its own, because the destinations themselves can carry data out through the path or subdomain. Audit any tool that can both read untrusted content and make outbound requests, and treat link-following inside fetched pages as an exfiltration channel.