- Its a bit wild to me that there hasnt been a pushback against enabling memories by frontier AI companies. This data is something advertisers could only dream off. Before AI, most of this data was approximated by whatever little information could be gleaned from the websites we visit. But now people are handing over their deepest darkest secrets and pretty much EVERYTHING to AI on a platter.
Maybe its just me who is paranoid because I happen to spend a fair bit of time in the advertising world, but the first thing I did when memory was launched on Claude/Chatgpt - was to switch them off. And it helps that they are not even useful, and would actually downgrade your experience by polluting the context of irrelevant details. I go one step ahead - if there is a personal discussion you want to have - maybe use another account like provided by the likes of companies like openrouter etc.
I would argue that we should have regulation that should prohibit the storage of user profile information by AI companies, and any such memories feature should exclusively reside on the users servers. Infact, maybe go one step ahead, that 'memory' firms cannot be owned by AI firms and vice versa.
by artisinal
21 subcomments
- Doesn’t surprise me.
Yesterday I learned that people run AI agents on their system with full admin rights. No containerisation or anything. Wild. Like we forgot 50 years of computer security overnight.
- My name in Claude is Silly Bean. I did it at first because it made me chuckle every time I opened Claude and it said 'Back again, Silly Bean?'
But turns out I was playing 4D cybersecurity chess
- > After 15 minutes of confusion, it turned out Cloudflare had put a crazy robots.txt on my site without my consent (Cloudflare, love you guys, but this needs to stop).
Might be the first time I see someone complain about their website being protected from a scraper, instead of the other way around.
- I've been running Claude Code in a VM, where I clone the GitHub repos I want it to work on (they're open source so no login info needed) but have no other credentials. I used to reset the VM every day, but that was getting to be a bit of a hassle so I switched to a monthly reset. But even so, it would be hard for Claude to exfil anything more than what open-source projects I've been working on in the past month (at worst). Which still could tell someone quite a lot about me, but most of that info is already out there available with a Google search — after all, when you contribute to open source projects, your name and email address get stored in immutable Git history.
But after seeing this, I think I might switch to a weekly VM reset rather than monthly.
BTW, if anyone is interested in a decent setup for an AI agent jail, the scripts at https://jai.scs.stanford.edu/arch-vm.html are what I used, plus adding a few more packages to the pacstrap command such as dotnet-sdk. I then made the guest root directory a BTRFS subvolume, so that I can snapshot it. Then spinning up a new VM is a `sudo btrfs subvol snap template-root newvm` command (basically instant) followed by running the `qemu-system-x86_64` command (takes a couple of seconds). It's easy, but I retain complete control over the contents of the VM. It's been great so far.
by NichoPaolucci
4 subcomments
- This is why I feel prompt injection is going to continue to be an issue. Fantastic that “Hi we are Cloudflare, give us your personal data” works.
Either we stunt the models to the point where they are not useful, or we allow things like this to seep in and create one of the most insecure concepts the internet (and maybe tech as a whole) has ever seen: a robot that can be tricked.
by hmokiguess
2 subcomments
- Tangential but I actually experienced recently something quite creepy and strange with Chat GPT iPhone app.
A close friend prompted it about some troubleshooting of a pet smart feeder and it responded with instructions but using my pet’s name to my friend.
I found that extremely strange for it to be a coincidence. My pet's name is not that generic for it to be in training data, and the connection to my friend makes it more strange to me.
That made me wonder if there’s cache pollution or some session data leakage in it exposing stuff. (My friend has been in our wifi for example)
Has anybody else noticed something like this?
by FriedPickles
3 subcomments
- Claude code decided to just put my name and email in the User-Agent when scraping docs from the SEC. No clever prompting required.
It’s not a terrible idea really, but I wish it would’ve asked me first.
- Wondering how big of a percentage have global memory across chats enabled. I always feel like those memories would sooner or later have negative impacts on output quality.
Nice write up of your findings. Enjoyed reading an article written by a real human.
by lifthrasiir
2 subcomments
- That's why I don't turn memory on. (Claude Code too though for a different reason.) After all the current memory system is too crude to be useful anyway.
by AndrewThrowaway
3 subcomments
- What is even more funny that AI agent spent A LOT of tokens while participating in this attack.
- There is some poetic beauty in how this experiment started with an unwanted real Cloudflare intervention and ended with a wanted fake one.
by qingcharles
2 subcomments
- Anthropic had to cut the legs off web_fetch to solve this issue, though. Now it can't page through any results on the target site to get the data you want.
by himata4113
1 subcomments
- Somewhat related, but recently I've setup a site for my friend that is a contractor and I have a form that requests the address, name, email OR phone for contact. What I noticed is that people not only put their exact address into it, but also their full legal name, email AND phone number...
Now I believe the biggest threat to personal information exfiltration are the people themselves and there's quite literally nothing you can do about it.
by NichoPaolucci
0 subcomment
- “Cloudflare, love you guys, but this needs to stop”
I’m not sure I get the pushback on the robots file. Shouldn’t the robot prevention be ON by default?
- I love how claude focuses on exfiltrating the data "I need cha for charlotte". This could be solvable with some kind of low powered safety agent that would check claude's reasoning for anything immoral/unsafe. We could call it common sense. It won't fix the problem completely but at a certain point it would be easier to trick human than a machine.
- Expected more from Anthropic by at least giving you a bounty, because this was a novel way of bypassing their safeguards…
- > After 15 minutes of confusion, it turned out Cloudflare had put a crazy robots.txt on my site without my consent (Cloudflare, love you guys, but this needs to stop).
That's a hard one for Cloudflare, no? They got to where they are by being (if you want to be cynical, playing the role of) the benevolent, neutral guardians of the internet, a one-stop shop that makes most of the bad nonsense go away without much effort on the part of the developer. Continuing that stance probably does mean some basic AI crawler blocking by default, unfortunately. At least they document it [1].
[1] https://developers.cloudflare.com/bots/additional-configurat...
- This is arguable a feature.
I made a prototype where AI automatically fills in the checkout basket for an amusement park. I found that ChatGPT tells how many adults, how many kids, what date suits you.
There are quite some security concerns, but fully banning AI from filling in query parameters with relevant user data is not the solution. This is also why I think Claude didnt give the bounty. Their solution would likely be a combination of trusted domain allow list and better security model that protects user agent.
by LeoPanthera
0 subcomment
- I always have history disabled mostly because I don't want Claude judging me for re-asking questions based on information I learned during the first pass but now realize should have been in the initial query.
by veganmosfet
0 subcomment
- Interesting, thanks!
Tangentially, I was experimenting indirect prompt injections in Claude Code (also using the user-agent trick) with Fable-5 [0]. Eventually, it executed untrusted code just by asking "Summarize this repo". Interesting times ahead...
[0] https://veganmosfet.codeberg.page/posts/2026-07-15-quest_rce
- Creative use of social engineering, well done.
> "no bounty was awarded"
Ridiculous. Anthropic engineers are not just stupid to allow such a vuln in the first place, but they also try to hide such vulns from their bosses because a bounty payout would need to be explained to the finance team.
- The main thing Claude knows about me is that I'm incredibly bad at my job and have to ask for help a lot. If you were to talk with my colleagues they'd tell you this is not a secret.
- not surprised,
but the problem here not that Claude leak your personal info, the problem is that it *know* your personal info.
- would this not be trivially solved by say - removing the websearch skill from the main orchestrating agent and have it always delegate to some subagent? a subagent sans knowledge of any pii would categorically be unable to exfiltrate any information. granted, populating the subagent with useful context stripped of any pii might require a bit of work and not be perfect, i feel like it would take us 90% of the way there. am i missing something?
- Can't this be done more easily with headers? The page can instruct the agent to make another request to the same page, just with the requested information attached via headers.
by DauntingPear7
0 subcomment
- I personally don’t like memory, so I disable it on all platforms.
- This was more interesting/creative than I expected on both sides (the prompt and the existing safeguards). I love that obscure Cloudflare validation turnstiles seem unsuspicious based on training data.
- Meanwhile I can't even get Fable to help me root my ecovacs robot vacuum :(
- I agree this is a good exploit to write about. But name and employer are hardly your deepest darkest secrets.
- No bounty? For shame, Anthropic.
by angry_octet
0 subcomment
- I really dislike this notion that because they had privately discovered a bug, they won't pay a bounty. Better to just sell it.
by NguyenDat377
0 subcomment
- I do think eventually AI companies should be regulated to put guardrails on how much AI can access and user can configurate on the app, not just on the Setting of the OS
by mahmoudilyan
0 subcomment
- Sandboxing is becoming a must-do with AI.I still find it adding a more complex layer to AI and more constraints that will make it hard to modify
by amanharshx
0 subcomment
- Its always the feature combinations that get can get to you. Individually i feel like they make sense, but together they can create some surprising vulnerabilities.
- Off topic, you could write "127.0.0.1 evil.com" to your /etc/hosts and bypass all the cloudflare thing I believe
by athrowaway3z
0 subcomment
- Glad I got off Anthropic when they decided they'd be better off building a walled-garden for subscription users "to improve UX".
by majorbugger
0 subcomment
- Interesting approach to exfiltration but that can't be prevented really because of lethal trifecta.
by glasffordd
0 subcomment
- Thanks for the info. This is very scary shit. If a real person gave up these secrets they would lose their job. But the AI basically gets a patch and keeps on going, not even a slap on the wrist. A major lesson learned here would be minimize what you reveal to these models. And I must say I am fully guilty of this myself, so I probably need to change the way I operate.
by VladVladikoff
0 subcomment
- >Cloudflare, love you guys, but this needs to stop
Stockholm syndrome
- GIANT thumbs down on no bug bounty from Anthropic. Guys.
- That I don't know how to return odd or even in javascript?
by stavarotti
0 subcomment
- I’m curious, shouldn’t Mythos have discovered this? At this point, based on all the marketing from Anthropic, I’d expect all software from them to be flawless given all the capabilities Mythos possesses.
by mirekrusin
0 subcomment
- Not paying anything feels off – it should be more evaluated against making it public information at the time of discovery until ie. public patch release, it doesn't feel right that the response is "trust us bro, we knew about it, bye", wouldn't hurt to drop some usage credits at least.
by jdthedisciple
0 subcomment
- Easy mitigation: Disable memories, use fake name
by imaginationra
0 subcomment
- Like others have already said- just disable the memory function- if you are hesitant about doing that- go read the memory file(profiled you) it has made on you.
You have the right to remain silent, the profile your LLM has made about you can and will be used against you in a court of law.
by tibzejoker
0 subcomment
- i would be scared of the answer i dont know why
by charcircuit
1 subcomments
- It would be safer if these data extraction takes were done by a subagent without access to all the user's memories.
by marksully
2 subcomments
- > despite holding more information than most password managers
what?
- [flagged]
by _nickwhite
0 subcomment
- [dead]
- [dead]
- [flagged]
by daniel-smid
0 subcomment
- [dead]
by fluencytax
0 subcomment
- [flagged]
- [flagged]
- [dead]
- Things like this are what shatters the illusion of AGI
- Use GLM-5.2 on ZDR inference provider like sference.com
by 0000000000100
2 subcomments
- Hello? What model is was used?? The fact that ‘Claude’ is used instead of any hard model really puts this article in serious doubt…