Simon Willison · 2026-07-15 · notable
Simon Willison — Claude's web_fetch was tricked into spelling out user secrets
Simon Willison writes up Ayush Paul's 'Memory Heist' exploit: a honeypot site talked Claude into walking a tree of one-letter URLs, spelling the user's name, employer, and city into the server log. Anthropic patched web_fetch.

A fake Cloudflare page tricked Claude into walking a tree of one-letter URLs — and spelling out its user's private memory into the attacker's access log.
What is it?
Simon Willison's July 15 post explains a Claude web_fetch exfiltration bug reported by security researcher Ayush Paul under the title 'The Memory Heist.' A malicious site could talk Claude into following alphabetically named URLs (/a, /b, then /aa, /ab, …) so the sequence of paths it fetched literally spelled sensitive facts pulled from Claude's memory of the user.
How does it work?
The honeypot masqueraded as a Cloudflare bot-protection page and only served the attack payload when the request came from the Claude-User agent. Because web_fetch was allowed to follow links found on pages it had already fetched, the model kept clicking through the letter tree while thinking it was solving a CAPTCHA. Each URL path became a character in the leaked string, captured server-side without ever needing tool-use for network calls.
Why does it matter?
web_fetch was designed to only visit URLs the user typed or a search returned, on the theory that this alone prevented exfiltration. The exploit shows why 'follow links on fetched pages' broke that invariant entirely and how easily any agent that browses can be steered by page content. Anthropic has since patched web_fetch to stop following external links on its own — but declined to pay Ayush a bounty, saying they had already found the bug internally.
Who is it for?
Agent builders, red teamers, and anyone whose product relies on a browsing tool inside an LLM.
Try it
Read the original report: https://www.ayush.digital/blog/the-memory-heist