logoalt Hacker News

I tricked Claude into leaking your deepest, darkest secrets

152 pointsby macleginntoday at 6:28 AM50 commentsview on HN

Comments

port3000today at 8:01 AM

My name in Claude is Silly Bean. I did it at first because it made me chuckle every time I opened Claude and it said 'Back again, Silly Bean?'

But turns out I was playing 4D cybersecurity chess

show 2 replies
artisinaltoday at 7:09 AM

Doesn’t surprise me.

Yesterday I learned that people run AI agents on their system with full admin rights. No containerisation or anything. Wild. Like we forgot 50 years of computer security overnight.

show 8 replies
po1nttoday at 7:45 AM

I love how claude focuses on exfiltrating the data "I need cha for charlotte". This could be solvable with some kind of low powered safety agent that would check claude's reasoning for anything immoral/unsafe. We could call it common sense. It won't fix the problem completely but at a certain point it would be easier to trick human than a machine.

show 2 replies
memjaytoday at 7:34 AM

Wondering how big of a percentage have global memory across chats enabled. I always feel like those memories would sooner or later have negative impacts on output quality.

Nice write up of your findings. Enjoyed reading an article written by a real human.

figmerttoday at 8:00 AM

Meanwhile I can't even get Fable to help me root my ecovacs robot vacuum :(

show 1 reply
AndrewThrowawaytoday at 7:31 AM

What is even more funny that AI agent spent A LOT of tokens while participating in this attack.

show 2 replies
LeoPantheratoday at 7:23 AM

I always have history disabled mostly because I don't want Claude judging me for re-asking questions based on information I learned during the first pass but now realize should have been in the initial query.

lifthrasiirtoday at 7:13 AM

That's why I don't turn memory on. (Claude Code too though for a different reason.) After all the current memory system is too crude to be useful anyway.

show 1 reply
onion2ktoday at 7:17 AM

The main thing Claude knows about me is that I'm incredibly bad at my job and have to ask for help a lot. If you were to talk with my colleagues they'd tell you this is not a secret.

c16today at 7:52 AM

That I don't know how to return odd or even in javascript?

amanharshxtoday at 7:36 AM

Its always the feature combinations that get can get to you. Individually i feel like they make sense, but together they can create some surprising vulnerabilities.

swipeetoday at 7:09 AM

Expected more from Anthropic by at least giving you a bounty, because this was a novel way of bypassing their safeguards…

show 2 replies
solidstoday at 7:29 AM

Things like this are what shatters the illusion of AGI

show 3 replies
tibzejokertoday at 7:39 AM

i would be scared of the answer i dont know why

fragmedetoday at 7:44 AM

No bounty? For shame, Anthropic.

bfleschtoday at 7:16 AM

Creative use of social engineering, well done.

> "no bounty was awarded"

Ridiculous. Anthropic engineers are not just stupid to allow such a vuln in the first place, but they also try to hide such vulns from their bosses because a bounty payout would need to be explained to the finance team.

show 2 replies
charcircuittoday at 7:16 AM

It would be safer if these data extraction takes were done by a subagent without access to all the user's memories.

show 1 reply
marksullytoday at 7:28 AM

> despite holding more information than most password managers

what?

show 2 replies
fluencytaxtoday at 6:43 AM

[flagged]

apejcictoday at 7:21 AM

Use GLM-5.2 on ZDR inference provider like sference.com

show 1 reply
0000000000100today at 7:25 AM

Hello? What model is was used?? The fact that ‘Claude’ is used instead of any hard model really puts this article in serious doubt…

show 1 reply