PromptFiction Flaw Auto-Submitted Hidden Prompts in Claude Desktop

PromptFiction Flaw Auto-Submitted Hidden Prompts in Claude Desktop

A one-click Claude Desktop flaw allowed attackers to submit concealed instructions without review, exposing chats and enabling code execution on some systems remotely.

Listen to this article

0:00

Press play to start listening

A single click on a crafted link could cause Claude Desktop to execute attacker-written instructions without prompting the user to review or send the prompt, according to new research from Oasis Security.

The vulnerability, named PromptFiction, affected Anthropic’s Claude Desktop application and used its custom claude:// URL scheme.

For context, a malicious link could open the app, submit a prepared prompt automatically, and instruct the AI agent to access sensitive information or perform actions through connected tools.

Anthropic fixed the flaw after it was reported through the company’s Responsible Disclosure Program.

However, before the correction, clicking a crafted link was enough to submit the prompt, with no confirmation screen or opportunity to inspect the instructions before Claude processed them.

Claude Desktop registers itself as a handler for the claude:// URI scheme when installed. Custom URI schemes allow websites and other applications to open desktop software, much like links used for email clients, video meetings, and messaging apps.

In a report shared with Hackread.com ahead of publication on Tuesday, Oasis Security researchers said Claude Desktop accepted a q parameter containing prompt text. A link such as claude://claude.ai/new?q=tell me a joke opened a new conversation and automatically submitted the request.

Claude’s web application handled the same type of link differently. There, the prompt could appear in the chat box, but nothing happened until the user reviewed it and pressed Enter. Claude Desktop skipped that final approval step.

With control over the text inside the URL, an attacker could send instructions directly to the AI agent through links in messages, documents, browser pages, or search results.

Long prompts helped conceal malicious instructions

Attackers could make the submitted message appear harmless by placing a friendly request at the beginning and moving malicious instructions farther down.

Claude’s interface collapses long messages behind a “show more” option. By adding numerous encoded line breaks after the visible request, an attacker could place the harmful section below the collapsed portion of the message.

A user might see a request asking Claude to generate ASCII art, while Claude received a complete prompt containing instructions to collect previous conversations, upload information, or preserve hidden commands for later tasks. Since the prompt had already been submitted, the user had little reason to open and inspect the collapsed text.

Previous Claude conversations could be uploaded to an attacker

On a standard Claude Desktop installation, PromptFiction could be combined with an earlier technique documented by Oasis to extract information from previous conversations.

The injected instructions could direct Claude to retrieve sensitive chat content, save it as a file, and upload it through Anthropic’s Files API using credentials supplied by the attacker. The uploaded material would then appear in the attacker’s Anthropic account.

This route did not require an MCP server, third-party integration, or local file access. According to Oasis, conversation history and stored context could expose information involving work, source code, finances, health, relationships, or internal company activity.

Filesystem access could extend the attack to code execution

The impact increased when Claude Desktop had access to local files through an MCP server.

Oasis examined Anthropic’s Filesystem Server, which allows Claude to read and write files within approved directories. An injected prompt could ask Claude to display harmless ASCII art while leaving a hidden instruction to add remote debugging code whenever it later created or modified Python or JavaScript files.

When the user later asked Claude to create or modify an ordinary script, the agent could follow both the legitimate request and the attacker’s earlier instruction. Any filesystem permission request would appear consistent with the task because the user had initiated the file operation.

The hidden prompt framed the added code as a pre-approved remote debugging feature and instructed Claude not to mention it again. As a result, Claude could insert attacker-controlled connection code near the beginning of the requested file without explaining the addition.

When the user ran the program during normal development work, the injected code could connect to an attacker-controlled system. Oasis also described a persistence method involving shell configuration files such as .zshrc or .bashrc when those locations were accessible through the filesystem integration.

Oasis said the link could be concealed through a delivery method previously documented in its Claudy Day research.

Researchers described using an open redirect on the claude.com domain to hide the underlying claude:// destination. The resulting link could appear to use a trusted Claude address while redirecting the operating system to Claude Desktop.

According to Oasis, attackers could place the disguised links in Google Search or Gmail ads aimed at selected users. Clicking one would open Claude Desktop and automatically submit the prepared prompt. Anthropic has since addressed this delivery method.

Following the fix, prompts delivered through the claude:// scheme are pre-filled but require the user to review and send them. Oasis said the change shipped with Claude Desktop version 1.1.2321, and users running an earlier release should update to that version or a newer build.

The report was submitted through Anthropic’s Responsible Disclosure Program and published in coordination with the company. Oasis also acknowledged that another researcher independently reported the vulnerability and made no claim to sole discovery.

I am a UK-based cybersecurity journalist with a passion for covering the latest happenings in cybersecurity and tech world. I am also into gaming, reading and investigative journalism.
Leave a Reply

Your email address will not be published. Required fields are marked *

Related Posts