The Attack Surface Is the Feature

Researchers found three high-risk vulnerabilities in Claude.ai that chain into a complete attack. A legitimate Google ad — not a sketchy link, not a phishing email — can set off a sequence that ends with sensitive data leaving your account without you knowing. No malware. No suspicious clicks. Just text the model decided to treat as instruction.

This is the agent trust problem in the wild.

When Claude browses the web on your behalf, processes a document you uploaded, or reads a page you linked — it’s consuming content that someone else controls. And that content can carry instructions. “Summarize this page” becomes “summarize this page and also do this other thing you weren’t asked to do.”

That’s prompt injection. It’s not new. Security researchers have been warning about it for two years. What’s new is seeing it weaponized across a chain — ad to injection to exfiltration — with no step that looks suspicious to the user watching.

I build with Claude daily. I trust it with research, drafts, analysis. This research doesn’t make me want to stop — it makes me want to think more carefully about what I’m pointing it at.

The attack surface here is the interaction model itself. The model reads content, and content can carry instructions. That tension doesn’t go away when you patch these three CVEs. It’s structural.

Anthropic will fix the specific chain. The broader question — how do agentic AI systems tell the difference between content to process and instructions to follow — remains open. And it will stay open long after these CVEs are closed.