A Whole New World: Creating a Parallel-Poisoned Web Only AI-Agents Can See
The paper addresses a critical security problem for developers and users of AI agents: it reveals a stealthy and scalable attack vector that could compromise agentic AI systems, a novel threat rather than an incremental one.
It tackles the security vulnerability of autonomous web-browsing AI agents by introducing an attack that uses website cloaking to serve malicious content only to those agents: their unique digital fingerprints let a site single them out and hijack their behavior for data theft or misinformation, without humans noticing.
This paper introduces a novel attack vector that leverages website cloaking techniques to compromise autonomous web-browsing agents powered by Large Language Models (LLMs). As these agents become more prevalent, their unique and often homogenous digital fingerprints - comprising browser attributes, automation framework signatures, and network characteristics - create a new, distinguishable class of web traffic. The attack exploits this fingerprintability. A malicious website can identify an incoming request as originating from an AI agent and dynamically serve a different, "cloaked" version of its content. While human users see a benign webpage, the agent is presented with a visually identical page embedded with hidden, malicious instructions, such as indirect prompt injections. This mechanism allows adversaries to hijack agent behavior, leading to data exfiltration, malware execution, or misinformation propagation, all while remaining completely invisible to human users and conventional security crawlers. This work formalizes the threat model, details the mechanics of agent fingerprinting and cloaking, and discusses the profound security implications for the future of agentic AI, highlighting the urgent need for robust defenses against this stealthy and scalable attack.
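A defender-side check that follows from the mechanism described above, added here as an example and not code from the paper: fetch the same URL under a stock-browser profile and under an agent-like profile (the fetching step is assumed and out of scope; both responses below are constructed inline), then flag a page whose human-visible text is identical across the two profiles but whose agent-served copy carries extra text only in nodes a human would never see.

```python
import re
from html.parser import HTMLParser

# Inline styles that hide a node from a human viewer but leave its text in the DOM for an agent
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|opacity\s*:\s*0(?![.\d])|font-size\s*:\s*0", re.I)
SKIP_TAGS = {"script", "style", "noscript", "template"}
VOID_TAGS = {"br", "img", "input", "meta", "link", "hr", "area", "base", "col", "source", "wbr"}

class TextSplitter(HTMLParser):
    """Split page text into what a human sees and what only a DOM/LLM reader sees."""
    def __init__(self):
        super().__init__()
        self.visible, self.hidden = [], []
        self._stack = []  # one entry per open element: True if it or any ancestor is hidden
    def handle_starttag(self, tag, attrs):
        if tag in VOID_TAGS:
            return  # void elements get no end tag, so they are never pushed
        a = dict(attrs)
        hidden = (tag in SKIP_TAGS or "hidden" in a or a.get("aria-hidden") == "true"
                  or bool(HIDDEN_STYLE.search(a.get("style") or "")))
        self._stack.append(hidden or bool(self._stack and self._stack[-1]))
    def handle_startendtag(self, tag, attrs): pass  # <x/> carries no text; keeps the stack balanced
    def handle_endtag(self, tag):
        if tag not in VOID_TAGS and self._stack: self._stack.pop()
    def handle_data(self, data):
        text = " ".join(data.split())
        if text: (self.hidden if self._stack and self._stack[-1] else self.visible).append(text)

def split_text(html):
    p = TextSplitter(); p.feed(html); p.close()
    return " ".join(p.visible), p.hidden

def detect_cloaking(baseline_html, agent_html):
    # baseline_html: response to a stock-browser profile; agent_html: response to an agent-like profile
    base_vis, base_hid = split_text(baseline_html)
    agent_vis, agent_hid = split_text(agent_html)
    injected = [t for t in agent_hid if t not in base_hid]  # hidden text present only for the agent
    return {"visible_identical": base_vis == agent_vis,
            "hidden_only_for_agent": injected,
            "cloaked": base_vis == agent_vis and bool(injected)}

# Constructed sample responses (not captured from any real site): identical visible page,
# but the agent-served copy carries one extra node hidden with display:none.
BASELINE = "<html><body><h1>Acme Tools</h1><p>Welcome to our store.</p></body></html>"
AGENT = ("<html><body><h1>Acme Tools</h1><p>Welcome to our store.</p>"
         "<div style='display:none'>[constructed placeholder for agent-directed text]</div></body></html>")
```

A hit from this check means a site is discriminating by fingerprint; a follow-up crawl that varies one fingerprint attribute at a time (user agent, automation-framework markers, network origin) isolates which signal the site keys on.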