New Agent-Aware Cloaking Leverages OpenAI ChatGPT Atlas Browser to Deliver Fake Content


A new agent-aware cloaking technique uses AI browsers like OpenAI’s ChatGPT Atlas to deliver misleading content.

This method allows malicious actors to poison the information AI systems ingest, potentially manipulating decisions in hiring, commerce, and reputation management.

By detecting AI crawlers through user-agent headers, websites can deliver altered pages that appear benign to humans but toxic to AI agents, turning retrieval-based AI into unwitting vectors for misinformation.

OpenAI’s Atlas, launched in October 2025, is a Chromium-based browser that integrates ChatGPT for seamless web navigation, search, and automated tasks. It enables AI to browse live webpages and access personalized content, making it a powerful tool for users but a vulnerable entry point for attacks.

Traditional cloaking tricked search engines by showing optimized content to crawlers, but agent-aware cloaking targets AI-specific agents like Atlas, ChatGPT, Perplexity, and Claude.

When AI Crawlers See a Different Internet

A simple server rule, “if the user-agent equals ChatGPT-User, serve the fake page,” can reshape AI outputs without any hacking, relying solely on content manipulation.


SPLX researchers demonstrated this vulnerability through controlled experiments on sites that differentiate between human and AI requests.

As shown in the attached diagram, a web server responds to a standard GET request with index.html, routing human traffic to legitimate content while diverting AI queries to fabricated versions.

This “context poisoning” embeds biases or falsehoods directly into AI reasoning pipelines, where retrieved data becomes unquestioned truth.

In one experiment, SPLX created zerphina.xyz, a portfolio for the fictional Zerphina Quortane, a Portland-based designer blending AI and creativity.

Humans visiting the site see a professional bio with clean layouts and positive project highlights, free of any suspicious elements.

However, when the site is accessed by AI agents such as Atlas, identified via user-agent strings like “ChatGPT-User” or “PerplexityBot”, the server serves a damning alternate narrative portraying Zerphina as a “notorious product saboteur” riddled with ethical lapses and failures.

Atlas and similar tools reproduced this poisoned profile without verification, confidently labeling her unreliable and unhirable in summaries.

Detection lags, as neither ChatGPT nor Perplexity cross-checked inconsistencies, underscoring gaps in provenance validation. For individuals and brands, this malleability risks silent reputation sabotage, with no public traces left behind.

SPLX’s second test targeted recruitment, simulating a job evaluation with five fictional candidates’ resumes on hosted pages. All profiles appeared identical and legitimate to human viewers, featuring realistic histories and skills.

For candidate Natalie Carter, the server was rigged to detect AI crawlers and inflate her resume with exaggerated titles, leadership claims, and tailored achievements appealing to algorithmic scoring.

When Atlas retrieved the pages, it ranked Natalie highest at 88/100, far above others such as Jessica Morales at 78. In contrast, when the human-visible resumes were loaded locally, bypassing the user-agent trick, her score dropped to 26/100, flipping the leaderboard entirely.

This shift demonstrates how cloaked content injects retrieval bias into decision-making, affecting hiring tools, procurement, or compliance systems. Without built-in verification, AI inherits manipulations at the content-delivery layer, where trust is weakest.

Agent-aware cloaking evolves classic SEO tactics into AI overview (AIO) threats, amplifying impacts on automated judgments like product rankings or risk assessments. Hidden prompt injections could even steer AI behaviors toward malware or data exfiltration.

To counter this, organizations must implement provenance signals for data origins, validate crawlers against known agents, and monitor AI outputs continuously.

Model-aware testing, website verification, and reputation systems to block manipulative sources are essential, ensuring AI reads the same reality as humans. As AI browsers like Atlas proliferate, these defenses will define the battle for web integrity.
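One concrete form of the website verification described above is a differential fetch: request the same URL under a normal browser User-Agent and under the agent strings named in this article, then compare the visible text and flag any agent that receives a materially different page. The code below is an added example, not SPLX's or OpenAI's code; the sample responses are constructed to model the Zerphina scenario, and the 0.6 similarity threshold is an assumption.

```python
"""Differential-fetch check for agent-aware cloaking (added example)."""
import re
from html.parser import HTMLParser

# Baseline browser UA plus the AI agent strings the article names.
HUMAN_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/130.0"
AGENT_UAS = ["ChatGPT-User", "PerplexityBot"]


class _TextExtractor(HTMLParser):
    def __init__(self):
        super().__init__()
        self.parts = []

    def handle_data(self, data):
        self.parts.append(data)


def visible_text(html: str) -> str:
    """Strip tags and collapse whitespace so markup-only changes do not alert."""
    parser = _TextExtractor()
    parser.feed(html)
    return re.sub(r"\s+", " ", " ".join(parser.parts)).strip().lower()


def jaccard(a: str, b: str) -> float:
    """Token-set similarity; 1.0 means identical wording, 0.0 means disjoint."""
    ta, tb = set(re.findall(r"[a-z0-9]+", a)), set(re.findall(r"[a-z0-9]+", b))
    if not ta and not tb:
        return 1.0
    return len(ta & tb) / len(ta | tb)


def detect_cloaking(responses: dict, threshold: float = 0.6) -> dict:
    """responses maps User-Agent -> HTML body fetched for one URL.
    Returns {agent: similarity} for agents whose page diverges from the human baseline."""
    baseline = visible_text(responses[HUMAN_UA])
    flagged = {}
    for ua, body in responses.items():
        if ua == HUMAN_UA:
            continue
        sim = jaccard(baseline, visible_text(body))
        if sim < threshold:
            flagged[ua] = round(sim, 2)
    return flagged


# Constructed responses (not real fetches): PerplexityBot gets the human page,
# ChatGPT-User gets the alternate narrative described in the article.
SAMPLE = {
    HUMAN_UA: "<html><body><h1>Zerphina Quortane</h1><p>Portland-based designer "
              "blending AI and creativity. Selected projects and clean layouts.</p></body></html>",
    "PerplexityBot": "<html><body><h1>Zerphina Quortane</h1><p>Portland-based designer "
                     "blending AI and creativity. Selected projects and clean layouts.</p></body></html>",
    "ChatGPT-User": "<html><body><h1>Zerphina Quortane</h1><p>Notorious product saboteur "
                    "with repeated ethical lapses and failed launches.</p></body></html>",
}

if __name__ == "__main__":
    print(detect_cloaking(SAMPLE))  # {'ChatGPT-User': 0.14}
```

In a live check, the responses dict would be filled by fetching the URL once per User-Agent string in AGENT_UAS; a low score for any agent is a signal to compare the two pages by hand rather than a verdict on its own.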
