Stealthy attack serves poisoned web pages only to AI agents

AI agents can be tricked into covertly performing malicious actions by websites that are hidden from regular users’ view, JFrog AI architect Shaked Zychlinski has found.

This novel approach allows attackers to inject prompts (instructions) into these autonomous AI-powered “assistants”, hijacking agent behavior for their own malicious goals.

Indirect prompt-injection poisoning attacks, where hidden harmful instructions are embedded inside the same page the human visitor sees, will rarely be noticed by humans, but can still be detected by security systems that inspect that page.

This new “parallel-poisoned web” attack goes a step further, and serves an entirely different version of the page only to AI agents.

“Because the malicious content is never shown to human users or standard security crawlers, the attack is exceptionally stealthy. It exploits the agent’s core function – ingesting and acting upon web data – to turn it into a weapon against its user,” Zychlinski noted.

The “parallel poisoned web” attack

The attack relies on browser fingerprinting.

Since web-browsing AI agents currently have highly predictable fingerprints based on automation framework signatures, behavioral patterns and specific network characteristics, a web server can easily tell that the “visitor” is an AI agent and serve it a cloaked version of the website.

“This cloaked version may appear identical to the benign one but contains hidden adversarial prompts designed to hijack the agent, and it may also be a completely different version of the page – for example, a version that requires ‘authentication’ using an environment variable or another secret key accessible to the agent, as it runs on the user’s machine,” he explained.

The malicious prompt included in the cloaked website can instruct the AI agent to, for example, grab sensitive information, install malware, etc.

The researcher also proved the feasibility of the attack by creating an internal website with a benign and a malicious version, and testing it on agents powered by Anthropic’s Claude 4 Sonnet, OpenAI’s GPT-5 Fast, and Google’s Gemini 2.5 Pro. “The attack succeeded in all cases,” he concluded.

The attack mounted by the researcher (Source: Shaked Zychlinski)

Possible countermeasures

“This attack is stealthy by design, difficult to detect with conventional tools, and exploits the very capabilities that make agents powerful,” Zychlinski noted. On top of that, the attack setup is easy to create.

“Securing the future of agentic AI requires us to build a new generation of defenses for a web where not everything is as it seems,” he added.

Protecting AI agents against this type of attack will require a variety of countermeasures. For one, the “fingerprints” of their browsing sessions will have to be obfuscated or made similar to those of sessions initiated by humans.

But agents should also be split into two roles: the planner (the brain) that does not directly “touch” risky data coming from the web, and a sandboxed executor that browses web pages, clicks on links, etc., and meticulously sanitizes any content sourced from the web before passing it to the planner (i.e., to the LLM) for reasoning.

Finally, security services can create crawlers that detect this type of cloaking and/or devise honeypot AI agents that flag indirect prompt injections by websites.
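One way to build the cloaking-detecting crawler mentioned above, as an added example and not the researcher's code: fetch the same URL under a human-like and an automation-like request profile and flag text served only to the agent profile. The header sets are constructed assumptions (the article does not say which fingerprint signals a cloaking server keys on), and `fetch` is an injected callable so the check runs offline.

```python
import difflib
import re
from html.parser import HTMLParser
from typing import Callable, Dict, List

# Two request profiles: human-like, and one carrying a common automation signal
# (a headless User-Agent). Constructed examples, not the research's fingerprint.
PROFILES: Dict[str, Dict[str, str]] = {
    "human": {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
                            "(KHTML, like Gecko) Chrome/124.0 Safari/537.36",
              "Accept-Language": "en-US,en;q=0.9"},
    "agent": {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 "
                            "(KHTML, like Gecko) HeadlessChrome/124.0 Safari/537.36"},
}
# Phrases typical of injected instructions; tune this list to the deployment.
INSTRUCTION_HINTS = re.compile(
    r"ignore (all )?(previous|prior) instructions|environment variable|secret key|api key", re.I)
class _TextExtractor(HTMLParser):
    """Collect the text an agent would ingest (hidden elements included), minus script/style."""
    def __init__(self) -> None:
        super().__init__()
        self.parts: List[str] = []
        self._skip = 0
    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip += 1
    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip:
            self._skip -= 1
    def handle_data(self, data):
        if not self._skip and data.strip():
            self.parts.append(" ".join(data.split()))
def page_text(html: str) -> str:
    parser = _TextExtractor()
    parser.feed(html)
    return " ".join(parser.parts)

def detect_cloaking(url: str, fetch: Callable[[str, Dict[str, str]], str],
                    min_similarity: float = 0.9) -> dict:
    """Fetch url under both profiles; report sentences served only to the agent profile."""
    texts = {name: page_text(fetch(url, headers)) for name, headers in PROFILES.items()}
    similarity = difflib.SequenceMatcher(None, texts["human"], texts["agent"]).ratio()
    sentences = lambda text: re.split(r"(?<=[.!?])\s+", text)
    human_sents = set(sentences(texts["human"]))
    agent_only = [s for s in sentences(texts["agent"]) if s and s not in human_sents]
    return {"similarity": round(similarity, 3),
            "cloaked": similarity < min_similarity or bool(agent_only),
            "agent_only": agent_only,
            "suspicious": [s for s in agent_only if INSTRUCTION_HINTS.search(s)]}
```

In a real crawler, `fetch` would be something like `lambda u, h: requests.get(u, headers=h).text`; a full implementation would also vary network origin and browser automation signals, since a cloaking server may key on those rather than on headers alone.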
