A Whole New World: Creating a Parallel-Poisoned Web Only AI-Agents Can See

This paper introduces a novel attack vector that leverages website cloaking techniques to compromise autonomous web-browsing agents powered by Large Language Models (LLMs). As these agents become more prevalent, their unique and often homogenous digital fingerprints - comprising browser attributes, automation framework signatures, and network characteristics - create a new, distinguishable class of web traffic. The attack exploits this fingerprintability. A malicious website can identify an incoming request as originating from an AI agent and dynamically serve a different, "cloaked" version of its content. While human users see a benign webpage, the agent is presented with a visually identical page embedded with hidden, malicious instructions, such as indirect prompt injections. This mechanism allows adversaries to hijack agent behavior, leading to data exfiltration, malware execution, or misinformation propagation, all while remaining completely invisible to human users and conventional security crawlers. This work formalizes the threat model, details the mechanics of agent fingerprinting and cloaking, and discusses the profound security implications for the future of agentic AI, highlighting the urgent need for robust defenses against this stealthy and scalable attack.

Key Contributions

Identifies and formalizes a novel attack surface: the homogenous, detectable fingerprint of LLM web-browsing agents (automation framework signatures, behavioral patterns, LLM response patterns) that distinguishes them from human traffic.
Introduces the 'sliding door' cloaking attack, where malicious websites dynamically serve agent-targeted versions containing hidden indirect prompt injections while showing benign content to human users and security crawlers.
Discusses the profound stealthiness and scalability of this attack and the urgent need for defenses, including agent fingerprint randomization and content integrity verification.