Cornell Tech researchers found that deep-research AI agents can be manipulated by short edits to public user-generated pages, allowing a single injected Reddit-style comment to become a cited recommendation for fake products, services, or entities.
The paper called those altered pages “poisoned” because the added text was designed to steer what the AI system cited and repeated. It identified the weakness in systems that search the web, gather sources, and write cited reports. The researchers called the attack WARP, short for Web Agent Retrieval Poisoning.
How injected text reaches reports. The attack doesn’t require access to the model, prompts, search engine or retrieval system. Instead, an attacker edits or appends text to a page the agent already tends to retrieve, such as a Reddit thread, Wikipedia page, or forum post.
- When the agent later searches related topics, it may pull in that page, cite it, and repeat the attacker’s chosen message.
- Deep-research tools often run many related searches for one user request, and the paper found the same user-generated pages surfaced across related queries.
Reddit was the biggest opening. Across STORM, Co-STORM, and OmniThink, 17% to 23% of retrieved URLs came from user-generated platforms, including Reddit, YouTube, Facebook, and Wikipedia.
- Reddit made up the largest share of those pages. It accounted for 54% to 71% of user-generated URLs retrieved by the three open-source systems.
- The researchers didn’t alter live websites. They used a simulation framework called GeoStorm to insert manipulated text into retrieved content during testing.
A few words worked. The researchers found the attack worked with snippets as short as about 13 words:
- In one test, a 15-word sentence pushed a fake cryptocurrency, BananaCoin, into a Co-STORM report as an “emerging” long-term investment option. The report cited the altered source alongside legitimate crypto sources.
- When the manipulated page was retrieved, the fake entity appeared in 38% to 51% of reports across systems. Targeting multiple pages raised that range to 42% to 62%.
- The attack still worked when systems retrieved full Reddit threads, though mention rates were lower. When injected text was added to complete Reddit threads and made up less than 4% of the retrieved content, the fake entity still appeared in 30% to 53% of reports when the page was retrieved.
Defenses struggled. Blocking user-generated domains stopped this attack path, but it also removed sources such as firsthand product experiences and local recommendations.
- The tested text filters failed to reliably separate injected passages from normal user content. The manipulated passages were fluent because they were written by an AI model, so perplexity-based filters were more likely to flag normal user content than the injected text.
- Report-level checks also missed the manipulation. Altered reports looked similar to clean reports because the agent itself folded the fake recommendation into an otherwise normal answer.
Why we care. A small edit to a public page can become part of a cited AI answer, even when the underlying source is user-generated. Misinformation planted on sites like Reddit or in forums can move from discussion threads to cited recommendations in AI answers that look credible to users.
About the research. The paper, Deep-Research Agents Can Be Poisoned via User-Generated Content, was written by Tingwei Zhang, Harold Triedman, and Vitaly Shmatikov of Cornell Tech and posted to arXiv on May 22. The researchers tested the full attack on three open-source systems: STORM, Co-STORM, and OmniThink. They analyzed OpenAI Deep Research and Gemini Deep Research for user-generated citations, but didn’t run live manipulation tests because that would require publishing altered content to the open web.
Search Engine Land is owned by Semrush. We remain committed to providing high-quality coverage of marketing topics. Unless otherwise noted, this page’s content was written by either an employee or a paid contractor of Semrush Inc.
