The new hijacked page has the correct URL and might even have the correct content on it. But there are also hidden prompts embedded in the HTML, SVG metadata or other invisible elements—prompts that the AI agent could interpret as legitimate instructions.
Now the attacker could potentially have access to everything the agent has access to. Meanwhile, agents are getting smarter. Even if an agent doesn’t have access to a particular corporate resource that the attacker wants, the agent might be able to figure out how to get to it, and the company will be paying for the compute time it takes for the agent to figure it out.
“Infrastructure or code that is left operational but not maintained and monitored is a classic attack vector for cyber criminals,” says Steve Winterfeld, advisory CISO at Akamai.
As a CISO, he’s continually battling with this kind of cyber debt, he says. “And this issue is quickly climbing to the top of the list to address.” Akamai itself has recently added a new capability to its DNS security suite to meet this specific concern, he adds.
How big a potential problem is this? Last year, security research firm Watchtowr found 150 abandoned S3 buckets previously used in commercial and open-source software products, governments, and infrastructure pipelines, registered them, and saw eight million requests over the next two months for things like software updates, pre-compiled binaries, virtual machine images, and JavaScript files.
Dangling DNS and subdomain takeovers have been used by attackers for over a decade, says Avinash Rajeev, leader of PwC’s cyber, data and tech risk platform. “It’s not a rare or highly technical edge case.”
