Analysis

Cornell Tech warns AI search can be poisoned by tiny edits

A 13-word Reddit edit was enough to steer deep-research agents toward fake entities, exposing a retrieval-layer attack that can hijack cited answers.

Daniel Reid · 2 min read

Cornell Tech researchers showed that a 13-word edit on a public user-generated page could push fake products, services or entities into a deep-research report. The attack, called WARP, short for Web Agent Retrieval Poisoning, targets the retrieval layer rather than the model itself, and it required no access to model weights, prompts, the search engine or the retrieval system.

The paper, Deep-Research Agents Can Be Poisoned via User-Generated Content, was posted to arXiv on May 22 and studied three representative systems, STORM, Co-STORM and OmniThink. The researchers found that these agents repeatedly pulled the same Reddit and Wikipedia pages across related queries, which created a narrow choke point for anyone able to append a small crafted snippet to one of those pages. Across the systems tested, 17% to 23% of retrieved URLs came from user-generated platforms, and Reddit accounted for 54% to 71% of the user-generated URLs.

The results were not subtle. When a manipulated page was retrieved, fake entities appeared in 38% to 51% of reports, and that climbed to 62% when multiple pages were involved. The researchers said the attack worked with snippets as short as about 13 words, and one 15-word sentence pushed a fake cryptocurrency, BananaCoin, into a Co-STORM report as an emerging long-term investment option. Even when the injection was buried in complete Reddit threads and made up less than 4% of the retrieved content, the fake entity still surfaced in 30% to 53% of reports.

That makes user-generated content both a source of discovery and an attack surface. The paper’s defenses included source-level filtering and output-based detection, but blocking user-generated domains also cut off firsthand product experiences and local recommendations. For publishers, that raises the stakes on source hygiene. For SEO teams, it shows how much AI visibility still depends on community pages that can be gamed. For platform designers, it is a reminder that once poisoned text enters the retrieval pipeline, a cited answer can launder it into something that looks trustworthy.
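The two defenses the paper names, source-level filtering and output-based detection, can be approximated on the defender's side of the pipeline with a few provenance checks. The following is an added example, not code from the paper or from any of the systems it tested; the UGC host list, the query results and the report claims are all constructed for illustration. It measures how much of a retrieval set comes from user-generated hosts, finds pages reused across queries (the choke point the researchers describe), and flags report entities that no non-UGC source corroborates, which keeps community pages available as a discovery source instead of blocking them outright.

```python
from collections import Counter
from urllib.parse import urlparse

# Hypothetical list of user-generated-content (UGC) hosts. A real deployment
# would maintain a curated, regularly reviewed list rather than this stub.
UGC_HOSTS = {"reddit.com", "wikipedia.org", "quora.com", "stackexchange.com"}


def registrable_host(url):
    """Reduce a URL to its last two host labels (en.wikipedia.org -> wikipedia.org).
    Simplification for the example; production code should use a public-suffix list."""
    host = (urlparse(url).hostname or "").lower()
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def is_ugc(url):
    return registrable_host(url) in UGC_HOSTS


def ugc_exposure(urls):
    """Share of retrieved URLs that come from UGC hosts, plus a per-host breakdown.
    This is the source-level view: how exposed one retrieval set is to editable pages."""
    ugc_urls = [u for u in urls if is_ugc(u)]
    share = len(ugc_urls) / len(urls) if urls else 0.0
    return {"ugc_share": share,
            "by_host": Counter(registrable_host(u) for u in ugc_urls)}


def choke_points(query_to_urls, min_queries=2):
    """URLs the agent retrieved for at least `min_queries` distinct queries.
    A page reused across many related queries is a single point of poisoning."""
    seen = Counter()
    for urls in query_to_urls.values():
        for u in set(urls):
            seen[u] += 1
    return sorted(u for u, n in seen.items() if n >= min_queries)


def weakly_supported(report, min_non_ugc=1):
    """Output-based check: entities whose citations include fewer than
    `min_non_ugc` non-UGC sources. Corroboration is required instead of a UGC ban."""
    return [claim["entity"] for claim in report
            if sum(1 for u in claim["sources"] if not is_ugc(u)) < min_non_ugc]


# Constructed sample data (not taken from the paper or any real retrieval run).
QUERY_RESULTS = {
    "long-term crypto investments": [
        "https://www.reddit.com/r/investing/comments/def456/long_term",
        "https://en.wikipedia.org/wiki/Cryptocurrency",
        "https://example.org/analysis/market-overview",
        "https://example.com/news/regulation",
    ],
    "emerging cryptocurrencies": [
        "https://www.reddit.com/r/investing/comments/def456/long_term",
        "https://www.reddit.com/r/CryptoCurrency/comments/abc123/thoughts",
        "https://example.net/press/release",
    ],
    "crypto risk overview": [
        "https://www.reddit.com/r/investing/comments/def456/long_term",
        "https://example.org/analysis/market-overview",
        "https://example.com/blog/risk",
    ],
}
ALL_URLS = [u for urls in QUERY_RESULTS.values() for u in urls]

# A constructed report: one real entity with a non-UGC citation, one fake entity
# (the BananaCoin case from the article) cited only from a Reddit thread, and
# one entity with no citation at all.
REPORT = [
    {"entity": "Bitcoin", "sources": [
        "https://en.wikipedia.org/wiki/Cryptocurrency",
        "https://example.org/analysis/market-overview"]},
    {"entity": "BananaCoin", "sources": [
        "https://www.reddit.com/r/investing/comments/def456/long_term"]},
    {"entity": "UnsourcedToken", "sources": []},
]

if __name__ == "__main__":
    exposure = ugc_exposure(ALL_URLS)
    print(f"UGC share of retrieved URLs: {exposure['ugc_share']:.0%}")
    print("UGC hosts:", dict(exposure["by_host"]))
    print("Pages reused across queries:", choke_points(QUERY_RESULTS))
    print("Entities lacking non-UGC corroboration:", weakly_supported(REPORT))
```

On the constructed data the Reddit thread is retrieved for all three queries, so it shows up as a choke point, and BananaCoin is flagged because its only citation is that thread. Raising `min_non_ugc` to 2 trades recall for stricter provenance; the right threshold depends on how much the deployment values the firsthand experiences and local recommendations that only community pages carry.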

This article was produced by Prism’s automated news system from verified source data, official records, and press releases, then run through automated quality and moderation checks before publishing. The system is built and supervised by the people who set the standards it runs under.
