Tiny Reddit posts expose AI search risk

A short Reddit comment can push AI research agents towards fake products, fraudulent services and invented businesses, exposing a fresh weakness in systems that increasingly mediate consumer choices online.

Cornell Tech researchers Tingwei Zhang, Harold Triedman and Vitaly Shmatikov found that a crafted snippet of about 13 words, planted in user-generated content, could manipulate deep-research systems that gather web material, synthesise it and present confident, citation-backed answers. The technique, named WARP, or Web Agent Retrieval Poisoning, does not require hacking an AI company, breaking into a platform or knowing a user’s exact question. It relies instead on the way research agents repeatedly retrieve the same community pages when answering clusters of related queries.

The study tested three open-source research systems, STORM, Co-STORM and OmniThink, using an ethical simulation framework that avoided altering live web pages. With a single poisoned URL, the fabricated entity was mentioned in 38 to 51 per cent of generated reports, conditional on the poisoned page being retrieved; targeting several URLs lifted the rate to 42 to 62 per cent. In a full-content setting, where the planted material formed less than 4 per cent of the retrieved page, mention rates still reached 30 to 53 per cent.

The risk is acute because consumer questions often lead AI tools to community forums. Queries about restaurant choices, dating apps, cryptocurrency investments or subscription cancellation services tend to draw from Reddit, Wikipedia, Quora, YouTube and similar sites, where ordinary users post informal advice. The Cornell paper found that 17 to 23 per cent of all retrieved URLs in the tested systems came from user-generated platforms, and that an individual community page could appear in up to 48 per cent of queries within the same topic cluster.

That repetition creates a concentrated target. A scammer seeking to promote a bogus service does not need to dominate the web. A strategically placed comment on one thread that research agents already retrieve can be enough to place a fictional name into an AI-generated report. The fabricated examples in the study included a fake Austin restaurant called Sol Azteca, a made-up dating app called SilverPath and a fictitious cryptocurrency presented alongside established digital assets.
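The concentration described above can be measured from an agent's own retrieval logs. The following is an added example, not code from the Cornell paper: given a constructed log of which pages were retrieved for each query and the query's topic cluster, it reports the share of retrieved URLs from user-generated platforms and, for each cluster, the single page that recurs across the most queries. The list of hosts treated as user-generated and the log entries are assumptions made for the example.

```python
"""Audit of retrieval logs for the concentration that makes a WARP-style attack cheap.

Added example, not code from the Cornell paper. It reads a log of which pages a
research agent retrieved per query and reports two exposure metrics the article
describes: the share of retrieved URLs from user-generated content (UGC) hosts,
and, per topic cluster, the single page that recurs across the most queries.
"""
from collections import Counter, defaultdict
from urllib.parse import urlparse

# Hosts treated as UGC. The article names these platforms; the exact list is an assumption.
UGC_HOSTS = {"reddit.com", "quora.com", "wikipedia.org", "youtube.com"}

# Constructed sample log, not real data: (query_id, topic_cluster, retrieved_urls).
RETRIEVAL_LOG = [
    ("q1", "austin-restaurants", [
        "https://www.reddit.com/r/austinfood/comments/abc123/best_tacos/",
        "https://www.eater.com/austin/best-restaurants",
        "https://www.yelp.com/search?find_desc=tacos&find_loc=Austin"]),
    ("q2", "austin-restaurants", [
        "https://www.reddit.com/r/austinfood/comments/abc123/best_tacos/?sort=top",
        "https://en.wikipedia.org/wiki/Tex-Mex",
        "https://www.austinchronicle.com/food/"]),
    ("q3", "austin-restaurants", [
        "https://www.reddit.com/r/austinfood/comments/abc123/best_tacos/",
        "https://www.statesman.com/entertainment/dining/"]),
    ("q4", "austin-restaurants", [
        "https://www.tripadvisor.com/Restaurants-g30196-Austin_Texas.html",
        "https://www.eater.com/austin/best-restaurants"]),
    ("q5", "dating-apps", [
        "https://www.reddit.com/r/dating/comments/xyz789/apps_over_50/",
        "https://www.wired.com/story/best-dating-apps/"]),
    ("q6", "dating-apps", [
        "https://www.reddit.com/r/dating/comments/xyz789/apps_over_50/",
        "https://www.nytimes.com/wirecutter/reviews/best-dating-apps/"]),
]


def host_of(url):
    host = urlparse(url).hostname or ""
    return host[4:] if host.startswith("www.") else host


def is_ugc_host(host):
    return any(host == u or host.endswith("." + u) for u in UGC_HOSTS)


def canonical(url):
    # Drop scheme, "www.", query string and trailing slash so that sort/paging
    # variants of one thread count as the same page.
    return host_of(url) + urlparse(url).path.rstrip("/")


def ugc_share(log):
    """Fraction of all retrieved URLs that come from UGC hosts."""
    urls = [u for _, _, retrieved in log for u in retrieved]
    return sum(is_ugc_host(host_of(u)) for u in urls) / len(urls)


def cluster_hotspots(log):
    """Per cluster: (page, fraction of that cluster's queries that retrieved it)."""
    queries = Counter()
    pages = defaultdict(Counter)
    for _, cluster, retrieved in log:
        queries[cluster] += 1
        for page in {canonical(u) for u in retrieved}:
            pages[cluster][page] += 1
    return {
        c: max(((p, n / queries[c]) for p, n in pages[c].items()), key=lambda t: t[1])
        for c in queries
    }


def concentrated_ugc_targets(log, threshold=0.5):
    """UGC pages that recur in at least `threshold` of a cluster's queries: one
    comment planted on any of these reaches every query that pulls the page."""
    hits = []
    for cluster, (page, frac) in cluster_hotspots(log).items():
        if frac >= threshold and is_ugc_host(page.split("/", 1)[0]):
            hits.append((cluster, page, frac))
    return sorted(hits)


if __name__ == "__main__":
    print(f"UGC share of retrieved URLs: {ugc_share(RETRIEVAL_LOG):.0%}")
    for cluster, page, frac in concentrated_ugc_targets(RETRIEVAL_LOG):
        print(f"{cluster}: {page} appears in {frac:.0%} of queries")
```

On the constructed log the Reddit thread in the restaurant cluster is pulled by three of four queries and the dating thread by both dating queries; those are the pages an attacker would target, and they are the pages an operator should watch for newly added comments or pin to a vetted snapshot.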

The findings also sharpen concerns about commercial AI research products. The researchers did not conduct end-to-end poisoning experiments on ChatGPT Deep Research or Gemini Deep Research because doing so would have required manipulating the live web or observing server-side retrieval that is not externally visible. Instead, they examined how often these tools cite user-generated content during normal use. OpenAI Deep Research cited such material in 3 of 748 reviewed citations, a rate of 0.4 per cent. Gemini Deep Research cited it at 12.1 per cent across the tested topics, suggesting greater exposure to the same structural weakness.

The vulnerability sits at the intersection of retrieval-augmented generation and generative engine optimisation. Retrieval-augmented systems are designed to improve accuracy by consulting current web sources rather than relying only on training data. But when those sources include writable public forums, the system’s strength becomes an opening for manipulation. Generative engine optimisation, a fast-growing marketing practice aimed at influencing AI answers, gives commercial actors an incentive to seed the web with phrases that models are likely to retrieve and repeat.

The Cornell work suggests that conventional defences remain inadequate. Blocking user-generated platforms can stop this class of attack, but it also strips AI research tools of detailed first-hand material that often makes their answers useful. Screening retrieved text before it enters the system was less effective because the poisoned snippets were crafted to read fluently and naturally. Output filtering also struggled because a fake recommendation can appear plausible when it is placed among genuine products or services.
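A defence that sidesteps the plausibility problem is to gate on provenance rather than content: a named recommendation that is supported only by user-generated pages, or by a single source, is flagged before the report is shown. The block below is an added example of that check and is not code from the Cornell paper; the host list, the report claims and the citation mapping are constructed for the example, with the study's fabricated names used for the flagged cases.

```python
"""Provenance gate for a deep-research report.

Added example, not code from the Cornell paper. Rather than judging whether a
recommendation looks plausible (the article reports that output filtering
struggled with exactly that), it checks where each named recommendation's
support comes from and flags names backed only by user-generated content (UGC)
or by a single source, so the reader sees the weak provenance instead of a
confident sentence.
"""
from urllib.parse import urlparse

# Hosts treated as UGC; the platform list is an assumption drawn from the article.
UGC_HOSTS = {"reddit.com", "quora.com", "wikipedia.org", "youtube.com"}


def host_of(url):
    host = urlparse(url).hostname or ""
    return host[4:] if host.startswith("www.") else host


def is_ugc(url):
    host = host_of(url)
    return any(host == u or host.endswith("." + u) for u in UGC_HOSTS)


# Constructed input, not real data: each named recommendation in a draft report,
# mapped to the citations the agent attached to it. "Sol Azteca" and "SilverPath"
# are the fabricated names from the study; the other names are placeholders.
REPORT_CLAIMS = {
    "Example Taqueria A": [
        "https://www.eater.com/austin/best-restaurants",
        "https://www.reddit.com/r/austinfood/comments/abc123/best_tacos/",
    ],
    "Example Taqueria B": [
        "https://www.eater.com/austin/best-restaurants",
    ],
    "Sol Azteca": [
        "https://www.reddit.com/r/austinfood/comments/abc123/best_tacos/",
    ],
    # Cross-posted to two UGC sites: a bare source count would let it through.
    "SilverPath": [
        "https://www.reddit.com/r/dating/comments/xyz789/apps_over_50/",
        "https://www.quora.com/What-dating-apps-work-for-people-over-50",
    ],
}


def gate(claims, min_sources=2):
    """Return {name: verdict}. 'ugc_only' when every citation is UGC (or there
    are none), 'single_source' when fewer than min_sources distinct hosts
    support it, otherwise 'corroborated'. The UGC-only test runs first so that
    cross-posting the same claim to several forums cannot satisfy the count."""
    verdicts = {}
    for name, cites in claims.items():
        if all(is_ugc(u) for u in cites):
            verdicts[name] = "ugc_only"
        elif len({host_of(u) for u in cites}) < min_sources:
            verdicts[name] = "single_source"
        else:
            verdicts[name] = "corroborated"
    return verdicts


def annotate(report, verdicts):
    """Mark flagged names in the report text instead of silently deleting them."""
    for name, verdict in verdicts.items():
        if verdict != "corroborated":
            report = report.replace(name, f"{name} [{verdict}]")
    return report


if __name__ == "__main__":
    v = gate(REPORT_CLAIMS)
    print(annotate("Locals recommend Example Taqueria A, Example Taqueria B and Sol Azteca; "
                   "for dating over 50 try SilverPath.", v))
```

The gate annotates rather than removes, because the cost the article describes for blocking forums applies here too: a genuinely new business that only Reddit has noticed would be flagged as well, and the user is better served by seeing that the recommendation rests on a single forum thread than by having it deleted or, worse, presented with the same confidence as a corroborated one.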

The issue differs from older search-engine spam in one important respect. Search engines usually present users with ranked links, leaving room for scepticism and comparison. Deep-research agents compress multiple sources into a single narrative, often with a tone of authority that can make weak or planted evidence appear more settled than it is. For users, the danger is not merely seeing a bad link but receiving a polished recommendation for something that does not exist.

Notice an issue?

Arabian Post strives to deliver the most accurate and reliable information to its readers. If you believe you have identified an error or inconsistency in this article, please don't hesitate to contact our editorial team at editor[at]thearabianpost[dot]com. We are committed to promptly addressing any concerns and ensuring the highest level of journalistic integrity.