Researchers from SNU have discovered a critical vulnerability called Agent Data Injection (ADI), which allows attackers to bypass modern AI agent protection mechanisms. Unlike classic instruction injections, ADI masks malicious commands as trusted metadata or user content, paving the way for 'arbitrary click attacks.'

image
image

What Happened

During the research, it was demonstrated that popular web agents, such as Anthropic's Claude for Chrome, Google Antigravity, and Nanobrowser, are susceptible to 'arbitrary click attacks.' For example, while performing a task to summarize product reviews, an agent could make an unauthorized purchase if malicious instructions were hidden within the text of those very reviews.

Context

Traditional Prompt Injection (IPI) defense methods focus on preventing direct commands in the system prompt, but they are ineffective against ADI. The problem lies in the lack of architectural isolation between trusted system instructions and untrusted external data that the agent reads from web pages to perform its tasks.

Why It Matters for the Industry

For the industry, this means a fundamental need to rethink AI agent architecture. The current model, where an agent has direct access to the DOM, is becoming insecure. An increased demand is expected for security evaluation tools (evals), context isolation mechanisms, and a transition toward controlled abstraction layers for interacting with web interfaces.

Why It Matters for Users

Users employing browser or coding agents (such as Claude Code or Gemini CLI) for automation should exercise caution. Ordinary website content, such as comments or reviews, can be used to perform actions on your behalf, including making transactions or executing malicious code. It is recommended to use human-in-the-loop mechanisms to confirm critical actions.

What Is Not Yet Known / Limitations

There are no explicit technical disagreements regarding the assessment of the threat; however, the focus is shifting from purely academic research interest toward market opportunities and the necessity of implementing new security standards.

Sources

Author

Look at AI, Editorial Staff