Researchers from SNU have discovered a critical vulnerability called Agent Data Injection (ADI), which allows attackers to bypass modern AI agent protection mechanisms. Unlike classic instruction injections, ADI masks malicious commands as trusted metadata or user content, paving the way for 'arbitrary click attacks.'


What Happened
During the research, it was demonstrated that popular web agents, such as Anthropic's Claude for Chrome, Google Antigravity, and Nanobrowser, are susceptible to 'arbitrary click attacks.' For example, while performing a task to summarize product reviews, an agent could make an unauthorized purchase if malicious instructions were hidden within the text of those very reviews.
Context
Traditional Prompt Injection (IPI) defense methods focus on preventing direct commands in the system prompt, but they are ineffective against ADI. The problem lies in the lack of architectural isolation between trusted system instructions and untrusted external data that the agent reads from web pages to perform its tasks.
Why It Matters for the Industry
For the industry, this means a fundamental need to rethink AI agent architecture. The current model, where an agent has direct access to the DOM, is becoming insecure. An increased demand is expected for security evaluation tools (evals), context isolation mechanisms, and a transition toward controlled abstraction layers for interacting with web interfaces.
Why It Matters for Users
Users employing browser or coding agents (such as Claude Code or Gemini CLI) for automation should exercise caution. Ordinary website content, such as comments or reviews, can be used to perform actions on your behalf, including making transactions or executing malicious code. It is recommended to use human-in-the-loop mechanisms to confirm critical actions.
What Is Not Yet Known / Limitations
There are no explicit technical disagreements regarding the assessment of the threat; however, the focus is shifting from purely academic research interest toward market opportunities and the necessity of implementing new security standards.
Sources
- SNU Computer Security Blog
- arXiv paper: Agent Data Injection Attacks are Realistic Threats to AI Agents
Author
Look at AI, Editorial Staff
