New Vulnerability Exposes AI to Context Poisoning
Cybersecurity researchers have flagged a significant new security issue impacting agentic web browsers like OpenAI ChatGPT Atlas. The vulnerability exposes the core artificial intelligence (AI) models to a form of manipulation known as a context poisoning attack. The attack, which was devised and demonstrated by the AI security company SPLX, shows how advanced AI systems can be systematically misled by deceptive web content.
The AI-Targeted Cloaking Technique
The method has been codenamed AI-targeted cloaking. In an attack scenario, a bad actor establishes websites designed to serve different content to different visitors. Human users accessing the site see one version of the webpage, while AI crawlers from services like ChatGPT and Perplexity are served an entirely separate, manipulated version. This approach is a modern variation of search engine cloaking, a black-hat SEO tactic used to deceive search engine crawlers. The key distinction is that attackers are not optimizing for search rankings but are instead specifically targeting AI crawlers in order to manipulate the content delivered to them.
Poisoning AI’s Ground Truth
The attack’s execution relies on a trivial user agent check. The malicious server identifies a visitor as an AI crawler based on its user agent string and then delivers the deceptive content. Because these AI systems use direct web retrieval as a primary source of information, the content served to their crawlers is treated as factual ground truth. Consequently, this false information is incorporated directly into AI Overviews, summaries, and the outputs of autonomous agentic tasks. The attack successfully tricks the AI into citing and disseminating fake information as if it were a collection of verified facts, directly poisoning its knowledge base.
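Because the technique hinges on a user-agent check, the natural defensive check is a differential fetch: request the same URL as a normal browser and as an AI crawler, reduce both responses to visible text, and flag any that diverge. The following is an added example, not SPLX's tooling or anything from the vendors named above; the crawler user-agent strings, the fake server and the sample page are constructed assumptions for illustration.

```python
import difflib
import html
import re
from urllib.request import Request, urlopen

# Constructed probe agents: the crawler strings are illustrative assumptions,
# since real AI crawler user-agent tokens are vendor-specific.
PROBE_AGENTS = {
    "browser": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/128.0",
    "ai_crawler_a": "ChatGPT-User/1.0",
    "ai_crawler_b": "PerplexityBot/1.0",
}

def fetch_with_agent(url, user_agent, timeout=10):
    """Fetch url with an explicit User-Agent header and return the body."""
    req = Request(url, headers={"User-Agent": user_agent})
    with urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8", errors="replace")

def normalize(page):
    """Reduce HTML to lowercase visible text so markup noise cannot mask a difference."""
    text = re.sub(r"<(script|style)[^>]*>.*?</\1>", " ", page, flags=re.S | re.I)
    text = re.sub(r"<[^>]+>", " ", text)
    return " ".join(html.unescape(text).split()).lower()

def detect_cloaking(url, agents=PROBE_AGENTS, fetch=fetch_with_agent, threshold=0.9):
    """Compare what each agent receives with the browser view. Returns per-agent
    similarity ratios and the agents whose page diverges past the threshold."""
    texts = {name: normalize(fetch(url, ua)) for name, ua in agents.items()}
    baseline = texts["browser"]
    similarity = {}
    for name, text in texts.items():
        if name == "browser":
            continue
        ratio = difflib.SequenceMatcher(None, baseline, text).ratio()
        similarity[name] = round(ratio, 3)
    suspected = sorted(n for n, r in similarity.items() if r < threshold)
    return {"similarity": similarity, "cloaking_suspected": suspected}

def fake_fetch(url, user_agent):
    """Constructed stand-in for a cloaking server: browsers and AI crawlers
    get different pages, exactly the behaviour the check is meant to catch."""
    if "ChatGPT" in user_agent:
        return "<html><body><p>Product X is rated 5 stars by every reviewer.</p></body></html>"
    return "<html><body><p>Product X has mixed reviews.</p></body></html>"

if __name__ == "__main__":
    print(detect_cloaking("https://example.invalid/page", fetch=fake_fetch))
```

Against a live site, call `detect_cloaking(url)` with the default fetcher; a low similarity for one crawler agent alone, with the others matching the browser view, is the signature to investigate.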