Context manipulation attacks : Web agents are susceptible to corrupted memory
Atharv Singh Patlan, Ashwin Hebbar, Pramod Viswanath, Prateek Mittal

TL;DR
This paper introduces 'plan injection,' a new type of attack targeting the external memory of web navigation agents, demonstrating significant vulnerabilities and proposing the need for secure memory management in such systems.
Contribution
The paper formalizes 'plan injection' attacks on web agents' memory, showing they bypass defenses and significantly increase success rates in malicious tasks.
Findings
Plan injection attacks achieve up to 3x higher success rates.
Context-chained injections increase privacy exfiltration success by 17.7%.
Vulnerabilities exist due to external memory management in web agents.
Abstract
Autonomous web navigation agents, which translate natural language instructions into sequences of browser actions, are increasingly deployed for complex tasks across e-commerce, information retrieval, and content discovery. Due to the stateless nature of large language models (LLMs), these agents rely heavily on external memory systems to maintain context across interactions. Unlike centralized systems where context is securely stored server-side, agent memory is often managed client-side or by third-party applications, creating significant security vulnerabilities. This was recently exploited to attack production systems. We introduce and formalize "plan injection," a novel context manipulation attack that corrupts these agents' internal task representations by targeting this vulnerable context. Through systematic evaluation of two popular web agents, Browser-use and Agent-E, we show…
