# A Whole New World: Creating a Parallel-Poisoned Web Only AI-Agents Can See

**Authors:** Shaked Zychlinski

arXiv: 2509.00124 · 2025-09-03

## TL;DR

This paper reveals a new security threat where malicious websites can identify and serve cloaked content to AI web agents, enabling stealthy attacks like data theft and malware execution without human detection.

## Contribution

It introduces a novel attack method exploiting AI agent fingerprinting and cloaking techniques, highlighting significant security vulnerabilities in autonomous web-browsing AI systems.

## Key findings

- Websites can detect AI agents through digital fingerprints.
- Cloaking techniques can serve malicious content invisibly to AI agents.
- The attack enables stealthy hijacking of AI behavior for malicious purposes.

## Abstract

This paper introduces a novel attack vector that leverages website cloaking techniques to compromise autonomous web-browsing agents powered by Large Language Models (LLMs). As these agents become more prevalent, their unique and often homogenous digital fingerprints - comprising browser attributes, automation framework signatures, and network characteristics - create a new, distinguishable class of web traffic. The attack exploits this fingerprintability. A malicious website can identify an incoming request as originating from an AI agent and dynamically serve a different, "cloaked" version of its content. While human users see a benign webpage, the agent is presented with a visually identical page embedded with hidden, malicious instructions, such as indirect prompt injections. This mechanism allows adversaries to hijack agent behavior, leading to data exfiltration, malware execution, or misinformation propagation, all while remaining completely invisible to human users and conventional security crawlers. This work formalizes the threat model, details the mechanics of agent fingerprinting and cloaking, and discusses the profound security implications for the future of agentic AI, highlighting the urgent need for robust defenses against this stealthy and scalable attack.

## Full text

_Full body text omitted from this summary view._ Fetch the complete paper as Markdown: https://tomesphere.com/paper/2509.00124/full.md

## Figures

1 figure with captions in the complete paper: https://tomesphere.com/paper/2509.00124/full.md

## References

13 references — full list in the complete paper: https://tomesphere.com/paper/2509.00124/full.md

---
Source: https://tomesphere.com/paper/2509.00124