Whispers of Wealth: Red-Teaming Google's Agent Payments Protocol via Prompt Injection
Tanusree Debi, Wentian Zhu, Pranjol Sen Gupta

TL;DR
This paper evaluates the security of Google's Agent Payments Protocol against prompt injection attacks, revealing vulnerabilities that could compromise financial transactions managed by large language model agents.
Contribution
It introduces novel prompt injection attack techniques and demonstrates their effectiveness against a real-world agent payment system, exposing critical security flaws.
Findings
Simple adversarial prompts can subvert agent behavior.
Vulnerabilities allow manipulation of product ranking and data extraction.
Current payment architectures lack sufficient safeguards.
Abstract
Large language model (LLM) based agents are increasingly used to automate financial transactions, yet their reliance on contextual reasoning exposes payment systems to prompt-driven manipulation. The Agent Payments Protocol (AP2) aims to secure agent-led purchases through cryptographically verifiable mandates, but its practical robustness remains underexplored. In this work, we perform an AI red-teaming evaluation of AP2 and identify vulnerabilities arising from indirect and direct prompt injection. We introduce two attack techniques, the Branded Whisper Attack and the Vault Whisper Attack, which manipulate product ranking and extract sensitive user data. Using a functional AP2-based shopping agent built with Gemini-2.5-Flash and the Google ADK framework, we experimentally validate that simple adversarial prompts can reliably subvert agent behavior. Our findings reveal critical…
Taxonomy
Topics: Blockchain Technology Applications and Security · Adversarial Robustness in Machine Learning · Cryptography and Data Security
