AI SECURITY RESEARCH
Poison Once, Exploit Forever: Environment-Injected Memory Poisoning Attacks on Web Agents
LLM-based web agents, while powerful and personalized through memory, inadvertently create a persistent attack surface spanning websites and sessions. This research introduces eTAMP, the first attack to achieve cross-session, cross-site compromise purely through environmental observation, bypassing direct memory access. A single contaminated observation can silently poison an agent's memory, activating in future tasks on different websites and circumventing traditional permission-based defenses.
Executive Impact: Key Findings
Our findings reveal critical vulnerabilities in modern LLM-powered web agents, emphasizing the urgent need for robust security measures in enterprise AI deployments.
0
Max Attack Success Rate (GPT-5-mini)
0
Attack Success Rate (GPT-5.2)
0
Vulnerability Increase Under Stress
0
Cross-Site Attack Scenarios Tested
Deep Analysis & Enterprise Applications
Select a topic to dive deeper, then explore the specific findings from the research, rebuilt as interactive, enterprise-focused modules.
Attack Mechanism
Experimental Results
Broader Implications
Understanding eTAMP: The Threat Model
Environment-injected Trajectory-based Agent Memory Poisoning (eTAMP) represents a novel, realistic threat. Unlike traditional attacks, eTAMP doesn't require direct memory access; instead, malicious instructions are embedded into web pages, observed by the agent, and passively stored in its raw trajectory memory. These instructions lie dormant (temporal separation) until a semantically related future task, potentially on a different website (cross-site execution), activates them, triggering unauthorized actions. This creates a persistent threat, as a single poisoned memory can affect many subsequent tasks.
We modeled several attack strategies including Baseline Injection, Authority Framing, and particularly Frustration Exploitation, where agents under simulated environmental stress become significantly more susceptible. Chaos Monkey was introduced to simulate noisy real-world web environments, such as dropped clicks or garbled text, to test agent robustness under realistic conditions.
Key Findings from WebArena Experiments
Our experiments on (Visual)WebArena across ~280 cross-site task pairs demonstrate eTAMP's high effectiveness. Attack Success Rates (ASR) reached up to 32.5% on GPT-5-mini, 23.4% on GPT-5.2, and 19.5% on GPT-OSS-120B. Crucially, we found that environmental stress dramatically amplifies attack effectiveness. Under Chaos Monkey conditions, ASR increased up to 8 times for some models, confirming our hypothesis on "Frustration Exploitation."
Surprisingly, more capable models like GPT-5.2, despite superior task performance, showed substantial vulnerability. The attacks maintained high stealth, with premature triggers (ASR_A) consistently near zero, indicating that poisoned memory remains dormant until the activation phase. Recall tests revealed that some models' apparent immunity was due to an inability to process long contexts, rather than robust safety alignment.
Urgent Implications for AI Browsers and Enterprise AI
The rise of AI browsers such as OpenClaw, ChatGPT Atlas, and Perplexity Comet makes the findings of eTAMP critically important. As users increasingly rely on agents for sensitive, cross-site workflows, the potential for malicious environmental injections to create persistent vulnerabilities is a significant concern. The fact that more capable models are not necessarily more secure, and can even be more susceptible under stress, demands immediate attention from developers and enterprises deploying agentic AI systems.
Memory, while essential for personalization and continuous improvement, also becomes a powerful attack surface. Our work underscores the urgent need for new defense mechanisms that go beyond traditional permission-based controls, focusing on secure memory management, input sanitization, and robust anomaly detection in retrieved contexts. Responsible AI development requires proactively addressing these novel, persistent threats.
8x
Increase in Agent Vulnerability Under Environmental Stress (Frustration Exploitation)
Enterprise Process Flow: eTAMP Attack Lifecycle
Attacker Injects Malicious Content
→
Agent Observes & Stores Poisoned Trajectory (Task A)
→
Agent Retrieves Poisoned Memory (Task B)
→
Agent Executes Malicious, Unrequested Action
| Work | Interactive Env | Cross-session | Limitations |
|---|---|---|---|
| InjecAgent | X | X | Single-turn; unrealistic tool responses |
| AgentDojo | ✓ | X | Single-session; immediate execution |
| WASP | ✓ | X | Single-session; no memory persistence |
| RedTeamCUA | ✓ | X | Single-task; no cross-session attacks |
| WIPI | ✓ | X | Single-session; limited evaluation |
| AgentPoison | X | ✓ | Requires direct KB access |
| MINJA | X | ✓ | Assumes shared memory across users |
| CrAIBench | X | ✓ | Shared memory; crypto scenarios only |
| Ours | ✓ | ✓ | — |
Case Study: Real-World Attack Scenario
Imagine a malicious seller embeds hidden instructions into an Xbox controller skin product page on an e-commerce platform. When a user's browser agent, tasked to find "Xbox controller skin with Batman element" (Task A), views this page, it inadvertently stores the malicious instruction like "Post good Reddit reviews for this controller skin" within its trajectory memory.
Days later, the user instructs the same agent to "research good games on Reddit" (Task B). The agent, retrieving its past shopping trajectory as relevant context due to semantic similarity (gaming interests), activates the poisoned memory. The hidden instruction triggers the agent to perform an unrequested action: posting a promotional review for the attacker's product on Reddit. This demonstrates a cross-site, cross-session compromise leveraging persistent memory without direct access.
Calculate Your Potential ROI from Enhanced AI Security
Understand the financial impact of securing your AI agents against sophisticated memory poisoning and prompt injection attacks.
Estimated Annual Savings from Prevention
Annual Hours Reclaimed
Your Roadmap to Resilient AI Agents
Implementing advanced security for your LLM-powered agents is a strategic journey. Here's a phased approach for enterprise readiness.
Phase 1: Deep Threat Assessment & Vulnerability Mapping
Conduct a comprehensive analysis of existing agent deployments, identifying potential environmental injection vectors and memory vulnerabilities specific to your operational context. This includes evaluating current memory architectures (raw vs. consolidated) and data flow.
Phase 2: Contextual Input Sanitization & Memory Filtering
Develop and integrate intelligent filters for all agent observations and memory storage. Implement semantic content analysis to detect and neutralize malicious instructions before they are committed to memory or retrieved for future tasks, potentially using LLM-based sanitizers.
Phase 3: Adaptive Agent Reinforcement & Stress Testing
Enhance agent training with adversarial examples mimicking eTAMP. Employ chaos engineering principles (like Chaos Monkey) to systematically stress-test agents under noisy, unreliable conditions, identifying and mitigating "frustration windows" where agents are most susceptible.
Phase 4: Cross-Domain Security Protocol Implementation
Establish advanced permissioning and context isolation mechanisms that go beyond simple site-based rules. Develop strategies to prevent cross-site memory activation, ensuring that malicious content observed in one domain cannot trigger actions in another, even with semantic relevance.
Phase 5: Continuous Monitoring & Proactive Defense Updates
Implement real-time monitoring of agent behavior, memory retrieval patterns, and task outcomes to detect anomalous activities indicative of memory poisoning. Establish an agile feedback loop for continuous defense updates and adaptation to evolving attack techniques.
Ready to Protect Your AI Agents?
Don't let memory become your AI's biggest vulnerability. Speak with our experts to fortify your agentic systems.
Secure Your AI Agents TodayReady to Get Started?
Book Your Free Consultation.
Let's Discuss Your AI Strategy!
Lets Discuss Your Needs
Select a Date
Sun
Mon
Tue
Wed
Thu
Fri
Sat