Web agents can be poisoned through a single contaminated page, then weaponized on unrelated sites weeks later

Researchers found that AI agents using memory to personalize tasks can be silently compromised by viewing a manipulated webpage, then activated to cause harm on completely different websites in future sessions. This means an attacker needs no direct access to the agent's memory or code — just the ability to serve a poisoned page once, and the damage spreads invisibly across all future tasks.

The attack works because memory makes agents useful — it lets them learn from past interactions and adapt. But that same memory becomes a persistent backdoor. An agent views a malicious product page, stores the contamination, and months later executes hidden instructions while helping you book a flight or manage your bank account. The researchers also found something darker: agents under stress (slow clicks, garbled text) become eight times more vulnerable to these attacks. Smarter models like GPT-4 are not safer — they're just as exploitable. This matters because AI browsers (ChatGPT's new browser mode, Perplexity's agent, others) are shipping now with memory-based personalization already built in.