Google warns malicious web pages are poisoning AI agents

Public web pages are actively hijacking enterprise AI agents via indirect prompt injections, Google researchers warn.

Security teams scanning the Common Crawl repository (a massive database of billions of public web pages) have uncovered a growing trend of digital booby traps. Website administrators and malicious actors are embedding hidden instructions within standard HTML. These invisible commands lie dormant until an AI assistant scrapes the page for information, at which point the system ingests the text and executes the hidden instructions.

Understanding indirect prompt injections

A standard user interacting with a chatbot might try to manipulate it directly by typing “ignore previous instructions.” Security engineers have focused on implementing guardrails to block these direct injection attempts. Indirect prompt injection bypasses those guardrails by placing the malicious command within a trusted data source.

Picture a corporate HR department deploying an AI agent to evaluate engineering candidates. The human recruiter asks the agent to review a candidate’s personal portfolio website and summarise their past pro...