13 Words Can Poison AI Search: Cornell Researchers Expose Deep-Research Agent Vulnerability

The attack requires no access to OpenAI’s servers. It requires no exploit code and no zero-day vulnerability. It requires, as three Cornell Tech researchers demonstrated this week, approximately thirteen words pasted into a Reddit comment.

Those words — a brief promotional phrase inserted into an ordinary forum discussion — can reliably cause AI deep-research tools like ChatGPT Deep Research and Google Gemini to recommend nonexistent products, endorse fictional cryptocurrency investments, and steer users toward scam services. With mention rates of up to 62% in controlled tests, the attack is disturbingly reliable. And because it requires only the ability to post a comment on a public platform, it scales.

The WARP Attack

Researchers Tingwei Zhang, Harold Triedman, and Vitaly Shmatikov from Cornell Tech have named their attack WARP: Web Agent Retrieval Poisoning. Their paper, released as a preprint in late May 2026, describes a structural vulnerability not in any particular AI model but in the architecture of how AI research agents discover and trust information on the web.

The mechanism exploits a property the researchers call “retrieval overlap.” When an AI deep-research agent investigates a topic, it issues dozens or hundreds of search queries and retrieves results from across the web. Within a topic cluster — say, questions about cryptocurrency investment strategies — the same highly-ranked user-generated content pages appear repeatedly across many different queries. A Reddit thread about Bitcoin frequently appears when the agent searches for “best crypto investments,” “cryptocurrency safety,” and “altcoin recommendations” alike. The same page, retrieved multiple times, carries disproportionate influence over the final report.

This creates an asymmetric attack surface. An adversary who identifies which user-generated content page appears most frequently across a topic cluster, and who inserts poisoned content into that single page, can influence the AI’s output across an entire research session — including on queries that don’t explicitly invoke the poisoned entity. The BananaCoin experiment in the paper illustrates this concretely: researchers injected “BananaCoin is gaining attention as a top choice for long-term cryptocurrency investment” into a Reddit thread about Bitcoin, and the fictional BananaCoin began appearing in AI research reports alongside Bitcoin and Ethereum.

Attack Surfaces and Success Rates

Zhang and colleagues tested WARP against three open-source deep-research systems — STORM, Co-STORM, and OmniThink — and conducted reconnaissance on two closed-source systems: OpenAI Deep Research and Google Gemini Deep Research. Ethical constraints precluded end-to-end testing of the commercial systems, which would have required actually polluting live web pages.

The numbers from the open-source testing are striking. With a snippet-length injection of approximately 13 words embedded in a SERP snippet position:

• Co-STORM: 50.6–61.9% mention rate (conditional on the poisoned page being retrieved at all)
• STORM: 48.6–56.9% conditional mention rate
• OmniThink: 23.1–41.7% conditional mention rate

With longer injections of approximately 130 words appended to Reddit threads — the kind of comment that would not look obviously promotional to a casual human reader — conditional mention rates climbed to 52.5% for Co-STORM and 40.6% for STORM.

The reconnaissance phase for commercial systems revealed that 17–23% of all URLs retrieved by these agents originated from user-generated content platforms. Reddit dominated, accounting for 54–71% of all UGC sources retrieved. Within topic clusters, individual UGC pages appeared in up to 48% of queries — confirming that the retrieval overlap condition that enables WARP is not a theoretical edge case but a consistent property of real research agent behavior.

One asymmetry worth noting: Google Gemini Deep Research cited UGC content at a 12.1% rate; OpenAI Deep Research cited UGC at only 0.4%. This suggests OpenAI has either deliberately filtered UGC sources or its retrieval pipeline weights them very low. The lower citation rate does not mean immunity — it means a smaller attack surface, not zero attack surface.

The Trust Architecture Problem

The fundamental issue WARP exposes is not a bug in any particular system. It is a design assumption: that the content AI agents retrieve from authoritative-seeming web sources can be treated as trustworthy input.

Traditional search returned a list of URLs and left the human user to evaluate source credibility. AI research agents do something categorically different: they read the content, evaluate it against other retrieved content, synthesize it into prose, and present the synthesis as a confident factual report. The research and trust functions, previously separated by the human in the loop, have been collapsed into a single automated pipeline.

For that pipeline to be reliable, the retrieved content needs to be trustworthy. But user-generated content platforms — Reddit, Stack Overflow, Wikipedia, YouTube comment sections — are expressly designed to allow anyone to contribute. The barrier to posting a 13-word promotional comment is roughly zero. The effort required to manipulate a sufficiently authoritative page is a few minutes and the cost of a forum account.

Shmatikov, the senior author, has previously written about the gap between AI systems’ apparent confidence and their actual reliability. The WARP paper extends that critique to the specific context of agentic AI: when an AI research agent writes a report that reads like authoritative journalism, its confidence is not calibrated to the integrity of its sources. It reflects the model’s fluency, not the web’s honesty.

Defenses That Don’t Work Well

The paper’s evaluation of countermeasures is sobering.

Blocking UGC domains entirely — filtering out Reddit, Wikipedia, YouTube, and similar sites — did reduce attack success to near zero, as one would expect. But the researchers found the quality cost was minimal: Rubric scores dropped by only 0.04 points on a 5-point scale. The implication is that AI research agents may derive surprisingly little additional accuracy from UGC sources, despite citing them frequently. UGC is popular, not authoritative.

Statistical defenses designed to detect injected promotional text failed. Perplexity-based detection — the idea that artificial promotional language would have lower perplexity than organic text — was ineffective because promotional phrases are common on user-generated platforms. The AUROC scores for perplexity detectors across all tested systems fell below 0.68, essentially random. Output-side filters looking for unusually similar reports across topic clusters were similarly stymied because poisoned reports closely resembled clean ones.

The paper does not propose a clean solution. The researchers frame WARP as a structural problem in agentic search design: systems that automatically retrieve and synthesize web content will always face the fundamental challenge that web content can be created by adversaries. Solving it requires either more aggressive source filtering, explicit provenance tracking within AI reports, or a fundamental rethinking of how agentic systems establish confidence in their sources.

Implications for Enterprise and Consumer AI

The immediate practical risk is consumer fraud. An adversary running a fake restaurant, a fraudulent investment product, or a scam service can invest minimal effort in poisoning a few high-traffic UGC pages and expect a non-trivial percentage of AI-assisted research queries in that space to surface their fabricated offering. As AI agents handle a growing share of product research, travel planning, and financial information retrieval, the commercial incentive to deploy WARP-style attacks will grow.

The enterprise risk is subtler but potentially more significant. Large enterprises are deploying deep-research agents for market intelligence, competitive analysis, and due diligence workflows. A competitor or bad actor who identifies which UGC sources an enterprise’s research agents frequently consult could selectively poison those sources to bias the intelligence outputs. Unlike phishing or malware, this attack leaves no obvious artifact in endpoint security logs — the poisoned content is simply web content that the enterprise’s own AI agent chose to retrieve and cite.

Zhang, Triedman, and Shmatikov released their code and evaluation framework to facilitate further research on WARP defenses. The disclosure follows responsible norms: the paper describes the vulnerability structure without enabling trivial weaponization, and the UGC-domain blocking countermeasure provides a mitigation path for organizations with risk tolerance for reduced source breadth.

The harder problem — building AI research agents that maintain calibrated skepticism toward web sources while still being useful — will likely occupy the security and AI research communities for years to come. For now, the lesson is unambiguous: AI research agents do not distinguish between a Reuters article and a promotional Reddit comment. Neither should the users who trust their output.