{"id":735274,"date":"2026-06-24T18:45:30","date_gmt":"2026-06-24T15:45:30","guid":{"rendered":"https:\/\/buradabiliyorum.com\/en\/a-13-word-edit-can-steer-what-deep-research-ai-agents-recommend\/"},"modified":"2026-06-24T18:45:30","modified_gmt":"2026-06-24T15:45:30","slug":"a-13-word-edit-can-steer-what-deep-research-ai-agents-recommend","status":"publish","type":"post","link":"https:\/\/buradabiliyorum.com\/en\/a-13-word-edit-can-steer-what-deep-research-ai-agents-recommend\/","title":{"rendered":"A 13-word edit can steer what deep-research AI agents recommend"},"content":{"rendered":"<div id=\"ez-toc-container\" class=\"ez-toc-v2_0_85 counter-hierarchy ez-toc-counter ez-toc-custom ez-toc-container-direction\">\n<p class=\"ez-toc-title\" style=\"cursor:inherit\">Table of Contents<\/p>\n<label for=\"ez-toc-cssicon-toggle-item-6a3dcc10c0330\" class=\"ez-toc-cssicon-toggle-label\"><span class=\"\"><span class=\"eztoc-hide\" style=\"display:none;\">Toggle<\/span><span class=\"ez-toc-icon-toggle-span\"><svg style=\"fill: #dd3333;color:#dd3333\" xmlns=\"http:\/\/www.w3.org\/2000\/svg\" class=\"list-377408\" width=\"20px\" height=\"20px\" viewBox=\"0 0 24 24\" fill=\"none\"><path d=\"M6 6H4v2h2V6zm14 0H8v2h12V6zM4 11h2v2H4v-2zm16 0H8v2h12v-2zM4 16h2v2H4v-2zm16 0H8v2h12v-2z\" fill=\"currentColor\"><\/path><\/svg><svg style=\"fill: #dd3333;color:#dd3333\" class=\"arrow-unsorted-368013\" xmlns=\"http:\/\/www.w3.org\/2000\/svg\" width=\"10px\" height=\"10px\" viewBox=\"0 0 24 24\" version=\"1.2\" baseProfile=\"tiny\"><path d=\"M18.2 9.3l-6.2-6.3-6.2 6.3c-.2.2-.3.4-.3.7s.1.5.3.7c.2.2.4.3.7.3h11c.3 0 .5-.1.7-.3.2-.2.3-.5.3-.7s-.1-.5-.3-.7zM5.8 14.7l6.2 6.3 6.2-6.3c.2-.2.3-.5.3-.7s-.1-.5-.3-.7c-.2-.2-.4-.3-.7-.3h-11c-.3 0-.5.1-.7.3-.2.2-.3.5-.3.7s.1.5.3.7z\"\/><\/svg><\/span><\/span><\/label><input type=\"checkbox\"  id=\"ez-toc-cssicon-toggle-item-6a3dcc10c0330\" checked aria-label=\"Toggle\" \/><nav><ul class='ez-toc-list ez-toc-list-level-1 ' ><li class='ez-toc-page-1 
ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-1\" href=\"https:\/\/buradabiliyorum.com\/en\/a-13-word-edit-can-steer-what-deep-research-ai-agents-recommend\/#Fake_entities_appeared_in_38_to_51_of_reports_when_agents_retrieved_a_manipulated_page_rising_to_62_with_multiple_pages\" >Fake entities appeared in 38% to 51% of reports when agents retrieved a manipulated page, rising to 62% with multiple pages.<\/a><ul class='ez-toc-list-level-5' ><li class='ez-toc-heading-level-5'><ul class='ez-toc-list-level-5' ><li class='ez-toc-heading-level-5'><ul class='ez-toc-list-level-5' ><li class='ez-toc-heading-level-5'><a class=\"ez-toc-link ez-toc-heading-2\" href=\"https:\/\/buradabiliyorum.com\/en\/a-13-word-edit-can-steer-what-deep-research-ai-agents-recommend\/#Topics_on_this_page\" >Topics on this page<\/a><\/li><\/ul><\/li><\/ul><\/li><\/ul><\/li><\/ul><\/nav><\/div>\n<h2 class=\"subhead\" itemprop=\"alternativeHeadline\"><span class=\"ez-toc-section\" id=\"Fake_entities_appeared_in_38_to_51_of_reports_when_agents_retrieved_a_manipulated_page_rising_to_62_with_multiple_pages\"><\/span>Fake entities appeared in 38% to 51% of reports when agents retrieved a manipulated page, rising to 62% with multiple pages.<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p><\/p>\n<div class=\"bialty-container\">\n<p>Cornell Tech researchers found that deep-research AI agents can be manipulated by short edits to public user-generated pages, allowing a single injected <a href=\"https:\/\/buradabiliyorum.com\/en\/category\/social-mediaa\/\" data-internallinksmanager029f6b8e52c=\"1\" title=\"Social Media\" target=\"_blank\" rel=\"noopener\">Reddit<\/a>-style comment to become a cited recommendation for fake products, services, or entities.<\/p>\n<p>The paper called those altered pages \u201cpoisoned\u201d because the added text was designed to steer what the AI system cited and repeated. 
It identified the weakness in systems that search the web, gather sources, and write cited reports. The researchers called the attack WARP, short for Web Agent Retrieval Poisoning.<\/p>\n<p><strong>How injected text reaches reports. <\/strong>The attack doesn\u2019t require access to the model, prompts, search engine or retrieval system. Instead, an attacker edits or appends text to a page the agent already tends to retrieve, such as a Reddit thread, Wikipedia page, or forum post.<\/p>\n<ul class=\"wp-block-list\">\n<li>When the agent later searches related topics, it may pull in that page, cite it, and repeat the attacker\u2019s chosen message.<\/li>\n<li>Deep-research tools often run many related searches for one user request, and the paper found the same user-generated pages surfaced across related queries.<\/li>\n<\/ul>\n<p><strong>Reddit was the biggest opening. <\/strong>Across STORM, Co-STORM, and OmniThink, 17% to 23% of retrieved URLs came from user-generated platforms, including Reddit, YouTube, Facebook, and Wikipedia.<\/p>\n<ul class=\"wp-block-list\">\n<li>Reddit made up the largest share of those pages. It accounted for 54% to 71% of user-generated URLs retrieved by the three open-source systems.<\/li>\n<li>The researchers didn\u2019t alter live websites. They used a simulation framework called GeoStorm to insert manipulated text into retrieved content during testing.<\/li>\n<\/ul>\n<p><strong>A few words worked. <\/strong>The researchers found the attack worked with snippets as short as about 13 words:<\/p>\n<ul class=\"wp-block-list\">\n<li>In one test, a 15-word sentence pushed a fake cryptocurrency, BananaCoin, into a Co-STORM report as an \u201cemerging\u201d long-term investment option. 
The report cited the altered source alongside legitimate crypto sources.<\/li>\n<li>When the manipulated page was retrieved, the fake entity appeared in 38% to 51% of reports across systems. Targeting multiple pages raised that range to 42% to 62%.<\/li>\n<li>The attack still worked when systems retrieved full Reddit threads, though mention rates were lower. When injected text was added to complete Reddit threads and made up less than 4% of the retrieved content, the fake entity still appeared in 30% to 53% of reports when the page was retrieved.<\/li>\n<\/ul>\n<p><strong>Defenses struggled. <\/strong>Blocking user-generated domains stopped this attack path, but it also removed sources such as firsthand product experiences and local recommendations.<\/p>\n<ul class=\"wp-block-list\">\n<li>The tested text filters failed to reliably separate injected passages from normal user content. The manipulated passages were fluent because they were written by an AI model, so perplexity-based filters were more likely to flag normal user content than the injected text.<\/li>\n<li>Report-level checks also missed the manipulation. Altered reports looked similar to clean reports because the agent itself folded the fake recommendation into an otherwise normal answer.<\/li>\n<\/ul>\n<p><strong>Why we care. <\/strong>A small edit to a public page can become part of a cited AI answer, even when the underlying source is user-generated. Misinformation planted on sites like Reddit or in forums can move from discussion threads to cited recommendations in AI answers that look credible to users.<\/p>\n<p><strong>About the research. <\/strong>The paper, <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/arxiv.org\/pdf\/2605.24245\">Deep-Research Agents Can Be Poisoned via User-Generated Content<\/a>, was written by Tingwei Zhang, Harold Triedman, and Vitaly Shmatikov of Cornell Tech and posted to arXiv on May 22. 
The researchers tested the full attack on three open-source systems: STORM, Co-STORM, and OmniThink. They analyzed OpenAI Deep Research and Gemini Deep Research for user-generated citations, but didn\u2019t run live manipulation tests because that would require publishing altered content to the open web.<\/p>\n<div class=\"ttd-topics-display\">\n<div class=\"ttd-topics-content\">\n<h5><span class=\"ez-toc-section\" id=\"Topics_on_this_page\"><\/span>Topics on this page<span class=\"ez-toc-section-end\"><\/span><\/h5>\n<div class=\"ttd-topics-links\">Artificial intelligence, ChatGPT Deep Research, Cornell Tech, Reddit, Facebook, Gemini, Information retrieval, Misinformation, OpenAI, URL, Wikipedia, YouTube<\/div>\n<\/div>\n<\/div>\n<\/div>\n<p><span style=\"color: black;\"><a style=\"color: #ff9900;\" href=\"https:\/\/searchengineland.com\/deep-research-ai-agents-poison-ugc-480952\" target=\"_blank\" >Source<\/a><\/span><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Fake entities appeared in 38% to 51% of reports when agents retrieved a manipulated page, rising to 62% with multiple pages. 
Cornell Tech researchers found that deep-research AI agents can be manipulated by short edits to public user-generated pages, allowing a single injected Reddit-style comment to become a cited recommendation for fake products, services, or&#8230;<\/p>\n","protected":false},"author":1,"featured_media":735275,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/searchengineland.com\/wp-content\/seloads\/2026\/06\/reddit-deep-research-agents.jpg","fifu_image_alt":"","footnotes":""},"categories":[18],"tags":[],"class_list":["post-735274","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-technology"],"_links":{"self":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/posts\/735274","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/comments?post=735274"}],"version-history":[{"count":0,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/posts\/735274\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/media\/735275"}],"wp:attachment":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/media?parent=735274"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/categories?post=735274"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/tags?post=735274"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}