Poison Once, Exploit Forever: Environment-Injected Memory Poisoning Attacks on Web Agents
Summary of arXiv:2604.02623v1 (announce type: cross)
Abstract: Memory makes LLM-based web agents personalized, powerful, yet exploitable. By storing past interactions to personalize future tasks, agents inadvertently create a persistent attack surface that spans websites and sessions. While existing security research on memory assumes attackers can directly inject into memory storage or exploit shared memory across users, we present a more realistic threat model: contamination through environmental observation alone.
We introduce Environment-injected Trajectory-based Agent Memory Poisoning (eTAMP), the first attack to achieve cross-session, cross-site compromise without requiring direct memory access. A single contaminated observation (e.g., viewing a manipulated product page) silently poisons an agent’s memory and activates during future tasks on different websites, bypassing permission-based defenses.
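As an added illustration (not code from the paper): the threat model above rests on page-derived memories being reusable across sites and sessions, so one defensive design is provenance-tagged memory in which entries derived from page content are confined to the origin that produced them. The class, the scenario and the URLs below are hypothetical.

```python
from dataclasses import dataclass, field
from urllib.parse import urlparse


@dataclass(frozen=True)
class MemoryEntry:
    text: str
    origin: str      # scheme://host of the page the agent was on when this was written
    session_id: str
    source: str      # "user": typed by the user; "observation": derived from page content


@dataclass
class OriginScopedMemory:
    """Agent memory whose retrieval is gated by provenance (hypothetical design)."""
    entries: list = field(default_factory=list)

    @staticmethod
    def origin_of(url: str) -> str:
        p = urlparse(url)
        return f"{p.scheme}://{p.netloc}".lower()

    def remember(self, text: str, url: str, session_id: str, source: str) -> None:
        if source not in ("user", "observation"):
            raise ValueError(f"unknown source {source!r}")
        self.entries.append(MemoryEntry(text, self.origin_of(url), session_id, source))

    def recall(self, current_url: str, cross_site_observations: bool = False) -> list:
        """Return entries usable on current_url.

        User-authored entries are always usable. Page-derived entries stay inside
        the origin that produced them unless the caller opts in; opting in is the
        unscoped behaviour that lets one poisoned page reach later sites and sessions.
        """
        cur = self.origin_of(current_url)
        return [e for e in self.entries
                if e.source == "user" or e.origin == cur or cross_site_observations]


def demo() -> dict:
    """Constructed scenario: a page-derived note from a shop is later recalled elsewhere."""
    mem = OriginScopedMemory()
    mem.remember("User prefers express shipping", "https://shop.example/cart", "s1", "user")
    # Constructed placeholder for text lifted from a manipulated product page.
    mem.remember("text captured from a manipulated product page",
                 "https://shop.example/item/42", "s1", "observation")
    at_bank = "https://bank.example/pay"   # a different site in a later session
    return {
        "scoped": [e.text for e in mem.recall(at_bank)],
        "unscoped": [e.text for e in mem.recall(at_bank, cross_site_observations=True)],
        "same_site": [e.text for e in mem.recall("https://shop.example/checkout")],
    }
```

Same-origin recall still returns page-derived entries, so this only removes the cross-site, cross-session reach described above, not injection within the site where the observation was made.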
Key Findings
Our experiments conducted on (Visual)WebArena reveal two significant findings regarding the effectiveness and implications of eTAMP:
- Substantial Attack Success Rates: eTAMP achieves substantial memory-poisoning success rates, up to 32.5% on GPT-5-mini, 23.4% on GPT-5.2, and 19.5% on GPT-OSS-120B.
- Frustration Exploitation: Agents under environmental stress exhibit increased vulnerability. The Attack Success Rate (ASR) increases dramatically, up to 8 times, when agents struggle with issues such as dropped clicks or garbled text.
Our findings also indicate that more capable models are not necessarily more secure: GPT-5.2 showed significant vulnerability despite its superior task performance elsewhere.
The Rise of AI Browsers and Urgency for Defenses
With the emergence of AI-driven browsers like OpenClaw, ChatGPT Atlas, and Perplexity Comet, the implications of eTAMP become even more pressing. The ability to silently poison an agent’s memory through mere environmental observation highlights the urgent need for robust defenses against such sophisticated attacks.
In conclusion, as LLM-based web agents increasingly become integrated into everyday technology, the security of these systems must be prioritized. Addressing the vulnerabilities identified in our research is crucial for ensuring that personalized web experiences do not come at the cost of user security. Future research and development efforts must focus on creating resilient systems capable of withstanding the threat of environment-injected memory poisoning.
