
AI Search Poisoning: How 13 Words Can Mislead Deep-Research Agents

Cornell Tech researchers showed that roughly 13 words added to a Reddit comment or wiki page can steer AI deep-research agents like ChatGPT and Gemini toward chosen products, scams, or false claims. The attack, called WARP, exploits how these agents repeatedly cite user-generated content. For businesses, AI-generated research now carries a verification burden.

Vectrel Team, AI Solutions Architects

Published: June 20, 2026
Reading time: 8 min read

Tags: ai-search, agentic-ai, rag, ai-risk, enterprise-ai, responsible-ai, geo

Cornell Tech researchers have shown that roughly 13 words added to an ordinary Reddit comment can steer AI deep-research agents like ChatGPT and Gemini toward scams, fake products, and false claims. The attack, called WARP, never breaks into any AI provider. It exploits the public pages these agents already trust and cite.

# What the Cornell Study Found

In a preprint titled Deep-Research Agents Can Be Poisoned via User-Generated Content, Cornell Tech researchers Tingwei Zhang, Harold Triedman, and Vitaly Shmatikov demonstrated a practical way to manipulate the AI tools that increasingly sit between people and the open web. The work was first reported by 404 Media and covered by Tom's Guide.

Deep-research agents are the multi-step tools that retrieve, synthesize, and cite web content to produce a structured report rather than a single answer. They feel authoritative because they show their sources. That is exactly the weakness. According to the researchers, these agents draw a large share of what they read from user-generated platforms, with roughly 17 to 23 percent of all retrieved pages coming from sites like Reddit, Wikipedia, Quora, and YouTube. Those are also the easiest pages on the internet to edit.

The team named the technique WARP, for Web Agent Retrieval Poisoning. The headline finding is that an attacker does not need volume or access. As few as 13 words appended to a page the agent already pulls in can be enough to bend its conclusions.

# How the WARP Attack Works

Most poisoning research assumes an attacker floods a system with new malicious documents. WARP is more economical and harder to defend against.

It edits pages the agent already reads. Instead of injecting fresh content and hoping it gets retrieved, WARP appends crafted text to high-overlap pages the agent retrieves organically, such as a popular Reddit thread. The poisoned page was already in the citation set.

One edit influences many queries. The researchers observed that deep-research agents repeatedly pull the same user-generated pages across related questions. That retrieval overlap means a single poisoned comment can shape outputs for an entire cluster of queries, not just one.

It hides in plain sight. Because the change is a short, plausible-looking addition to legitimate community content, it does not trip the filters built to catch obvious spam or injected documents.

On open-source deep-research systems including STORM, Co-STORM, and OmniThink, the researchers reported that even when poisoned text made up less than 4 percent of retrieved content, the agents repeated the planted claim in 30 to 53 percent of cases. They did not run end-to-end attacks against commercial products like ChatGPT and Gemini for ethical reasons, but they measured citation behavior and found Gemini cited user-generated content at 12.1 percent on the evaluated topics, a level consistent with comparable exposure.
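The retrieval-overlap property described above is also what a defender can measure. The following is an added illustration, not code from the Cornell paper or from Vectrel: given a log of (query, retrieved URL) pairs of the kind a research agent can emit at each retrieval step, it computes the share of retrievals that land on user-generated-content domains and lists the individual UGC pages that recur across many distinct queries. Those are the pages where a single edit would propagate into the most reports, so they are the ones to re-read before trusting a synthesis. The domain list, the threshold and the sample log lines are constructed.

```python
"""Retrieval-overlap monitor for a deep-research pipeline (added example)."""
from collections import defaultdict
from urllib.parse import urlparse

# The user-generated platforms the post names; constructed list, deliberately short.
UGC_DOMAINS = {"reddit.com", "wikipedia.org", "quora.com", "youtube.com"}


def registrable_domain(url: str) -> str:
    """Last two host labels, e.g. en.wikipedia.org -> wikipedia.org.
    Sufficient for the sample domains; production code would use a public-suffix list."""
    host = (urlparse(url).hostname or "").lower()
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def is_ugc(url: str) -> bool:
    return registrable_domain(url) in UGC_DOMAINS


def ugc_share(log: list[tuple[str, str]]) -> float:
    """Fraction of all retrieval events that landed on a UGC domain."""
    if not log:
        return 0.0
    return sum(is_ugc(url) for _, url in log) / len(log)


def queries_per_page(log: list[tuple[str, str]]) -> dict[str, set[str]]:
    """For each URL, the set of distinct queries that retrieved it."""
    seen: dict[str, set[str]] = defaultdict(set)
    for query, url in log:
        seen[url].add(query)
    return dict(seen)


def high_leverage_pages(log: list[tuple[str, str]], min_queries: int = 3) -> list[tuple[str, int]]:
    """UGC pages reused by at least `min_queries` distinct queries, most reused first.
    One edit to such a page reaches every report built on those queries."""
    reuse = queries_per_page(log)
    flagged = [(url, len(qs)) for url, qs in reuse.items()
               if is_ugc(url) and len(qs) >= min_queries]
    return sorted(flagged, key=lambda item: (-item[1], item[0]))


def spot_check_plan(log: list[tuple[str, str]], min_queries: int = 3) -> list[str]:
    """Human-readable list of pages to re-read before trusting the agent's synthesis."""
    return [f"{url} (cited for {n} queries)" for url, n in high_leverage_pages(log, min_queries)]


# Constructed sample log: four related vendor-research queries, twelve retrievals.
REDDIT_THREAD = "https://www.reddit.com/r/sysadmin/comments/x1y2z3/best_pw_manager/"
WIKI_PAGE = "https://en.wikipedia.org/wiki/Password_manager"
SAMPLE_LOG = [
    ("best password manager for a 20-person company", REDDIT_THREAD),
    ("best password manager for a 20-person company", WIKI_PAGE),
    ("best password manager for a 20-person company", "https://www.example-vendor.com/pricing"),
    ("password manager pricing comparison 2026", REDDIT_THREAD),
    ("password manager pricing comparison 2026", "https://www.example-vendor.com/pricing"),
    ("password manager pricing comparison 2026", "https://www.example-review-site.com/password-managers"),
    ("password manager security audit results", REDDIT_THREAD),
    ("password manager security audit results", "https://www.example-vendor.com/security/audit-2025"),
    ("password manager security audit results", WIKI_PAGE),
    ("password manager SSO integration options", "https://www.example-vendor.com/docs/sso"),
    ("password manager SSO integration options", REDDIT_THREAD),
    ("password manager SSO integration options", "https://www.quora.com/Which-password-manager-supports-SSO"),
]

if __name__ == "__main__":
    print(f"UGC share of retrievals: {ugc_share(SAMPLE_LOG):.0%}")
    for line in spot_check_plan(SAMPLE_LOG):
        print("spot-check:", line)
```

In the constructed log the one Reddit thread is retrieved for all four queries, so it is the single page whose content most deserves a manual read; wiring this monitor to an agent's retrieval trace turns the paper's overlap observation into a standing check rather than a one-off finding.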

# Why This Matters for Your Business

The strategic point is not that one more AI vulnerability exists. It is that the trust model has quietly shifted. When your team asks an AI agent to research a vendor, a competitor, a pricing benchmark, or a security product, the answer is only as reliable as the most editable page it happened to cite. This is a different risk profile from the AI Overviews and citation dynamics that are reshaping how customers find businesses; there the concern is visibility. Here the concern is integrity.

The exposure runs in two directions. Inbound, your employees may act on AI research that has been steered toward a scam, an inferior product, or a fabricated statistic. The Cornell team specifically demonstrated agents recommending products that do not exist. Outbound, the same mechanics let competitors or bad actors plant claims about your company, your pricing, or your reliability on the exact pages AI engines cite when prospects ask about you.

These deep-research tools are, under the hood, the kind of multi-agent retrieval pipelines we have written about before. Each retrieval step compounds the trust placed in unvetted sources, which is why a small, cheap edit can travel so far through the final report.

Our take: AI-generated research should be treated as a fast first draft from a confident but unverified analyst, not as a finished conclusion. The productivity gains are real, but the verification step is no longer optional for any decision with money or risk attached.

# What Businesses Should Do

You cannot patch a vulnerability that lives on the public web, so the response is procedural and architectural rather than a one-time fix.

  1. Add a verification layer to high-stakes AI research. For vendor selection, pricing, legal, and security decisions, require that AI-surfaced claims be confirmed against a primary source before anyone acts. Make this a written step in the workflow, not an informal habit.
  2. Audit how AI engines describe you. Periodically ask ChatGPT, Gemini, and Perplexity about your company, products, and pricing. When the answers are wrong, trace them to the source page and correct or report it. This is becoming part of brand and risk governance, which deserves a documented framework.
  3. Harden your own retrieval systems. If you operate an internal RAG or research agent, do not treat retrieved pages as ground truth. Teams that build their own deep-research tools increasingly need retrieval pipelines that score, filter, and cross-check sources before synthesis, plus human review on outputs that drive money or safety decisions.
  4. Constrain trusted sources where you can. For internal knowledge work, prefer agents that retrieve from vetted, access-controlled corpora over the open web. Open-web retrieval is powerful for breadth, but it should not feed decisions that demand certainty.
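Steps 3 and 4 above, scoring, cross-checking and constraining sources before synthesis, can be expressed as a small gate in front of the report writer. The following is an added illustration; it is not the Cornell authors' code or any vendor's. Each retrieved page gets a trust tier from its domain and contributes extracted facts as key/value pairs (the extraction is assumed to have happened upstream). A candidate claim is accepted only when a primary source supports it and no primary source contradicts it; a claim backed solely by user-generated pages is held for human verification instead of being written into the report; a claim that a primary source flatly contradicts is rejected. The tier table, pages and facts are constructed.

```python
"""Tiered source corroboration gate for an internal research agent (added example)."""
from dataclasses import dataclass
from urllib.parse import urlparse

# Lower tier = more trusted. Constructed mapping for the sample domains.
DOMAIN_TIERS = {
    "example-vendor.com": 0,       # primary: the vendor's own site
    "example-review-site.com": 1,  # editorial, secondary
    "wikipedia.org": 2,            # user-generated, moderated
    "reddit.com": 3,               # user-generated, open
    "quora.com": 3,
}
UNKNOWN_TIER = 2       # unlisted domains are treated as secondary at best
PRIMARY_MAX_TIER = 1   # tiers 0 and 1 count as primary for corroboration


def domain_of(url: str) -> str:
    host = (urlparse(url).hostname or "").lower()
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


@dataclass
class Page:
    url: str
    facts: dict  # key -> value this page asserts (output of an upstream extractor)

    @property
    def tier(self) -> int:
        return DOMAIN_TIERS.get(domain_of(self.url), UNKNOWN_TIER)

    @property
    def is_primary(self) -> bool:
        return self.tier <= PRIMARY_MAX_TIER


def restrict(pages: list[Page], max_tier: int) -> list[Page]:
    """Step 4 of the post: keep only pages at or above a trust tier."""
    return [p for p in pages if p.tier <= max_tier]


def verdict(key: str, value: str, pages: list[Page]) -> str:
    """accept / reject / verify / unsupported for the claim `key == value`."""
    supporters = [p for p in pages if p.facts.get(key) == value]
    contradictors = [p for p in pages if key in p.facts and p.facts[key] != value]
    if not supporters:
        return "reject" if any(p.is_primary for p in contradictors) else "unsupported"
    primary_for = any(p.is_primary for p in supporters)
    primary_against = any(p.is_primary for p in contradictors)
    if primary_for and not primary_against:
        return "accept"
    if primary_against and not primary_for:
        return "reject"   # a primary source says otherwise
    return "verify"       # UGC-only support, or primaries disagree: a human decides


def triage(claims: list[tuple[str, str]], pages: list[Page]) -> dict[tuple[str, str], str]:
    return {claim: verdict(claim[0], claim[1], pages) for claim in claims}


def report_ready(claims: list[tuple[str, str]], pages: list[Page]) -> list[tuple[str, str]]:
    """Only the claims that may be synthesized without a human in the loop."""
    return [c for c in claims if verdict(c[0], c[1], pages) == "accept"]


# Constructed retrieved pages for one vendor-research task.
PAGES = [
    Page("https://www.example-vendor.com/pricing", {"per_seat_price_usd": "6", "sso": "yes"}),
    Page("https://www.example-vendor.com/security", {"soc2_report": "type2"}),
    Page("https://www.example-review-site.com/pw-managers", {"per_seat_price_usd": "6"}),
    Page("https://en.wikipedia.org/wiki/Example_Vendor", {"founded": "2015"}),
    # A community thread whose facts diverge from the vendor's own pages.
    Page("https://www.reddit.com/r/sysadmin/comments/x1y2z3/",
         {"per_seat_price_usd": "8", "soc2_report": "none", "sso": "yes"}),
]

# Constructed candidate claims the agent wants to put in its report.
CLAIMS = [
    ("per_seat_price_usd", "8"),  # Reddit only, contradicted by primary -> reject
    ("per_seat_price_usd", "6"),  # vendor + review site -> accept
    ("sso", "yes"),               # vendor and Reddit agree -> accept
    ("soc2_report", "none"),      # Reddit only, vendor security page contradicts -> reject
    ("founded", "2015"),          # Wikipedia only -> verify
    ("mfa_enforced", "yes"),      # no retrieved page mentions it -> unsupported
]

if __name__ == "__main__":
    for claim, outcome in triage(CLAIMS, PAGES).items():
        print(f"{outcome:11s} {claim[0]} = {claim[1]}")
```

The gate is deliberately conservative: agreement between a community thread and a primary source still passes, but a value that appears only on an editable page never reaches the report on its own. With `restrict(PAGES, 1)` the open-web tiers drop out entirely, which is the access-controlled-corpus posture the post recommends for internal knowledge work.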

# Common Mistakes to Avoid

The biggest mistake is conflating citations with verification. An AI report that links its sources looks rigorous, but WARP works precisely because the cited source is the compromised one. A footnote is not a fact-check.

The second mistake is assuming this is only a consumer problem. Enterprise teams are adopting deep-research agents for competitive intelligence and procurement, which are exactly the high-value, adversarial contexts where someone has an incentive to plant a misleading 13 words.

# Key Takeaways

  • Cornell Tech's WARP attack shows that roughly 13 words added to an existing Reddit or wiki page can steer AI deep-research agents toward chosen claims, scams, or fake products.
  • The attack works because these agents draw 17 to 23 percent of retrieved pages from easily edited user-generated sites and reuse the same pages across many queries.
  • On open-source agents, poisoned text under 4 percent of retrieved content still produced the planted claim 30 to 53 percent of the time.
  • The fix is procedural and architectural: verify AI research against primary sources, monitor how AI engines describe your brand, and harden any internal retrieval systems you build.

The businesses that move early on AI search integrity will have a meaningful advantage as deep-research agents spread through procurement and competitive intelligence. If you want to be one of them, let's start with a conversation.

# Frequently asked questions

What is AI search poisoning?

AI search poisoning is the manipulation of content that AI research agents retrieve and cite, so the agent repeats attacker-chosen claims. Cornell Tech researchers showed that adding roughly 13 words to a Reddit comment can steer deep-research tools toward fake products, scams, or false answers without ever breaching the AI provider.

What is the WARP attack?

WARP, short for Web Agent Retrieval Poisoning, is an attack from Cornell Tech that modifies existing pages an AI agent already reads rather than injecting new ones. By appending crafted text to a frequently cited Reddit or wiki page, a single edit can influence the agent's output across an entire cluster of related queries.

Which AI tools are vulnerable to retrieval poisoning?

Any tool that retrieves and cites live web content is exposed, including deep-research features in ChatGPT and Gemini and open-source agents like STORM. The researchers found these systems draw roughly 17 to 23 percent of retrieved pages from user-generated sites such as Reddit, Wikipedia, and Quora, which are easy to edit.

How can businesses protect against AI search manipulation?

Treat AI-generated research as a draft, not a verdict. Verify claims against primary sources before acting, especially for vendor selection, pricing, and security decisions. For internal AI tools, add source scoring, citation checks, and human review on high-stakes outputs rather than trusting any single retrieved page.

Does AI search poisoning affect SEO and brand reputation?

Yes. The same mechanics that let attackers plant false claims let competitors or bad actors shape how AI engines describe your brand, products, and pricing. Monitoring what AI search says about your company, and correcting it at the source, is becoming part of reputation management.
