Researchers from Cornell Tech disclosed an attack called WARP — Web Agent Retrieval Poisoning — that targets deep-research agents like STORM, Co-STORM, and OmniThink, as well as commercial systems whose retrieval citations are observable. The attack does not inject new documents into a vector store. Instead, the attacker runs reconnaissance on a target topic, identifies user-generated-content (UGC) pages (such as Reddit threads) that agents consistently fetch when answering related queries, then appends a short poisoned passage — sometimes only about 13 words — to one of those pages. Across the cluster of related queries, the agent's output then drifts toward whatever the poison says.

What makes WARP novel is the assumption it removes. Most prior RAG-poisoning work assumed the attacker could write to the document store or had insider access to indexing. WARP shows that this is unnecessary: the public web already gives attackers write access to the pages agents read, because agents preferentially retrieve high-engagement community discussion for recommendation-style queries. A Reddit comment, an Amazon review, or a Stack Overflow answer is enough — provided it sits on the page the agent already wanted to consult.

The threat model lands at an awkward time for the industry. OpenAI, Anthropic, Google, and Perplexity have all pushed deep-research products into mainstream availability over the last six months, with explicit pitches around "research that used to take a week, in 10 minutes." If 13 words of UGC can steer those outputs, the products' core value claim — synthesis over the open web — is the same property the attack exploits. Defenses exist (source diversity scoring, adversarial training on poisoned corpora, human-in-the-loop citation review), but the easiest defense — "only retrieve from trusted publishers" — also kills the use case.

Takeaway for learners: when you read an AI-generated research summary, the most important question is not "is the model accurate?" but "which pages did it read, and who can write to those pages?" That single question covers most prompt injection, most poisoning, and most hallucination-by-bad-source. Get into the habit of clicking the citations — both to spot-check the claim and to see whether the source is the kind anyone with a keyboard can edit.
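As an added illustration (not code from the paper or from any of the systems named above), here is a small citation audit in Python that applies the takeaway question to a report's citation list: it marks claims supported only by user-editable pages or by a single domain, and lists pages that underpin more than half of all claims, which is the concentration WARP relies on. The UGC host list and the sample citations are constructed for the example.

```python
"""Citation audit for a deep-research report: flag claims whose support
rests on pages anyone can edit, and pages that dominate the whole report."""
from collections import Counter
from urllib.parse import urlparse

# Hosts whose pages accept user-generated content. Constructed, illustrative
# list; a real deployment would maintain its own.
UGC_HOSTS = {"reddit.com", "stackoverflow.com", "amazon.com", "quora.com"}


def registrable_domain(url: str) -> str:
    """Collapse subdomains with a naive two-label rule: old.reddit.com -> reddit.com."""
    host = (urlparse(url).hostname or "").lower()
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def is_ugc(url: str) -> bool:
    """True when the cited page lives on a host where anyone can append content."""
    return registrable_domain(url) in UGC_HOSTS


def audit_citations(claims: dict, max_page_share: float = 0.5) -> dict:
    """claims maps claim text -> list of cited URLs.
    Returns per-claim findings plus any page cited for more than
    max_page_share of all claims."""
    per_claim, page_hits = {}, Counter()
    for text, urls in claims.items():
        domains = {registrable_domain(u) for u in urls}
        ugc = [u for u in urls if is_ugc(u)]
        reasons = []
        if urls and len(ugc) == len(urls):
            reasons.append("only user-editable sources")
        if len(domains) < 2:
            reasons.append("single source domain")
        per_claim[text] = {
            "ugc_share": len(ugc) / len(urls) if urls else 0.0,
            "distinct_domains": len(domains),
            "reasons": reasons,
        }
        for u in set(urls):  # count each page once per claim
            page_hits[u] += 1
    n = len(claims) or 1
    dominant = [u for u, c in page_hits.items() if c / n > max_page_share]
    return {"claims": per_claim, "dominant_pages": dominant}


SAMPLE_CLAIMS = {  # constructed report citations, not real agent output
    "Tool X is the best choice for beginners": [
        "https://www.reddit.com/r/example/comments/abc/best_tool/"],
    "Tool X was released in 2021": [
        "https://www.reddit.com/r/example/comments/abc/best_tool/",
        "https://docs.example.org/release-notes"],
    "Tool X supports plugins": [
        "https://docs.example.org/plugins",
        "https://vendor.example.com/blog/plugins"],
}
```

Running `audit_citations(SAMPLE_CLAIMS)` flags the first claim on both counts and reports the Reddit thread as the dominant page, since it backs two of the three claims.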