EIA: Environmental Injection Attack on Generalist Web Agents for Privacy Leakage

Zeyi Liao, Lingbo Mo, Chejian Xu, Mintong Kang, Jiawei Zhang, Chaowei Xiao, Yuan Tian, Bo Li, Huan Sun

TL;DR

This work investigates privacy risks posed by generalist web agents operating on real websites. It introduces Environmental Injection Attack (EIA), an environment-adaptive prompt-injection approach with Form Injection and Mirror Injection strategies, to leak user PII or full user requests. Through Mind2Web-based experiments using SeeAct across multiple backbones, EIA demonstrates up to 70% ASR for PII leakage and, with Relaxed-EIA, up to 16% ASR for full requests, while remaining hard to detect and resistant to defensive prompts. The study discusses the autonomy-security trade-off, the limitations of human supervision, and calls for defense strategies at both pre- and post-deployment to safely deploy web agents.

Abstract

Generalist web agents have demonstrated remarkable potential in autonomously completing a wide range of tasks on real websites, significantly boosting human productivity. However, web tasks, such as booking flights, usually involve users' PII, which may be exposed to privacy risks if web agents accidentally interact with compromised websites, a scenario that remains largely unexplored in the literature. In this work, we narrow this gap by conducting the first study on the privacy risks of generalist web agents in adversarial environments. First, we present a realistic threat model for attacks on the website, where we consider two adversarial targets: stealing users' specific PII or the entire user request. Then, we propose a novel attack method, termed Environmental Injection Attack (EIA). EIA injects malicious content designed to adapt well to the environments where the agents operate, and our work instantiates EIA specifically for privacy scenarios in web environments. We collect 177 action steps that involve diverse PII categories on realistic websites from Mind2Web, and conduct experiments using one of the most capable generalist web agent frameworks to date. The results demonstrate that EIA achieves up to 70% ASR in stealing specific PII and 16% ASR for the full user request. Additionally, by assessing the stealthiness of the attack and experimenting with a defensive system prompt, we show that EIA is hard to detect and mitigate. Notably, attacks that are not well adapted to a webpage can be detected via human inspection, leading to our discussion about the trade-off between security and autonomy. However, extra attacker effort can make EIA seamlessly adapted, rendering such supervision ineffective. Thus, we further discuss defenses at the pre- and post-deployment stages of websites that do not rely on human supervision, and call for more advanced defense strategies.

Paper Structure

This paper contains 33 sections, 6 equations, 28 figures, 1 table.

Figures (28)

  • Figure 1: Illustration of EIA on a real website: GameStop (gamestop.com). It shows the process via which the web agent is compromised by EIA, resulting in an unauthorized disclosure of the user's PII. Specifically, at the step of filling the recipient name on the website, the web agent is misled into typing the PII into the injected field, which contains the malicious instruction, and both the field and the instruction are invisible. After the unnoticed leakage, the web agent continues its original task.
  • Figure 2: A detailed illustration of EIA implementations. It presents the Form Injection (aria) and Mirror Injection strategies against the target element (the recipient name field in Fig. 1) at the reference point $P_0$. The Form Injection (aria) inserts a new form at position $P_{-1}$, while the Mirror Injection mirrors the target element at position $P_{+2}$ with an added persuasive instruction in the aria-label attribute. Both are set to zero opacity by configuring CSS features and utilize JavaScript auto-submission mechanisms. "xxx" represents other HTML content not directly relevant to the injection mechanisms.
  • Figure 3: ASR and $\text{ASR}_{pt}$ results for EIA (solid line) and Relaxed-EIA (dashed line). Our attacks do not affect the agent's functional integrity.
  • Figure 4: ASR results for EIA (solid line) and Relaxed-EIA (dashed line) for the default SeeAct and SeeAct with a defensive system prompt.
  • Figure 5: Screenshot of the benign normal website.
  • ...and 23 more figures