Table of Contents
Fetching ...

When Bots Take the Bait: Exposing and Mitigating the Emerging Social Engineering Attack in Web Automation Agent

Xinyi Wu, Geng Hong, Yueyue Chen, MingXuan Liu, Feier Jin, Xudong Pan, Jiarun Dai, Baojun Liu

TL;DR

This work reveals a novel social-engineering threat—AgentBait (A GENTB AIT)—targeting LLM-powered web automation agents by manipulating inducement contexts and task intents to induce unsafe actions. It formalizes the attack through a consistency-based framework involving environment and intention checks, and demonstrates a pluggable runtime defense, SUPERVISOR, that significantly reduces attack success while keeping overhead low. Across five mainstream frameworks and real-world pages, AgentBait achieves high attack success (average ~67.5%), while SUPERVISOR can cut this by up to ~78.1% with minimal usability impact. The study provides practical, openly shareable defenses and tools to bolster the security of open-source web-agent ecosystems against evolving social-engineering risks.

Abstract

Web agents, powered by large language models (LLMs), are increasingly deployed to automate complex web interactions. The rise of open-source frameworks (e.g., Browser Use, Skyvern-AI) has accelerated adoption, but also broadened the attack surface. While prior research has focused on model threats such as prompt injection and backdoors, the risks of social engineering remain largely unexplored. We present the first systematic study of social engineering attacks against web automation agents and design a pluggable runtime mitigation solution. On the attack side, we introduce the AgentBait paradigm, which exploits intrinsic weaknesses in agent execution: inducement contexts can distort the agent's reasoning and steer it toward malicious objectives misaligned with the intended task. On the defense side, we propose SUPERVISOR, a lightweight runtime module that enforces environment and intention consistency alignment between webpage context and intended goals to mitigate unsafe operations before execution. Empirical results show that mainstream frameworks are highly vulnerable to AgentBait, with an average attack success rate of 67.5% and peaks above 80% under specific strategies (e.g., trusted identity forgery). Compared with existing lightweight defenses, our module can be seamlessly integrated across different web automation frameworks and reduces attack success rates by up to 78.1% on average while incurring only a 7.7% runtime overhead and preserving usability. This work reveals AgentBait as a critical new threat surface for web agents and establishes a practical, generalizable defense, advancing the security of this rapidly emerging ecosystem. We reported the details of this attack to the framework developers and received acknowledgment before submission.

When Bots Take the Bait: Exposing and Mitigating the Emerging Social Engineering Attack in Web Automation Agent

TL;DR

This work reveals a novel social-engineering threat—AgentBait (A GENTB AIT)—targeting LLM-powered web automation agents by manipulating inducement contexts and task intents to induce unsafe actions. It formalizes the attack through a consistency-based framework involving environment and intention checks, and demonstrates a pluggable runtime defense, SUPERVISOR, that significantly reduces attack success while keeping overhead low. Across five mainstream frameworks and real-world pages, AgentBait achieves high attack success (average ~67.5%), while SUPERVISOR can cut this by up to ~78.1% with minimal usability impact. The study provides practical, openly shareable defenses and tools to bolster the security of open-source web-agent ecosystems against evolving social-engineering risks.

Abstract

Web agents, powered by large language models (LLMs), are increasingly deployed to automate complex web interactions. The rise of open-source frameworks (e.g., Browser Use, Skyvern-AI) has accelerated adoption, but also broadened the attack surface. While prior research has focused on model threats such as prompt injection and backdoors, the risks of social engineering remain largely unexplored. We present the first systematic study of social engineering attacks against web automation agents and design a pluggable runtime mitigation solution. On the attack side, we introduce the AgentBait paradigm, which exploits intrinsic weaknesses in agent execution: inducement contexts can distort the agent's reasoning and steer it toward malicious objectives misaligned with the intended task. On the defense side, we propose SUPERVISOR, a lightweight runtime module that enforces environment and intention consistency alignment between webpage context and intended goals to mitigate unsafe operations before execution. Empirical results show that mainstream frameworks are highly vulnerable to AgentBait, with an average attack success rate of 67.5% and peaks above 80% under specific strategies (e.g., trusted identity forgery). Compared with existing lightweight defenses, our module can be seamlessly integrated across different web automation frameworks and reduces attack success rates by up to 78.1% on average while incurring only a 7.7% runtime overhead and preserving usability. This work reveals AgentBait as a critical new threat surface for web agents and establishes a practical, generalizable defense, advancing the security of this rapidly emerging ecosystem. We reported the details of this attack to the framework developers and received acknowledgment before submission.
Paper Structure (45 sections, 4 equations, 9 figures, 12 tables)

This paper contains 45 sections, 4 equations, 9 figures, 12 tables.

Figures (9)

  • Figure 1: A motivation example: a web agent (Browser Use) browser_use2024 is induced by a bait authentication pop-up to disclose the user’s sensitive information.
  • Figure 2: The attack workflow of A GENTB AIT: a customer satisfaction survey contains inducement contexts (prize draw) that steers the agent toward an attack objectives of filling in a bank card number, resulting in unsafe observed behavior.
  • Figure 3: Overview of the task construction: a webpage embedding attack vectors and a prompt encoding consistency patterns, forming a structured input quadruple for systematic attack evaluation.
  • Figure 4: Attack success rates under Trusted Entity with (w) and without (w/o) authority cues.
  • Figure 5: Distribution of refusal rates caused by intrinsic safety activation across four attack objectives in web agents.
  • ...and 4 more figures