Cornell Tech's WARP Attack Shows 13-Word Reddit Comment Can Steer ChatGPT Deep Research and Gemini Toward Fake Products at 38–62% Success Rate

Cornell Tech researchers Tingwei Zhang, Harold Triedman, and Vitaly Shmatikov demonstrated that as few as 13 words of promotional text embedded in a Reddit comment can redirect ChatGPT Deep Research and Google Gemini toward fabricated products and scams in 38–51% of runs where the poisoned source is retrieved; spreading the payload across multiple threads pushed success rates to approximately 62%. The attack, named WARP (Web Agent Retrieval Poisoning), requires no platform access — it exploits the implicit trust AI agents extend to user-generated content on Reddit, Wikipedia, and similar sites. Researchers validated end-to-end attacks against STORM, Co-STORM, and OmniThink, and assessed commercial systems through citation behavior.