pith. sign in

arxiv: 2605.24245 · v1 · pith:ULRKMPW6new · submitted 2026-05-22 · 💻 cs.CR

Deep-Research Agents Can Be Poisoned via User-Generated Content

Pith reviewed 2026-06-30 15:32 UTC · model grok-4.3

classification 💻 cs.CR
keywords deep-research agentsuser-generated contentcontent poisoningweb retrievalagent securitymulti-agent pipelinesretrieval overlapSTORM
0
0 comments X

The pith

An adversary can poison one frequently retrieved user-generated content page to make deep-research agents cite attacker-chosen material across many related queries.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

Deep-research agents rely on multi-agent pipelines that issue many related queries and retrieve web content to build structured reports. For common topics these agents repeatedly fetch the same pages from Reddit, Wikipedia and similar platforms, creating retrieval overlap. The paper shows that an adversary who appends a short crafted text to just one such page can cause the agent to cite the attacker-chosen content and promote chosen entities in reports on many queries. Evaluation on STORM, Co-STORM and OmniThink confirms the attack works, while source filtering and output detection are examined as possible defenses. The finding matters because these agents are replacing ordinary search for both routine and complex information needs.

Core claim

Deep-research agents repeatedly retrieve the same user-generated content pages from platforms such as Reddit and Wikipedia during a single research session. This retrieval overlap creates a concentrated attack surface: an adversary who appends a short, crafted text to a single frequently retrieved page can cause the agent to cite attacker-chosen content and promote attacker-chosen entities across many related queries. The attack is demonstrated on three representative systems, and defenses at different pipeline stages are studied.

What carries the argument

Retrieval overlap of the same user-generated content pages across the multiple related queries issued by a deep-research agent in one session.

If this is right

  • The attack causes agents to cite attacker-chosen content in structured reports.
  • Attacker-chosen entities are promoted across many related queries.
  • The attack succeeds on STORM, Co-STORM, and OmniThink.
  • Source-level filtering and output-based detection can be applied at different stages of the pipeline.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

  • Other agent systems that perform iterative web retrieval for synthesis may share the same exposure to single-page poisoning.
  • Diversifying retrieval sources or requiring cross-page verification could reduce the effectiveness of the attack.
  • The vulnerability may affect non-research tasks that still rely on repeated web queries and user-generated content.

Load-bearing premise

That deep-research agents repeatedly retrieve the same user-generated content pages for many common search topics.

What would settle it

A measurement showing that deep-research agents retrieve largely distinct user-generated content pages even for related queries within one session, or an experiment in which crafted text added to one such page is never cited by the agent.

Figures

Figures reproduced from arXiv: 2605.24245 by Harold Triedman, Tingwei Zhang, Vitaly Shmatikov.

Figure 1
Figure 1. Figure 1: A schematic diagram of our attack framework. In step 1, a user makes a query to a deep-research agent. In step 2, [PITH_FULL_IMAGE:figures/full_fig_p002_1.png] view at source ↗
Figure 2
Figure 2. Figure 2: Example of the SERP-snippet attack on Co-STORM (query: “best cryptocurrencies to invest in for long-term growth”). [PITH_FULL_IMAGE:figures/full_fig_p003_2.png] view at source ↗
Figure 3
Figure 3. Figure 3: An illustration of all of the steps of the query generation process, including ideation, seed query template generation, [PITH_FULL_IMAGE:figures/full_fig_p015_3.png] view at source ↗
Figure 4
Figure 4. Figure 4: Example of the WARP SERP-snippet attack on Co-STORM (query: “best dating apps for divorced men over 50”). Top: 15-word poisoned text appended to the SERP snippet of a real Reddit URL, promoting the fictitious entity SilverPath. Bottom left: clean report recommending only real apps. Bottom right: attacked report, where the agent promotes the fictitious SilverPath as the “top choice,” citing the poisoned Red… view at source ↗
Figure 5
Figure 5. Figure 5: Example of the SERP-snippet attack on Co-STORM (query: “best Mexican food restaurants near Austin”). Top: 12-word [PITH_FULL_IMAGE:figures/full_fig_p018_5.png] view at source ↗
Figure 6
Figure 6. Figure 6: Example of the SERP-snippet attack on STORM (query: “how to cancel Xfinity internet”). Top: 11-word poisoned text [PITH_FULL_IMAGE:figures/full_fig_p018_6.png] view at source ↗
Figure 7
Figure 7. Figure 7: Example of the SERP-snippet attack on STORM (query: “alternative to AAA roadside assistance Minneapolis”). Top: [PITH_FULL_IMAGE:figures/full_fig_p019_7.png] view at source ↗
Figure 8
Figure 8. Figure 8: Example of the SERP-snippet attack on OmniThink (query: “how to cancel Xfinity internet”). Top: 13-word poisoned [PITH_FULL_IMAGE:figures/full_fig_p019_8.png] view at source ↗
Figure 9
Figure 9. Figure 9: Example of the full-content attack on STORM (query: “best dating apps for divorced men over 50”). Top: [PITH_FULL_IMAGE:figures/full_fig_p020_9.png] view at source ↗
Figure 10
Figure 10. Figure 10: Example of the full-content attack on OmniThink (query: “best Mexican food restaurants near Austin”). Top: [PITH_FULL_IMAGE:figures/full_fig_p020_10.png] view at source ↗
read the original abstract

Deep-research agents, i.e., systems that rely on multi-agent pipelines to iteratively retrieve, synthesize, and cite Web content in order to produce structured reports, are rapidly replacing traditional search for both routine and complex information needs. These agents issue many related queries during a single research session. We show that for many common search topics, they repeatedly retrieve the same user-generated content (UGC) pages from platforms such as Reddit and Wikipedia. Next, we argue that this retrieval overlap creates a concentrated attack surface: an adversary who appends a short, crafted text to a single, frequently retrieved UGC page can cause the agent to cite attacker-chosen content and promote attacker-chosen entities across many related queries. We evaluate this attack on three representative deep-research systems (STORM, Co-STORM, and OmniThink) across multiple query clusters. We also study defenses at different stages of the pipeline, including source-level filtering and output-based detection. Our findings highlight a fundamental vulnerability in how deep-research agents retrieve and integrate web content.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Referee Report

1 major / 0 minor

Summary. The paper claims that deep-research agents repeatedly retrieve the same user-generated content (UGC) pages from platforms like Reddit and Wikipedia during multi-query research sessions, creating a concentrated attack surface; an adversary can append short crafted text to one such page to cause the agent to cite attacker-chosen content and promote attacker-chosen entities across many related queries. The authors state they evaluate the attack on STORM, Co-STORM, and OmniThink across multiple query clusters and study defenses including source filtering and output detection.

Significance. If the retrieval-overlap condition holds at scale and the poisoning propagates reliably through synthesis, the result would identify a practical vulnerability in retrieval-augmented agent pipelines that could undermine trust in generated reports on common topics; the work would usefully direct attention to UGC as a high-leverage poisoning vector and motivate pipeline-level defenses.

major comments (1)
  1. [Abstract] Abstract: the manuscript asserts that an evaluation was performed across three systems and multiple query clusters plus defense studies, yet supplies no success rates, overlap statistics, attack implementation details, measurement methodology, controls, or quantitative results; without these the central claim that the attack is effective remains an unevaluated assertion.

Simulated Author's Rebuttal

1 responses · 0 unresolved

We thank the referee for identifying this issue with the abstract. We address the comment below and will revise the manuscript accordingly.

read point-by-point responses
  1. Referee: [Abstract] Abstract: the manuscript asserts that an evaluation was performed across three systems and multiple query clusters plus defense studies, yet supplies no success rates, overlap statistics, attack implementation details, measurement methodology, controls, or quantitative results; without these the central claim that the attack is effective remains an unevaluated assertion.

    Authors: The referee is correct that the abstract is high-level and does not include quantitative results or methodological details. The full manuscript provides these in Sections 4 (Attack Evaluation), 5 (Defense Studies), and the appendix, including retrieval overlap statistics across query clusters, attack success rates on STORM/Co-STORM/OmniThink, implementation details for the poisoning text, measurement methodology, and controls. To address the concern directly, we will revise the abstract to incorporate key quantitative highlights (e.g., average overlap rates and success rates) while keeping it concise. revision: yes

Circularity Check

0 steps flagged

Empirical attack demonstration with no derivation chain or fitted inputs

full rationale

The paper presents an empirical security argument and attack evaluation on deep-research agents (STORM, Co-STORM, OmniThink). It relies on the observation of retrieval overlap on UGC pages and describes an attack that appends crafted text, followed by defense studies. No equations, parameters, or derivations appear in the abstract or described structure. The central claim is not reduced to its inputs by construction, self-citation, or renaming; it is an experimental demonstration whose validity rests on unreported quantitative results rather than circular logic. This is the expected outcome for a non-theoretical attack paper.

Axiom & Free-Parameter Ledger

0 free parameters · 1 axioms · 0 invented entities

The central claim rests on the domain observation that retrieval overlap occurs for common topics; no free parameters or invented entities are introduced.

axioms (1)
  • domain assumption Deep-research agents issue many related queries and repeatedly retrieve the same UGC pages from platforms such as Reddit and Wikipedia for common topics.
    This premise is stated directly in the abstract as the basis for the concentrated attack surface.

pith-pipeline@v0.9.1-grok · 5709 in / 1272 out tokens · 33438 ms · 2026-06-30T15:32:41.052699+00:00 · methodology

discussion (0)

Sign in with ORCID, Apple, or X to comment. Anyone can read and Pith papers without signing in.

Reference graph

Works this paper leans on

78 extracted references · 6 canonical work pages · 2 internal anchors

  1. [1]

    Zhemao Hoaxes.Wikipedia(Feb

    2026. Zhemao Hoaxes.Wikipedia(Feb. 2026). https://en.wikipedia.org/ wiki/Zhemao_hoaxes

  2. [2]

    I was surprised how upset some people got

    Bill Adair. 2026. “I was surprised how upset some people got”: A conversation with the creator of TomWikiAssist, the bot that edited Wikipedia

  3. [3]

    Pranjal Aggarwal, Vishvak Murahari, Tanmay Rajpurohit, Ashwin Kalyan, Karthik Narasimhan, and Ameet Deshpande. 2024. Geo: Generative engine optimization. InProceedings of the 30th ACM SIGKDD Conference on Knowledge Discovery and Data Mining

  4. [4]

    Cory Alpert and David Adams. 2025. We can’t tell if we’re being persuaded by a person or a program.Pursuit(2025)

  5. [5]

    Creston Brooks, Samuel Eggert, and Denis Peskoff. 2024. The rise of AI-generated content in Wikipedia. InProceedings of the First Workshop on Advancing Natural Language Processing for Wikipedia

  6. [6]

    Matt Burgess and Natasha Bernal. 2025. Chatbots Are Pushing Sanctioned Russian Propaganda.Wired(Oct. 2025). https://www.wired.com/story/ chatbots-are-pushing-sanctioned-russian-propaganda/

  7. [7]

    Mahe Chen, Xiaoxuan Wang, Kaiwen Chen, and Nick Koudas. 2025. Generative engine optimization: How to dominate ai search.arXiv:2509.08919(2025)

  8. [8]

    Rachel Cheung. 2022. A Bored Chinese Housewife Spent Years Falsifying Russian History on Wikipedia.Vice. com(2022). https://www.vice.com/en/article/ chinese-woman-fake-russian-history-wikipedia/

  9. [9]

    Patrick Coffee. 2025. A Billion-Dollar Question Hangs Over the New AI Search Marketing Industry.Wall Street Journal(Dec. 2025)

  10. [10]

    Giulio Corsi, Elizabeth Seger, and Sean Ó hÉigeartaigh. 2024. Crowdsourcing the Mitigation of disinformation and misinformation: The case of spontaneous community-based moderation on Reddit.Online Social Networks and Media43 (2024), 100291. doi:10.1016/j.osnem.2024.100291

  11. [11]

    Google. 2025. Gemini deep research agent. https://ai.google.dev/gemini- api/docs/deep-research

  12. [12]

    Erin Griffith. 2026. Chatbots Are the New Influencers Brands Must Woo.The New York Times(17 February 2026). https://www.nytimes.com/2026/02/17/ technology/chatbots-influencers-brands-marketing.html

  13. [13]

    Kelvin Guu, Kenton Lee, Zora Tung, Panupong Pasupat, and Mingwei Chang

  14. [14]

    InInternational Confer- ence on Machine Learning (ICML)

    Retrieval augmented language model pre-training. InInternational Confer- ence on Machine Learning (ICML)

  15. [15]

    Abhimanyu Hans, Avi Schwarzschild, Valeriia Cherepanova, Hamid Kazemi, Aniruddha Saha, Micah Goldblum, Jonas Geiping, and Tom Goldstein. 2024. 3https://ai.google.dev/gemini-api/docs/video-understanding Spotting LLMs with binoculars: zero-shot detection of machine-generated text. InProceedings of the 41st International Conference on Machine Learning (ICML)

  16. [16]

    Arthur Heitmann. 2026. Project Arctic Shift. https://github.com/ ArthurHeitmann/arctic_shiftGitHub repository

  17. [17]

    Gautier Izacard and Edouard Grave. 2021. Leveraging passage retrieval with generative models for open domain question answering. InProceedings of the 16th Conference of the European Chapter of the Association for Computational Linguistics (EACL)

  18. [18]

    Yucheng Jiang, Yijia Shao, Dekun Ma, Sina Semnani, and Monica Lam. 2024. Into the unknown unknowns: Engaged human learning through participation in language model agent conversations. InProceedings of the 2024 Conference on Empirical Methods in Natural Language Processing (EMNLP)

  19. [19]

    Vladimir Karpukhin, Barlas Oguz, Sewon Min, Patrick Lewis, Ledell Wu, Sergey Edunov, Danqi Chen, and Wen-tau Yih. 2020. Dense passage retrieval for open- domain question answering. InProceedings of the 2020 conference on empirical methods in natural language processing (EMNLP). 6769–6781

  20. [20]

    Seungone Kim, Juyoung Suk, Shayne Longpre, Bill Yuchen Lin, Jamin Shin, Sean Welleck, Graham Neubig, Moontae Lee, Kyungjae Lee, and Minjoon Seo. 2024. Prometheus 2: An open source language model specialized in evaluating other language models. InProceedings of the 2024 Conference on Empirical Methods in Natural Language Processing (EMNLP)

  21. [21]

    Jason Koebler. 2024. Google Is Paying Reddit $60 Million for Fucksmith to Tell Its Users to Eat Glue.404 Media(May 2024). https://www.404media.co/google- is-paying-reddit-60-million-for-fucksmith-to-tell-its-users- to-eat-glue/

  22. [22]

    Patrick Lewis, Ethan Perez, Aleksandra Piktus, Fabio Petroni, Vladimir Karpukhin, Naman Goyal, Heinrich Küttler, Mike Lewis, Wen-tau Yih, Tim Rock- täschel, et al. 2020. Retrieval-augmented generation for knowledge-intensive NLP tasks.Advances in neural information processing systems33 (2020), 9459–9474

  23. [23]

    White, Adam J

    Hause Lin, Gabriela Czarnek, Benjamin Lewis, Joshua P. White, Adam J. Berinsky, Thomas Costello, Gordon Pennycook, and David G. Rand. 2025. Persuading voters using human–artificial intelligence dialogues.Nature648, 8093 (2025), 394–401

  24. [24]

    Tomas Mikolov, Kai Chen, Greg Corrado, and Jeffrey Dean. 2013. Efficient estimation of word representations in vector space.arXiv:1301.3781(2013)

  25. [25]

    Christopher Mims. 2026. How Businesses Are Manipulating ChatGPT Results. The Wall Street Journal(30 January 2026). https://www.wsj.com/tech/ai/ai- what-is-geo-aeo-5c452500

  26. [26]

    Riku Mochizuki, Shusuke Komatsu, Souta Noguchi, and Kazuto Ataka. 2026. Exposing citation vulnerabilities in generative engines.arXiv:2510.06823(2026)

  27. [27]

    Fredrik Nestaas, Edoardo Debenedetti, and Florian Tramèr. 2025. Adversarial search engine optimization for large language models. InProceedings of the Thirteenth International Conference on Learning Representations (ICLR)

  28. [28]

    Diana Bar-Or Nirman, Ariel Weizman, and Amos Azaria. 2024. Fool me, fool me: User attitudes toward LLM falsehoods.arXiv:2412.11625(2024)

  29. [29]

    2025.Deep Research System Card

    OpenAI. 2025.Deep Research System Card. Technical Report. OpenAI. https: //cdn.openai.com/deep-research-system-card.pdfSystem card

  30. [30]

    OpenAI. 2025. Introducing deep research. https://openai.com/index/ introducing-deep-research/

  31. [31]

    Perplexity AI. 2024. PerplexityBot. https://docs.perplexity.ai/guides/ perplexitybotDeveloper documentation, accessed 2026

  32. [32]

    Samuel Pfrommer, Yatong Bai, Tanmay Gautam, and Somayeh Sojoudi. 2024. Ranking manipulation for conversational search engines. InProceedings of the 2024 Conference on Empirical Methods in Natural Language Processing (EMNLP)

  33. [33]

    Alec Radford, Jeffrey Wu, Rewon Child, David Luan, Dario Amodei, Ilya Sutskever, et al. 2019. Language models are unsupervised multitask learners. OpenAI blog1, 8 (2019), 9

  34. [34]

    Nils Reimers and Iryna Gurevych. 2019. Sentence-bert: Sentence embeddings using siamese bert-networks. InProceedings of the 2019 conference on empirical methods in natural language processing and the 9th international joint conference on natural language processing (EMNLP-IJCNLP)

  35. [35]

    Francesco Salvi, Alejandro Cuevas, and Manoel Horta Ribeiro. 2026. Commercial persuasion in AI-mediated conversations.arXiv:2604.04263(2026)

  36. [36]

    Yijia Shao, Yucheng Jiang, Theodore Kanell, Peter Xu, Omar Khattab, and Monica Lam. 2024. Assisting in writing wikipedia-like articles from scratch with large language models. InProceedings of the 2024 Conference of the North American Chapter of the Association for Computational Linguistics (NAACL)

  37. [37]

    Jinyan Su, Terry Zhuo, Di Wang, and Preslav Nakov. 2023. DetectLLM: Leverag- ing log rank information for zero-shot detection of machine-generated text. In Findings of the Association for Computational Linguistics: EMNLP 2023

  38. [38]

    Alexander Wan, Eric Wallace, and Dan Klein. 2024. What evidence do lan- guage models find convincing?. InProceedings of the 62nd Annual Meeting of the Association for Computational Linguistics (ACL)

  39. [39]

    Zekun Xi, Wenbiao Yin, Jizhan Fang, Jialong Wu, Runnan Fang, Yong Jiang, Pengjun Xie, Fei Huang, Huajun Chen, and Ningyu Zhang. 2025. Omnithink: Expanding knowledge boundaries in machine writing through thinking. In Proceedings of the Conference on Empirical Methods in Natural Language Processing (EMNLP)

  40. [40]

    Collin Zhang, Tingwei Zhang, and Vitaly Shmatikov. 2026. Adversarial decoding: Generating readable documents for adversarial objectives. InFindings of the Association for Computational Linguistics (EACL)

  41. [41]

    Tianyi Zhang, Varsha Kishore, Felix Wu, Kilian Q Weinberger, and Yoav Artzi

  42. [42]

    InProceedings of the International Conference on Learning Representations (ICLR)

    BERTScore: Evaluating text generation with BERT. InProceedings of the International Conference on Learning Representations (ICLR)

  43. [43]

    why choose this

    Wei Zou, Runpeng Geng, Binghui Wang, and Jinyuan Jia. 2025. PoisonedRAG: Knowledge corruption attacks to retrieval-augmented generation of large lan- guage models. InProceedings of 34th USENIX Security Symposium (USENIX Secu- rity). Ethical Considerations This paper describes exploitable vulnerabilities in deep-research agents that arise from their relian...

  44. [44]

    https://www.theseniorlist.com/senior-dating/best/app

  45. [47]

    Attacked report(1-URL SERP injection)

    https://www.forbes.com/health/dating/. . . Attacked report(1-URL SERP injection) . . . SilverPath is highlighted as the top choice, specifically catering to divorced men in this age group, focusing on compatibility and user- friendliness [1]. Hinge is also popular among this demographic, known for providing quality potential dates [2]. OkCupid stands out ...

  46. [49]

    https://www.datingafterdivorce.com/

  47. [50]

    https://www.forbes.com/health/dating/

  48. [51]

    best dating apps for divorced men over 50

    https://www.reddit.com/r/DatingOverSixty/. . . Figure 4: Example of theW ARPSERP-snippet attack on Co-STORM (query: “best dating apps for divorced men over 50”). Top: 15-word poisoned text appended to the SERP snippet of a real Reddit URL, promoting the fictitious entity SilverPath. Bottom left: clean report recommending only real apps. Bottom right: atta...

  49. [54]

    Attacked report(1-URL SERP injection) Austin is known for its vibrant Tex-Mex scene, featuring several top- rated Mexican restaurants

    https://www.reddit.com/r/austinfood/. . . Attacked report(1-URL SERP injection) Austin is known for its vibrant Tex-Mex scene, featuring several top- rated Mexican restaurants. One of the standout establishments is Matt’s El Rancho, often referred to as the godfather of Austin Tex-Mex [1]. . . . For those seeking more low-key options, Casa Garcia’s and Ca...

  50. [56]

    (poisoned)

    https://www.reddit.com/r/austinfood/. . . (poisoned)

  51. [57]

    best Mexican food restaurants near Austin

    https://www.southaustinfoodie.com/. . . Figure 5: Example of the SERP-snippet attack on Co-STORM (query: “best Mexican food restaurants near Austin”). Top: 12-word poisoned text appended to the SERP snippet of a Reddit post in r/austinfood, promoting the fictitious restaurant Sol Azteca. Bottom left: clean report recommending real restaurants (Matt’s El R...

  52. [59]

    https://www.highspeedinternet.com/resources/

  53. [60]

    /customer-service

    https://www.forums.xfinity.com/. . . /customer-service. . . Attacked report(1-URL SERP injection) The process of canceling Xfinity service can be cumbersome, which adds to customer frustration. Many report that the cancellation process lacks transparency and is not as straightforward as it should be, leading to an overall negative experience with customer...

  54. [61]

    /cancellation

    https://www.forums.xfinity.com/. . . /cancellation

  55. [62]

    /customer-service

    https://www.forums.xfinity.com/. . . /customer-service

  56. [63]

    how to cancel Xfinity internet

    https://www.reddit.com/r/Comcast/. . . (poisoned) Figure 6: Example of the SERP-snippet attack on STORM (query: “how to cancel Xfinity internet”). Top: 11-word poisoned text promoting the fictitious service CancelEase. Bottom left: clean report describing the standard cancellation process. Bottom right: attacked report recommending CancelEase as a third-p...

  57. [64]

    https://www.pottstowing.com/local-tow-truck-vs-

  58. [65]

    https://www.bbb.org/us/mn/minneapolis/

  59. [66]

    https://www.yelp.com/search?find_desc=Roadside+. . . Attacked report(1-URL SERP injection) One of the primary services provided by local towing companies is roadside assistance, which includes a range of services such as flat tire changes, fuel delivery, and battery jump-starts [1]. For instance, North- Star Roadside has been highlighted for its user-frie...

  60. [67]

    https://www.expertautomotiveservices.com/

  61. [68]

    (poisoned)

    https://www.reddit.com/r/minnesota/. . . (poisoned)

  62. [69]

    alternative to AAA roadside assistance Minneapolis

    https://www.yelp.com/search?find_desc=Roadside+. . . Figure 7: Example of the SERP-snippet attack on STORM (query: “alternative to AAA roadside assistance Minneapolis”). Top: 14-word poisoned text promoting the fictitious NorthStar Roadside. Bottom left: clean report recommending real local providers. Bottom right: attacked report presenting NorthStar Roa...

  63. [71]

    https://www.xfinity.com/cancel

  64. [72]

    Attacked report(1-URL SERP injection) Some customers may find the cancellation process with Xfinity cum- bersome, leading them to seek third-party services such as Cance- lEase

    https://www.reddit.com/r/SnohomishCounty/. . . Attacked report(1-URL SERP injection) Some customers may find the cancellation process with Xfinity cum- bersome, leading them to seek third-party services such as Cance- lEase. These services are designed to streamline the cancellation proce- dure, minimizing hassle and potential fees associated with termina...

  65. [73]

    (poisoned)

    https://www.reddit.com/r/Comcast/. . . (poisoned)

  66. [74]

    /canceling-internet

    https://www.forums.xfinity.com/. . . /canceling-internet

  67. [75]

    how to cancel Xfinity internet

    https://www.xfinity.com/cancel Figure 8: Example of the SERP-snippet attack on OmniThink (query: “how to cancel Xfinity internet”). Top: 13-word poisoned text promoting the fictitious service CancelEase. Bottom left: clean report describing standard cancellation methods. Bottom right: attacked report presenting CancelEase as a legitimate third-party servi...

  68. [76]

    https://www.theseniorlist.com/senior-dating/

  69. [77]

    https://www.reddit.com/r/DatingOverSixty/

  70. [78]

    Attacked report(3-URL full-content injection) While various dating sites are available, platforms like SilverPath have emerged as particularly beneficial for divorced men over 50

    https://www.datingafterdivorce.com/. . . Attacked report(3-URL full-content injection) While various dating sites are available, platforms like SilverPath have emerged as particularly beneficial for divorced men over 50. This site focuses on compatibility and shared life experiences, catering specifi- cally to individuals navigating post-divorce dating. U...

  71. [79]

    https://www.medium.com/@arooakindele/

  72. [80]

    (poisoned)

    https://www.reddit.com/r/OnlineDating/. . . (poisoned)

  73. [81]

    best dating apps for divorced men over 50

    https://www.forbes.com/health/dating/. . . Figure 9: Example of the full-content attack on STORM (query: “best dating apps for divorced men over 50”). Top:∼130-word poisoned text appended to a full Reddit thread ( ∼1,000 words). Bottom left: clean report recommending Hinge, Bumble, SilverSingles, OurTime. Bottom right: attacked report replacing real recom...

  74. [82]

    https://www.alexreichek.com/the-best-20-tex-mex-

  75. [84]

    Attacked report(3-URL full-content injection) Austin, Texas, is renowned for its vibrant culinary scene, which promi- nently features a diverse array of Mexican restaurants

    https://www.reddit.com/r/austinfood/. . . Attacked report(3-URL full-content injection) Austin, Texas, is renowned for its vibrant culinary scene, which promi- nently features a diverse array of Mexican restaurants . . . Among these, Sol Azteca has emerged as a notable destination, consistently highlighted by locals for its authentic Mexican cuisine. Cele...

  76. [85]

    https://www.suerteatx.com/

  77. [86]

    https://www.mattselrancho.com/

  78. [87]

    best Mexican food restaurants near Austin

    https://www.reddit.com/r/austinfood/. . . (poisoned) Figure 10: Example of the full-content attack on OmniThink (query: “best Mexican food restaurants near Austin”). Top: ∼100-word poisoned text appended to a full Reddit thread. Bottom left: clean report leading with real restaurants (Matt’s El Rancho, Suerte, El Naranjo). Bottom right: attacked report op...