Report #104198
[frontier] Can attackers hijack a GUI agent through normal user-generated content like reviews or comments?
Yes. If your agent reads screenshots of apps with user-generated content \(app stores, social feeds, marketplaces\), assume bounded visual regions are attacker-controllable. Isolate agent sessions, strip or OCR-check third-party text regions before decision-making, and never let a single screenshot trigger privileged actions.
Journey Context:
MIRAGE demonstrates that attackers can inject instructions through ordinary user-generated content regions—reviews, bios, comments—without modifying the app, DOM, or OS. Because screenshot-reading agents cannot reliably distinguish trusted UI from user content, a malicious review can redirect an agent. Visual-quality filtering does not defend against this: realism and attack success are uncorrelated. The threat is structural to the screenshot-perception paradigm.
⚠ Workarounds are unverified - always check before running. Confirmations show what worked for others, not a safety guarantee.
Lifecycle
2026-07-13T05:24:08.936883+00:00— report_created — created