{"id":"https://openalex.org/W7123543549","doi":"https://doi.org/10.48550/arxiv.2601.07263","title":"When Bots Take the Bait: Exposing and Mitigating the Emerging Social Engineering Attack in Web Automation Agent","display_name":"When Bots Take the Bait: Exposing and Mitigating the Emerging Social Engineering Attack in Web Automation Agent","publication_year":2026,"publication_date":"2026-01-12","ids":{"openalex":"https://openalex.org/W7123543549","doi":"https://doi.org/10.48550/arxiv.2601.07263"},"language":null,"primary_location":{"id":"doi:10.48550/arxiv.2601.07263","is_oa":true,"landing_page_url":"https://doi.org/10.48550/arxiv.2601.07263","pdf_url":null,"source":{"id":"https://openalex.org/S4306400194","display_name":"arXiv (Cornell University)","issn_l":null,"issn":null,"is_oa":true,"is_in_doaj":false,"is_core":false,"host_organization":"https://openalex.org/I205783295","host_organization_name":"Cornell University","host_organization_lineage":["https://openalex.org/I205783295"],"host_organization_lineage_names":[],"type":"repository"},"license":null,"license_id":null,"version":null,"is_accepted":false,"is_published":false,"raw_source_name":null,"raw_type":"article"},"type":"preprint","indexed_in":["datacite"],"open_access":{"is_oa":true,"oa_status":"green","oa_url":"https://doi.org/10.48550/arxiv.2601.07263","any_repository_has_fulltext":true},"authorships":[{"author_position":"first","author":{"id":"https://openalex.org/A5112096958","display_name":"Xinyi Wu","orcid":"https://orcid.org/0009-0005-2297-2622"},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Wu, Xinyi","raw_affiliation_strings":[],"raw_orcid":null,"affiliations":[]},{"author_position":"middle","author":{"id":"https://openalex.org/A5054807919","display_name":"Geng Hong","orcid":"https://orcid.org/0000-0003-1811-9432"},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Hong, Geng","raw_affiliation_strings":[],"raw_orcid":null,"affiliations":[]},{"author_position":"middle","author":{"id":"https://openalex.org/A5122987833","display_name":"Yueyue Chen","orcid":null},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Chen, Yueyue","raw_affiliation_strings":[],"raw_orcid":null,"affiliations":[]},{"author_position":"middle","author":{"id":"https://openalex.org/A5122945818","display_name":"MingXuan Liu","orcid":null},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Liu, MingXuan","raw_affiliation_strings":[],"raw_orcid":null,"affiliations":[]},{"author_position":"middle","author":{"id":"https://openalex.org/A5122935614","display_name":"Feier Jin","orcid":null},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Jin, Feier","raw_affiliation_strings":[],"raw_orcid":null,"affiliations":[]},{"author_position":"middle","author":{"id":"https://openalex.org/A5074846459","display_name":"Xudong Pan","orcid":"https://orcid.org/0000-0003-1394-0395"},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Pan, Xudong","raw_affiliation_strings":[],"raw_orcid":null,"affiliations":[]},{"author_position":"middle","author":{"id":"https://openalex.org/A5012269735","display_name":"Jiarun Dai","orcid":"https://orcid.org/0009-0002-5636-7808"},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Dai, Jiarun","raw_affiliation_strings":[],"raw_orcid":null,"affiliations":[]},{"author_position":"last","author":{"id":"https://openalex.org/A5101694986","display_name":"Baojun Liu","orcid":"https://orcid.org/0000-0002-9032-8063"},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Liu, Baojun","raw_affiliation_strings":[],"raw_orcid":null,"affiliations":[]}],"institutions":[],"countries_distinct_count":0,"institutions_distinct_count":8,"corresponding_author_ids":[],"corresponding_institution_ids":[],"apc_list":null,"apc_paid":null,"fwci":null,"has_fulltext":false,"cited_by_count":0,"citation_normalized_percentile":null,"cited_by_percentile_year":null,"biblio":{"volume":null,"issue":null,"first_page":null,"last_page":null},"is_retracted":false,"is_paratext":false,"is_xpac":false,"primary_topic":{"id":"https://openalex.org/T11241","display_name":"Advanced Malware Detection Techniques","score":0.2831999957561493,"subfield":{"id":"https://openalex.org/subfields/1711","display_name":"Signal Processing"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},"topics":[{"id":"https://openalex.org/T11241","display_name":"Advanced Malware Detection Techniques","score":0.2831999957561493,"subfield":{"id":"https://openalex.org/subfields/1711","display_name":"Signal Processing"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T12479","display_name":"Web Application Security Vulnerabilities","score":0.20589999854564667,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T11424","display_name":"Security and Verification in Computing","score":0.14169999957084656,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}}],"keywords":[{"id":"https://openalex.org/keywords/exploit","display_name":"Exploit","score":0.6128000020980835},{"id":"https://openalex.org/keywords/social-engineering","display_name":"Social engineering (security)","score":0.6037999987602234},{"id":"https://openalex.org/keywords/attack-surface","display_name":"Attack surface","score":0.5819000005722046},{"id":"https://openalex.org/keywords/context","display_name":"Context (archaeology)","score":0.5019000172615051},{"id":"https://openalex.org/keywords/automation","display_name":"Automation","score":0.49230000376701355},{"id":"https://openalex.org/keywords/web-application-security","display_name":"Web application security","score":0.47189998626708984},{"id":"https://openalex.org/keywords/web-engineering","display_name":"Web engineering","score":0.46070000529289246},{"id":"https://openalex.org/keywords/web-application","display_name":"Web application","score":0.4309000074863434},{"id":"https://openalex.org/keywords/web-modeling","display_name":"Web modeling","score":0.39899998903274536}],"concepts":[{"id":"https://openalex.org/C41008148","wikidata":"https://www.wikidata.org/wiki/Q21198","display_name":"Computer science","level":0,"score":0.6674000024795532},{"id":"https://openalex.org/C165696696","wikidata":"https://www.wikidata.org/wiki/Q11287","display_name":"Exploit","level":2,"score":0.6128000020980835},{"id":"https://openalex.org/C70118762","wikidata":"https://www.wikidata.org/wiki/Q376934","display_name":"Social engineering (security)","level":2,"score":0.6037999987602234},{"id":"https://openalex.org/C38652104","wikidata":"https://www.wikidata.org/wiki/Q3510521","display_name":"Computer security","level":1,"score":0.5950000286102295},{"id":"https://openalex.org/C2776576444","wikidata":"https://www.wikidata.org/wiki/Q303569","display_name":"Attack surface","level":2,"score":0.5819000005722046},{"id":"https://openalex.org/C2779343474","wikidata":"https://www.wikidata.org/wiki/Q3109175","display_name":"Context (archaeology)","level":2,"score":0.5019000172615051},{"id":"https://openalex.org/C115901376","wikidata":"https://www.wikidata.org/wiki/Q184199","display_name":"Automation","level":2,"score":0.49230000376701355},{"id":"https://openalex.org/C59241245","wikidata":"https://www.wikidata.org/wiki/Q4781497","display_name":"Web application security","level":4,"score":0.47189998626708984},{"id":"https://openalex.org/C97200028","wikidata":"https://www.wikidata.org/wiki/Q1196135","display_name":"Web engineering","level":5,"score":0.46070000529289246},{"id":"https://openalex.org/C136764020","wikidata":"https://www.wikidata.org/wiki/Q466","display_name":"World Wide Web","level":1,"score":0.44359999895095825},{"id":"https://openalex.org/C118643609","wikidata":"https://www.wikidata.org/wiki/Q189210","display_name":"Web application","level":2,"score":0.4309000074863434},{"id":"https://openalex.org/C130436687","wikidata":"https://www.wikidata.org/wiki/Q7978591","display_name":"Web modeling","level":3,"score":0.39899998903274536},{"id":"https://openalex.org/C140547941","wikidata":"https://www.wikidata.org/wiki/Q7797194","display_name":"Threat model","level":2,"score":0.39430001378059387},{"id":"https://openalex.org/C2776436953","wikidata":"https://www.wikidata.org/wiki/Q5163215","display_name":"Consistency (knowledge bases)","level":2,"score":0.382099986076355},{"id":"https://openalex.org/C35578498","wikidata":"https://www.wikidata.org/wiki/Q193424","display_name":"Web service","level":2,"score":0.37770000100135803},{"id":"https://openalex.org/C148417208","wikidata":"https://www.wikidata.org/wiki/Q4825882","display_name":"Authentication (law)","level":2,"score":0.30709999799728394},{"id":"https://openalex.org/C503923677","wikidata":"https://www.wikidata.org/wiki/Q2724244","display_name":"Social web","level":3,"score":0.30660000443458557},{"id":"https://openalex.org/C2778355321","wikidata":"https://www.wikidata.org/wiki/Q17079427","display_name":"Identity (music)","level":2,"score":0.30640000104904175},{"id":"https://openalex.org/C79373723","wikidata":"https://www.wikidata.org/wiki/Q386275","display_name":"Web development","level":3,"score":0.3046000003814697},{"id":"https://openalex.org/C65856478","wikidata":"https://www.wikidata.org/wiki/Q3991682","display_name":"Attack model","level":2,"score":0.3021000027656555},{"id":"https://openalex.org/C2777617010","wikidata":"https://www.wikidata.org/wiki/Q18957","display_name":"Mainstream","level":2,"score":0.27900001406669617},{"id":"https://openalex.org/C2129575","wikidata":"https://www.wikidata.org/wiki/Q54837","display_name":"Semantic Web","level":2,"score":0.27489998936653137},{"id":"https://openalex.org/C2779960059","wikidata":"https://www.wikidata.org/wiki/Q7113681","display_name":"Overhead (engineering)","level":2,"score":0.26930001378059387},{"id":"https://openalex.org/C518677369","wikidata":"https://www.wikidata.org/wiki/Q202833","display_name":"Social media","level":2,"score":0.25850000977516174},{"id":"https://openalex.org/C115903868","wikidata":"https://www.wikidata.org/wiki/Q80993","display_name":"Software engineering","level":1,"score":0.25450000166893005},{"id":"https://openalex.org/C196126337","wikidata":"https://www.wikidata.org/wiki/Q821080","display_name":"Mashup","level":4,"score":0.25209999084472656}],"mesh":[],"locations_count":1,"locations":[{"id":"doi:10.48550/arxiv.2601.07263","is_oa":true,"landing_page_url":"https://doi.org/10.48550/arxiv.2601.07263","pdf_url":null,"source":{"id":"https://openalex.org/S4306400194","display_name":"arXiv (Cornell University)","issn_l":null,"issn":null,"is_oa":true,"is_in_doaj":false,"is_core":false,"host_organization":"https://openalex.org/I205783295","host_organization_name":"Cornell University","host_organization_lineage":["https://openalex.org/I205783295"],"host_organization_lineage_names":[],"type":"repository"},"license":null,"license_id":null,"version":null,"is_accepted":false,"is_published":null,"raw_source_name":null,"raw_type":"article"}],"best_oa_location":{"id":"doi:10.48550/arxiv.2601.07263","is_oa":true,"landing_page_url":"https://doi.org/10.48550/arxiv.2601.07263","pdf_url":null,"source":{"id":"https://openalex.org/S4306400194","display_name":"arXiv (Cornell University)","issn_l":null,"issn":null,"is_oa":true,"is_in_doaj":false,"is_core":false,"host_organization":"https://openalex.org/I205783295","host_organization_name":"Cornell University","host_organization_lineage":["https://openalex.org/I205783295"],"host_organization_lineage_names":[],"type":"repository"},"license":null,"license_id":null,"version":null,"is_accepted":false,"is_published":false,"raw_source_name":null,"raw_type":"article"},"sustainable_development_goals":[],"awards":[],"funders":[],"has_content":{"grobid_xml":false,"pdf":false},"content_urls":null,"referenced_works_count":0,"referenced_works":[],"related_works":[],"abstract_inverted_index":{"Web":[0],"agents,":[1],"powered":[2],"by":[3,192],"large":[4],"language":[5],"models":[6],"(LLMs),":[7],"are":[8,147],"increasingly":[9],"deployed":[10],"to":[11,135,150,194,242],"automate":[12],"complex":[13],"web":[14,67,184,219],"interactions.":[15],"The":[16],"rise":[17],"of":[18,50,62,158,230,239],"open-source":[19],"frameworks":[20,146,186],"(e.g.,":[21,167],"Browser":[22],"Use,":[23],"Skyvern-AI)":[24],"has":[25,37],"accelerated":[26],"adoption,":[27],"but":[28],"also":[29],"broadened":[30],"the":[31,48,58,78,83,97,108,112,228,237,243],"attack":[32,79,155,189,241],"surface.":[33],"While":[34],"prior":[35],"research":[36],"focused":[38],"on":[39,196],"model":[40],"threats":[41],"such":[42],"as":[43,212],"prompt":[44],"injection":[45],"and":[46,70,100,125,132,160,187,205,221,246],"backdoors,":[47],"risks":[49],"social":[51,63],"engineering":[52,64],"remain":[53],"largely":[54],"unexplored.":[55],"We":[56,235],"present":[57],"first":[59],"systematic":[60],"study":[61],"attacks":[65],"against":[66],"automation":[68,185],"agents":[69,220],"design":[71],"a":[72,118,201,213,223],"pluggable":[73],"runtime":[74,120,203],"mitigation":[75],"solution.":[76],"On":[77,111],"side,":[80,114],"we":[81,115],"introduce":[82],"AgentBait":[84,211],"paradigm,":[85],"which":[86],"exploits":[87],"intrinsic":[88],"weaknesses":[89],"in":[90],"agent":[91],"execution:":[92],"inducement":[93],"contexts":[94],"can":[95,178],"distort":[96],"agent's":[98],"reasoning":[99],"steer":[101],"it":[102],"toward":[103],"malicious":[104],"objectives":[105],"misaligned":[106],"with":[107,152,172],"intended":[109,133],"task.":[110],"defense":[113],"propose":[116],"SUPERVISOR,":[117],"lightweight":[119,174],"module":[121,177],"that":[122,144],"enforces":[123],"environment":[124],"intention":[126],"consistency":[127],"alignment":[128],"between":[129],"webpage":[130],"context":[131],"goals":[134],"mitigate":[136],"unsafe":[137],"operations":[138],"before":[139,249],"execution.":[140],"Empirical":[141],"results":[142],"show":[143],"mainstream":[145],"highly":[148],"vulnerable":[149],"AgentBait,":[151],"an":[153],"average":[154,197],"success":[156,190],"rate":[157],"67.5%":[159],"peaks":[161],"above":[162],"80%":[163],"under":[164],"specific":[165],"strategies":[166],"trusted":[168],"identity":[169],"forgery).":[170],"Compared":[171],"existing":[173],"defenses,":[175],"our":[176],"be":[179],"seamlessly":[180],"integrated":[181],"across":[182],"different":[183],"reduces":[188],"rates":[191],"up":[193],"78.1%":[195],"while":[198],"incurring":[199],"only":[200],"7.7%":[202],"overhead":[204],"preserving":[206],"usability.":[207],"This":[208],"work":[209],"reveals":[210],"critical":[214],"new":[215],"threat":[216],"surface":[217],"for":[218],"establishes":[222],"practical,":[224],"generalizable":[225],"defense,":[226],"advancing":[227],"security":[229],"this":[231,240],"rapidly":[232],"emerging":[233],"ecosystem.":[234],"reported":[236],"details":[238],"framework":[244],"developers":[245],"received":[247],"acknowledgment":[248],"submission.":[250]},"counts_by_year":[],"updated_date":"2026-06-11T09:08:48.828518","created_date":"2026-01-14T00:00:00"}