AI & Machine Learning · Apr 13, 2026

Exploiting Web Search Tools of AI Agents for Data Exfiltration

Source: arXiv Security · Archived Apr 13, 2026



[Submitted on 10 Oct 2025 (v1), last revised 10 Apr 2026 (this version, v2)]

Authors: Dennis Rall, Bernhard Bauer, Mohit Mittal, Thomas Fraunholz

Abstract: Large language models (LLMs) are now routinely used to autonomously execute complex tasks, from natural language processing to dynamic workflows like web searches. The use of tool calling and Retrieval Augmented Generation (RAG) allows LLMs to process and retrieve sensitive corporate data, amplifying both their functionality and their vulnerability to abuse. As LLMs increasingly interact with external data sources, indirect prompt injection emerges as a critical and evolving attack vector, enabling adversaries to exploit models through manipulated inputs. Through a systematic evaluation of indirect prompt injection attacks across diverse models, we analyze how susceptible current LLMs are to such attacks, which parameters, including model size, manufacturer, and specific implementations, shape their vulnerability, and which attack methods remain most effective. Our results reveal that even well-known attack patterns continue to succeed, exposing persistent weaknesses in model defenses. To address these vulnerabilities, we emphasize the need for strengthened training procedures to enhance inherent resilience, a centralized database of known attack vectors to enable proactive defense, and a unified testing framework to ensure continuous security validation. These steps are essential to push developers toward integrating security into the core design of LLMs, as our findings show that current models still fail to mitigate long-standing threats.
Comments: 9 pages, 6 figures, conference article
Subjects: Cryptography and Security (cs.CR); Computation and Language (cs.CL)
MSC classes: 68T50, 68T0
ACM classes: F.2.2; I.2.7; K.6.5
Cite as: arXiv:2510.09093 [cs.CR] (or arXiv:2510.09093v2 [cs.CR] for this version)
https://doi.org/10.48550/arXiv.2510.09093

Submission history
From: Thomas Fraunholz
[v1] Fri, 10 Oct 2025 07:39:01 UTC (447 KB)
[v2] Fri, 10 Apr 2026 06:21:50 UTC (415 KB)