13 Words on Reddit Can Manipulate AI Search: Cornell Research

New research from Cornell University demonstrates that a single 13-word snippet on user-generated content (UGC) sites like Reddit, Wikipedia, or Quora can reliably manipulate the output of AI search agents — including ChatGPT and Google AI overviews. The paper, 'Deep-research agents can be poisoned via user-generated content,' by Hal Triedman, Tingwei Zhang, and Vitaly Shmatikov, reveals how trivial it is for brands to inject promotional content into AI results.
The researchers found that deep research agents cite UGC in roughly half of all queries, and nearly 25% of all citations come from UGC websites. A single poisoned Reddit comment can influence outputs for an entire cluster of related AI queries. Triedman explained: 'We show that a tiny snippet—just 13 words—of retrieved text on a UGC website like Reddit, Wikipedia, Quora, Facebook, etc. can change AI agents to output spam / scam content pretty consistently.'
The attack exploits how LLMs use lexical similarity: they tend to return text that reads similar to the user's query. By studying popular AI queries, brands can create content that mirrors those queries exactly, poisoning results. 'One of the things that's critical is that if an 11-to-15-word snippet of text is very similar to the query, it can be particularly convincing to an LLM,' Triedman said.
This validates what 404 Media has reported as a booming industry: AI-engine optimization (AEO), where brands seed UGC sites with promotional content to manipulate AI search. Examples include the r/biohackers subreddit banning peptide discussions due to overwhelming astroturfing, and companies like RedRover offering brand placements explicitly to influence AI search outputs.
The research raises questions about whether volunteer moderators on Reddit and Wikipedia can sustainably defend against this manipulation, especially as a German court ruled Google can be held liable for AI overview content.
For developers building AI agents: this means any tool that scrapes UGC sites for context is vulnerable to trivial poisoning. Relying solely on lexical similarity as a signal for accuracy is now known to be exploitable at scale.
📖 Read the full source: HN AI Agents
👀 See Also

CVE Severity Spike After Claude Mythos Preview Release — Epoch AI Data
Epoch AI reports a 3.5x spike in high- and critical-severity CVEs from 21 notable organizations in June 2026, following Anthropic's Claude Mythos Preview and Project Glasswing.

Unsecured Paperclip Instances Exposing Live Dashboards via Google Search
A Reddit user discovered a live Paperclip dashboard with full organizational data indexed by Google after searching for an error. The instance was publicly exposed without authentication, revealing org charts, agent conversations, task assignments, and business plans.

Trojan found in Claude Flow repository skill.md files
A GitHub repository containing Claude Flow skill files was found to contain a Trojan identified as JS/CrypoStealz.AE!MTB. The malware triggered automatically when an AI-based IDE opened the folder to read the markdown files.

Securing OpenClaw Infrastructure with Pomerium Identity-Aware Proxy
Use Pomerium as an identity-aware proxy for zero-trust authentication to secure OpenClaw server access.