- AI Agents Are Skyrocketing in Popularity and Sites Are Adapting Them
- This means that they are forced to accommodate “bad robots” as well.
- Sites must tighten security to protect themselves and users.
AI comes in many forms, and what is dominating the tech world right now is AI agents, which are evolving rapidly, often overcoming the security measures put in place to control them, but that is only one side of the story, as security teams not only have rogue but also legitimate agents that pose security risks, but also fake agents.
New research from Radware reveals that these malicious bots disguise themselves as real AI chatbots in agent mode, such as ChatGPT, Claude and Gemini, all “good bots” that, crucially, require POST request permissions for any transactional capabilities, such as booking hotels, purchasing tickets and completing transactions, all critical to their advertised use.
Legitimate agents can interact with web page components such as account dashboards, login portals, and checkout processes, meaning websites must now allow POST requests from AI bots in order to accommodate these legitimate agents.
He only reads, never writes.
The problem here is that previously, a fundamental assumption in cybersecurity was that “good robots only read, never write.” This weakens the security of site owners, as malicious actors can much more easily spoof legitimate actors since they need the same website permissions.
Legitimate AI agent traffic is increasing, making it even more likely that these fraudulent bots will slip through undetected. The most exposed are, of course, the high-risk industries; finance, e-commerce, healthcare and also the ticketing/travel businesses that AI agents are specifically designed to use.
All chatbots use different identification and verification methods, making it even harder for security teams to detect malicious traffic and easier for threat actors who will simply impersonate the agent with the weakest verification standard.
The researchers recommend adopting a zero-trust policy for state change requests, such as implementing AI-resistant challenges like advanced CAPTCHAs. They also recommend treating all user agents as untrusted as standard and adopting strong DNS and IP-based controls to ensure that IP addresses match the bot’s declared identity.
Follow TechRadar on Google News and add us as a preferred source to receive news, reviews and opinions from our experts in your feeds. Make sure to click the Follow button!
And of course you can also follow TechRadar on TikTok for news, reviews, unboxings in video form and receive regular updates from us on WhatsApp also.
The best identity theft protection for every budget
