- AI Agents are skyrocketing in popularity – and sites are accommodating them
- This means they are forced to also accommodate ‘bad bots’
- Sites must tighten security to protect themselves and users
AI comes in many forms, and dominating the tech world right now is AI agents, which are evolving fast, often outpacing the security measures put in place to control them – but that’s just one side of the story, as security teams not only have rogue but legitimate agents posing security risks, but also fake agents.
New research from Radware reveals these malicious bots disguise themselves as real AI chatbots in agent mode, like ChatGPT, Claude, and Gemini – all ‘good bots’ that, crucially, require POST request permissions for any transactional capabilities such as booking hotels, purchasing tickets, and completing transactions – all central to their advertised usage.
Legitimate agents can interact with web page components like account dashboards, login portals, and checkout processes – which means websites now have to allow POST requests from AI bots in order to accommodate these legitimate agents.
Only read, never write
The issue here is that previously, a fundamental assumption in cybersecurity was that ‘good bots only read, never write’. This weakens security for site owners, as malicious actors can much more easily spoof legitimate agents, as they need the same website permissions.
Legitimate AI agent traffic is surging, making it all the more likely that these fraudulent bots will pass through undetected. Most exposed are, of course, the high risk industries; finance, ecommerce, healthcare, and also the ticketing/travel companies AI agents are specifically designed to use.
Chatbots all use different identification and verification methods, making it even more difficult for security teams to detect malicious traffic – and easier for threat actors who will just impersonate the agent with the weakest verification standard.
Researchers recommend adopting a zero-trust policy for state-changing requests, like implementing AI-resistant challenges like advanced CAPTCHAs. They also recommend treating all user-agents as untrustworthy as standard, and adopting robust DNS and IP-based checks to ensure the IP addresses match the bot’s claimed identity.
Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews, and opinion in your feeds. Make sure to click the Follow button!
And of course you can also follow TechRadar on TikTok for news, reviews, unboxings in video form, and get regular updates from us on WhatsApp too.
The best ID theft protection for all budgets
https://cdn.mos.cms.futurecdn.net/2UMvPDp3snEwaGbRuCivjE-970-80.jpg
Source link
