arXiv submission date: 2026-04-09
📄 Abstract - Preference Redirection via Attention Concentration: An Attack on Computer Use Agents

Advancements in multimodal foundation models have enabled the development of Computer Use Agents (CUAs) capable of autonomously interacting with GUI environments. Because CUAs are not restricted to a fixed set of tools, they make it possible to automate more complex agentic tasks, but at the same time they open up new security vulnerabilities. While prior work has concentrated on the language modality, the vulnerability of the vision modality has received less attention. In this paper, we introduce PRAC, a novel attack that, unlike prior work targeting the VLM output directly, manipulates the model's internal preferences by redirecting its attention toward a stealthy adversarial patch. We show that PRAC is able to manipulate the selection process of a CUA on an online shopping platform towards a chosen target product. While we require white-box access to the model to create the attack, we show that the attack generalizes to fine-tuned versions of the same model, presenting a critical threat as multiple companies build specific CUAs on top of open-weight models.

Top-level tags: agents, computer vision, model evaluation
Detailed tags: adversarial attack, multimodal agents, attention manipulation, security vulnerability, GUI interaction

Preference Redirection via Attention Concentration: An Attack on Computer Use Agents

1️⃣ One-sentence summary

This paper proposes a new attack method named PRAC, which misleads the visual attention of a computer use agent by planting a stealthy adversarial patch in the graphical interface, thereby manipulating the agent's choices in tasks such as online shopping. The attack remains effective even when the agent model has been fine-tuned, revealing a new security vulnerability in the vision modality of agents built on multimodal large models.

Source: arXiv: 2604.08005