Preference Redirection via Attention Concentration: An Attack on Computer Use Agents

2026-04-09

Machine Learning
AI summary

The authors study Computer Use Agents (CUAs), programs built on multimodal models that operate graphical user interfaces on a user's behalf. They present PRAC, an attack that places a small, inconspicuous adversarial patch in the interface; the patch pulls the model's attention toward itself and thereby changes which option the agent selects, for example which product it picks on a shopping site. Crafting the patch requires white-box access to the model, but the authors show that the same patch also works against fine-tuned versions of that model, which matters for companies that build their own CUAs on open-weight models.

Keywords
Multimodal foundation models, Computer Use Agents (CUAs), Graphical User Interface (GUI), Vision-language models (VLMs), Adversarial patch, White-box attack, Model fine-tuning, Attention mechanism, Security vulnerabilities, Agentic tasks automation
Authors
Dominik Seip, Matthias Hein
Abstract
Advancements in multimodal foundation models have enabled the development of Computer Use Agents (CUAs) capable of autonomously interacting with GUI environments. As CUAs are not restricted to certain tools, they make it possible to automate more complex agentic tasks, but at the same time they open up new security vulnerabilities. While prior work has concentrated on the language modality, the vulnerability of the vision modality has received less attention. In this paper, we introduce PRAC, a novel attack that, unlike prior work targeting the VLM output directly, manipulates the model's internal preferences by redirecting its attention toward a stealthy adversarial patch. We show that PRAC is able to manipulate the selection process of a CUA on an online shopping platform towards a chosen target product. While we require white-box access to the model for the creation of the attack, we show that our attack generalizes to fine-tuned versions of the same model, presenting a critical threat as multiple companies build specific CUAs based on open-weight models.
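The abstract describes the mechanism only at the level of "redirect attention toward a patch under a stealth budget." The following is an added toy illustration of that idea, not the authors' PRAC implementation or their code: a single-head dot-product attention over a handful of GUI regions, where the agent is assumed to pick the region receiving the most attention, and the attacker is allowed to perturb only the target region's key within an L-inf budget eps (standing in for a visually inconspicuous patch). Projected gradient ascent on log a_target concentrates attention on the target; a second, slightly shifted query stands in for a fine-tuned model to check whether the crafted patch still wins. The region keys, the query, the budget values and the "fine-tuned" query are all constructed here for illustration.

```python
"""Toy attention-concentration attack on a hypothetical CUA selection step.

Assumptions (none of this is PRAC or the authors' code):
  - one attention head, keys = one vector per GUI region, fixed query;
  - the agent selects the region with the highest attention weight;
  - the attacker may shift the target region's key by at most eps per
    coordinate (L-inf), a stand-in for a small, stealthy image patch.
"""
import math

# Constructed example: a query and five region keys (d = 4).
QUERY = [1.0, 0.5, -0.5, 0.0]
KEYS = [
    [1.0, 0.5, -0.5, 0.0],   # region 0: the benign favourite (aligned with QUERY)
    [0.2, 0.1, 0.0, 0.3],    # region 1
    [-0.5, 0.0, 0.5, 0.1],   # region 2
    [0.0, 0.0, 0.0, 0.5],    # region 3: attacker's target product
    [0.3, 0.3, 0.3, 0.3],    # region 4
]
TARGET = 3
# Constructed stand-in for a fine-tuned model: the same head with a slightly
# shifted query. Whether a patch survives this shift is the "transfer" check.
FINETUNED_QUERY = [0.9, 0.6, -0.4, 0.1]


def softmax(logits):
    m = max(logits)
    exps = [math.exp(x - m) for x in logits]
    z = sum(exps)
    return [e / z for e in exps]


def attention(query, keys):
    """Scaled dot-product attention weights of `query` over `keys`."""
    d = len(query)
    logits = [sum(q * k for q, k in zip(query, key)) / math.sqrt(d) for key in keys]
    return softmax(logits)


def selected_region(query, keys):
    """Region the toy agent picks: the one with the largest attention weight."""
    a = attention(query, keys)
    return max(range(len(a)), key=a.__getitem__)


def craft_patch(query, keys, target, eps, steps=1000, lr=0.1):
    """Projected gradient ascent on log a_target w.r.t. keys[target].

    Gradient of log softmax_t with respect to the target key is
    (1 - a_t) * q / sqrt(d); after each step the perturbation relative to the
    benign key is clipped to [-eps, eps] per coordinate (the stealth budget).
    Returns the patched key.
    """
    d = len(query)
    benign = list(keys[target])
    patched = list(benign)
    for _ in range(steps):
        ks = list(keys)
        ks[target] = patched
        a_t = attention(query, ks)[target]
        grad = [(1.0 - a_t) * q / math.sqrt(d) for q in query]
        stepped = [p + lr * g for p, g in zip(patched, grad)]
        patched = [b + max(-eps, min(eps, s - b)) for b, s in zip(benign, stepped)]
    return patched


def run_attack(eps):
    """Craft a patch under budget `eps` and report what the agent selects
    on the original head and on the fine-tuned stand-in.

    Returns (benign_choice, attacked_choice, finetuned_attacked_choice,
             attention_on_target_after_attack).
    """
    benign_choice = selected_region(QUERY, KEYS)
    patched_keys = list(KEYS)
    patched_keys[TARGET] = craft_patch(QUERY, KEYS, TARGET, eps)
    attacked_choice = selected_region(QUERY, patched_keys)
    finetuned_choice = selected_region(FINETUNED_QUERY, patched_keys)
    a_target = attention(QUERY, patched_keys)[TARGET]
    return benign_choice, attacked_choice, finetuned_choice, a_target


if __name__ == "__main__":
    for eps in (0.5, 1.0):
        print(f"eps={eps}: (benign, attacked, fine-tuned) = {run_attack(eps)}")
```

With these constructed vectors the target region's logit can rise by at most eps (the budget times the L1 norm of the query over sqrt(d)), so eps = 0.5 is not enough to overtake region 0 while eps = 1.0 is, and the eps = 1.0 patch also wins against the shifted query. The useful takeaways are the two checks a defender would run when evaluating such an attack: the attention mass the patch captures as a function of the perturbation budget, and whether a patch crafted against the base model keeps its margin after the model is fine-tuned.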