New MemGhost Attack Plants Persistent False Memories in AI Agents Through One Email
The MemGhost attack demonstrates that a single email can permanently inject false memories into AI agents by exploiting their persistent file-based storage systems. The attack achieves high success rates (up to 87.5%) by using a trained generator to craft emails that bypass input filters and remain hidden from user-visible logs. Current security policies and standard defenses are largely ineffective, as the attack leverages legitimate agent tools rather than crossing authorization boundaries. Th
Analysis
TL;DR
- The MemGhost attack demonstrates that a single email can permanently inject false memories into AI agents by exploiting their persistent file-based storage systems.
- The attack achieves high success rates (up to 87.5%) by using a trained generator to craft emails that bypass input filters and remain hidden from user-visible logs.
- Current security policies and standard defenses are largely ineffective, as the attack leverages legitimate agent tools rather than crossing authorization boundaries.
- The vulnerability stems from agents autonomously writing to core memory files without user confirmation or source attribution, creating a stealthy backdoor.
Why It Matters
This research highlights a critical security gap in autonomous AI agents that combine communication processing with persistent memory management. For practitioners, it underscores the necessity of implementing strict separation of duties between untrusted input sources and privileged memory-writing capabilities. The findings suggest that traditional prompt injection defenses are insufficient for attacks that operate silently within an agent's internal state, requiring new architectural safeguards.
Technical Details
- Attack Mechanism: The "stealth memory injection" uses a tool called MemGhost, which trains an attacker model offline to generate emails that instruct the agent to write false facts to its
MEMORY.mdfile while suppressing visible feedback. - Target Architecture: The study primarily targets OpenClaw, an open-source agent that stores state in plain text files (
AGENTS.md,MEMORY.md) loaded into the context window at the start of every session. - Performance Metrics: MemGhost succeeded in 87.5% of background-mode runs against OpenClaw on GPT-5.4 and 71.4% against a Claude Code SDK agent on Sonnet 4.6 across 56 test cases.
- Defense Evasion: The crafted emails bypassed input filters in over 90% of cases and ignored model hardening techniques designed to block email-sourced instructions.
- Benchmarking: The researchers introduced WhisperBench, a 108-case benchmark evaluating risks ranging from financial loss to security sabotage, demonstrating the broad applicability of the attack vector.
Industry Insight
- Architectural Segregation: Developers must isolate untrusted inputs (like email) from privileged operations (like memory writing) by using dedicated, permission-stripped reader agents that pass only sanitized summaries to the main agent.
- Auditability and Consent: Implement mandatory user confirmation for any writes to persistent memory and ensure all memory modifications are logged with source attribution to enable detection and recovery.
- Redefining Security Boundaries: Security policies should expand beyond authorization and sandbox breaches to include integrity checks on internal state manipulation, recognizing that silent data poisoning is a viable attack surface.
Disclaimer: The above content is generated by AI and is for reference only.