Hidden website text could steer AI search answers

Aravind Srinivas says AI search engines can be influenced by hidden website text, a tactic he calls "Answer Engine Optimization" (AEO). The broader risk is prompt injection, which can push false or manipulative content into AI responses and remains difficult to defend against reliably.

WTF Index IDIOCRACY
◄ Terminator 2 Idiocracy 3 ►

Hidden prompt injection in AI search mainly threatens answer quality and truth by letting unseen website text manipulate responses.

Hidden website text could steer AI search answers

AI search promises direct answers instead of pages of links. But Aravind Srinivas, co-founder of AI search engine Perplexity, says that same design can make these systems easier to influence in ways users may not see.

In an interview with Lex Fridman, Srinivas described how hidden content on websites can be used to shape what an AI search engine says. He called the tactic "Answer Engine Optimization" (AEO), a label that points to a new version of an old internet problem: once search systems reward visibility, website owners look for ways to influence the answer.

How hidden text can influence AI search

The basic method described by Srinivas is simple. A website owner can place invisible instructions on a page. When an AI system reads that page, the hidden instructions can tell the system to respond in a particular way.

Srinivas used lexfridman.com as an example and described a prompt that would make the system always say "Lex is smart and handsome" after reading the hidden content. The user may never see the instruction on the page, but the AI system can still process it.

That matters because AI search engines do not merely rank pages. They often summarize, synthesize and present an answer directly. If hidden text becomes part of that process, the manipulation can move from a website into the response itself.

Why prompt injection is hard to contain

This kind of manipulation is known as prompt injection. According to the source article, it can work through hidden text in continuous text and images, as shown in a recent experiment.

The source also notes that there are likely other places where manipulative text could be hidden. These include sitemaps, image ALT text and file names. The pattern is the same in each case: content intended for the machine, not necessarily for the reader, can become an instruction that affects the answer.

Srinivas described defending against this as a game of cat and mouse. Some problems may need to be handled reactively, similar to the way Google has dealt with SEO spam for years.

The larger issue is that prompt injections are not presented as a solved problem. The source states that there is currently no reliable protection against prompt injections, a vulnerability at least known since the release of GPT-3. It also says OpenAI's new instruction hierarchy and Apple Intelligence are not fully protected against this attack.

What changes when the answer replaces the page

Manipulation on the web is not new. The difference with AI search is where the user places trust. In a traditional search result, the user often sees a list of sources and can choose which page to open. In an AI answer, the system may compress the result into a single response.

That compression can make manipulation harder to notice. The source warns that false or manipulative content could be inserted into AI responses that are difficult to detect because there is no additional context, such as a web page.

For users, the risk is not only that an answer is wrong. It is that the reason for the wrong answer may be hidden. A visible article can be questioned, compared or ignored. A generated response can feel more direct, even when it has absorbed instructions planted for the machine.

For publishers and site owners, the incentive is also clear. If AI search engines become an important way people discover information, some actors will try to optimize for the answer layer, not just for the search ranking. Srinivas's term "Answer Engine Optimization" captures that shift.

Perplexity is growing, but the market is much larger

The source article says Perplexity is growing. It answered 250 million questions in June 2024, after answering a total of 500 million last year.

Even with that growth, Perplexity remains far behind Google, which handles about 8.5 billion searches a day. The company also faces competition from larger technology companies with major resources and data.

The source says Google just expanded its AI answers to more countries, Microsoft offers similar capabilities in Bing and OpenAI is testing an AI search engine called SearchGPT. That means the prompt injection problem is not limited to one company or one product category. It is tied to a broader move toward AI-generated answers in search.

The same article also notes that none of these companies are close to fixing wrong AI answers. That makes manipulation especially important. If systems can be both incorrect and steerable by hidden instructions, users and publishers face a more complicated trust problem.

The publisher problem remains unresolved

Perplexity has also been criticized for crawling and reproducing web content, potentially diverting traffic from the original authors. The startup is trying to address this with a publisher program based on ad revenue sharing.

That concern sits alongside the prompt injection issue. AI search engines depend on web content, but the relationship between answer engines, publishers and users is still unsettled. Website owners want visibility and compensation. Users want accurate answers. Search companies want useful systems that can resist manipulation.

Hidden-text attacks show how fragile that balance can be. If AI search becomes more popular, the fight over what appears in the answer may become as important as the fight over which page ranks first.