Websites fingerprint LLM agents via UI traces with 96% accuracy
Researchers show websites can passively identify which LLM powers a browsing agent by logging UI actions and timing, enabling targeted exploits of known model vulnerabilities.
A new preprint demonstrates that websites can passively identify which large language model drives an autonomous web agent with up to 96% F1 accuracy. The attack relies on a JavaScript tracker that logs the sequence and timing of UI interactions—clicks, form fills, scroll events—as the agent navigates shopping and information-retrieval tasks. Across 14 frontier LLMs and four web environments, researchers trained classifiers that generalise across model sizes and families, meaning a site that has seen GPT-4 traffic can often recognise GPT-4o or Claude Opus on first contact.
The implications are immediate: if a website knows which model you're running, it can serve exploits tuned to that model's documented jailbreaks, prompt-injection vectors, or reasoning blind spots. The team tested defenses and found that injecting random delays between actions degrades classifier performance in the short term, but a retrained classifier largely recovers accuracy once it sees delayed traces in its training set. Strong classifiers required only a handful of interaction traces per model, and agent identity could be inferred early in an episode—often within the first few actions.
The paper, Known By Their Actions: Fingerprinting LLM Browser Agents via UI Traces, was posted May 18, 2026. Authors William Lugoloobi, Samuelle Marro, Jabez Magomere, Joss Wright, and Chris Russell released a labelled corpus of agent traces and the evaluation harness at github.com/KabakaWilliam/known_actions.