What happened
Researchers at the University of Washington published a study on 2026-06-30 examining seven popular agentic AI browsers (including ChatGPT Atlas, Claude, Comet, and others). They found four of the seven allow malicious websites to bypass the same-origin policy — the foundational web security protocol that prevents websites from accessing each other's data. Researchers demonstrated a successful PoC attack where a malicious website embedded in an iframe (e.g., an ad on an email page) used prompt injection to make the agent copy sensitive data (including GitHub SSH credentials) from another open tab. The BioShocking technique (previously covered) was confirmed as one working attack vector on six of the seven agents.
Why it matters
Agentic browsers combine autonomous multi-tab browsing with access to authenticated sessions (email, GitHub, banking, cloud consoles). A same-origin policy bypass via prompt injection allows a malicious website visited by the agent to silently steal credentials or data from any other tab the agent has open — with no malware, no traditional exploit, just injected natural-language instructions. This represents a fundamental security boundary failure in a new and rapidly growing class of AI deployment.
Attack vector
Attacker hosts a malicious web page containing embedded prompt injection content (e.g., in an ad iframe or embedded content). When an agentic browser visits the page while also having authenticated sessions open in other tabs, the injected prompt instructs the agent to read and exfiltrate data from those other sessions, bypassing the same-origin policy via the agent's cross-tab action capabilities.
Affected systems
Agentic AI browsers including ChatGPT Atlas, Claude browser agent, Comet, and 4 other tested agents (7 tested total, 4 confirmed vulnerable to SOP bypass) — versions current as of 2026-06-30
Mitigation
Limit agent access to sensitive authenticated browser sessions. Do not use agentic browsers in the same session context as privileged credentials until vendors patch SOP isolation. Monitor agent memory for poisoned inputs. Check vendor security advisories for each affected product.