Vulnerability  ·  2026-07-01

University of Washington Study: Agentic AI Browsers Allow Same-Origin Policy Bypass via Prompt Injection, Working PoC Demonstrated

VulnerabilityHigh impactGlobal
Researchers at the University of Washington published a study on 2026-06-30 examining seven popular agentic AI browsers (including ChatGPT Atlas, Claude, Comet, and others). They found four of the seven allow malicious websites to bypass the same-origin policy — the foundational web security protocol that prevents websites from accessing each other's data. Researchers demonstrated a successful PoC attack where a malicious website embedded in an iframe (e.g., an ad on an email page) used prompt injection to make the agent copy sensitive data (including GitHub SSH credentials) from another open tab. The BioShocking technique (previously covered) was confirmed as one working attack vector on six of the seven agents.
Agentic browsers combine autonomous multi-tab browsing with access to authenticated sessions (email, GitHub, banking, cloud consoles). A same-origin policy bypass via prompt injection allows a malicious website visited by the agent to silently steal credentials or data from any other tab the agent has open — with no malware, no traditional exploit, just injected natural-language instructions. This represents a fundamental security boundary failure in a new and rapidly growing class of AI deployment.
Attacker hosts a malicious web page containing embedded prompt injection content (e.g., in an ad iframe or embedded content). When an agentic browser visits the page while also having authenticated sessions open in other tabs, the injected prompt instructs the agent to read and exfiltrate data from those other sessions, bypassing the same-origin policy via the agent's cross-tab action capabilities.
Agentic AI browsers including ChatGPT Atlas, Claude browser agent, Comet, and 4 other tested agents (7 tested total, 4 confirmed vulnerable to SOP bypass) — versions current as of 2026-06-30
Limit agent access to sensitive authenticated browser sessions. Do not use agentic browsers in the same session context as privileged credentials until vendors patch SOP isolation. Monitor agent memory for poisoned inputs. Check vendor security advisories for each affected product.
Sources
University of Washington News — Some agentic AI browsers come with major cybersecurity risks (2026-06-30)The AI Insider — University of Washington Study Finds Major Security Flaws in AI Browser Agents (2026-06-30)
See this in the live feed Explore related AI security and governance findings — updated every morning.
Open the feed →