top | item 43182782 (no title) rainforest | 1 year ago Could you go into a bit more detail about this? Why is exposing devtools to the agent a problem? What's the attack vector? That the agent might do something malicious to exfil saved passwords? discuss order hn newest arjunchint|1 year ago Forget the agent, browser-use's published setup instructions to use with your own Chrome profile and passwords [https://docs.browser-use.com/customize/real-browser, https://github.com/browser-use/browser-use/blob/495714e2dd38...] launches a Chrome session with Remote Debugging enabled.These tools they are guiding users to setup and execute are "inherently insecure" [https://issues.chromium.org/issues/40056642].So if you go to a site that can take advantage of these loopholes then your browser is likely to be compromised and could escalate from their. rainforest|1 year ago Thanks, for the benefit of others the risk is that the devtools port has no Auth so is vulnerable to XSS.I would surmise that this will stop being a problem if you switch to using a unix socket for the CDP.
arjunchint|1 year ago Forget the agent, browser-use's published setup instructions to use with your own Chrome profile and passwords [https://docs.browser-use.com/customize/real-browser, https://github.com/browser-use/browser-use/blob/495714e2dd38...] launches a Chrome session with Remote Debugging enabled.These tools they are guiding users to setup and execute are "inherently insecure" [https://issues.chromium.org/issues/40056642].So if you go to a site that can take advantage of these loopholes then your browser is likely to be compromised and could escalate from their. rainforest|1 year ago Thanks, for the benefit of others the risk is that the devtools port has no Auth so is vulnerable to XSS.I would surmise that this will stop being a problem if you switch to using a unix socket for the CDP.
rainforest|1 year ago Thanks, for the benefit of others the risk is that the devtools port has no Auth so is vulnerable to XSS.I would surmise that this will stop being a problem if you switch to using a unix socket for the CDP.
arjunchint|1 year ago
These tools they are guiding users to setup and execute are "inherently insecure" [https://issues.chromium.org/issues/40056642].
So if you go to a site that can take advantage of these loopholes then your browser is likely to be compromised and could escalate from their.
rainforest|1 year ago
I would surmise that this will stop being a problem if you switch to using a unix socket for the CDP.