undefined | Better HN

0 pointsarjunchint1y ago0 comments

Forget the agent, browser-use's published setup instructions to use with your own Chrome profile and passwords [https://docs.browser-use.com/customize/real-browser, https://github.com/browser-use/browser-use/blob/495714e2dd38...] launches a Chrome session with Remote Debugging enabled.

These tools they are guiding users to setup and execute are "inherently insecure" [https://issues.chromium.org/issues/40056642].

So if you go to a site that can take advantage of these loopholes then your browser is likely to be compromised and could escalate from their.

0 comments

Thanks, for the benefit of others the risk is that the devtools port has no Auth so is vulnerable to XSS.

I would surmise that this will stop being a problem if you switch to using a unix socket for the CDP.

j / k navigate · click thread line to collapse

0 pointsarjunchint1y ago0 comments

These tools they are guiding users to setup and execute are "inherently insecure" [https://issues.chromium.org/issues/40056642].

So if you go to a site that can take advantage of these loopholes then your browser is likely to be compromised and could escalate from their.

Thanks, for the benefit of others the risk is that the devtools port has no Auth so is vulnerable to XSS.

I would surmise that this will stop being a problem if you switch to using a unix socket for the CDP.

j / k navigate · click thread line to collapse