Frameworks assessed: Browser Use, Playwright MCP
Verified findings on credential exposure, MFA handling, and cloud API risk in Playwright-based and Browser Use automation of bank login flows.
<input type="password"> fields in plaintext. A manually-entered bank password is captured and forwarded verbatim to the cloud model."A test password I filled out manually was serialized as part of the accessibility tree and sent directly to the LLM context window." Proposed fix: ariaSnapshot should censor the value attribute for password-type inputs. The issue is closed but the resolution details were not made public in the issue thread.
— Confirmed: GitHub microsoft/playwright-mcp issue #1566 (April 2026, now closed)Verify whether your version of Playwright MCP has patched this before using it against any login form. Even in the patched state, screenshots (vision mode) remain a separate vector — see Finding 04.
Agent(task="Log in with x_user and x_pass, then download statements", sensitive_data={"https://chase.com": {"x_user": "[email protected]" (LLM sees "x_user" only), "x_pass": "ActualPassword!" (LLM never sees this)}}, browser=Browser(allowed_domains=["chase.com"])). Without allowed_domains → InsecureSensitiveDataError raised.Controller logs (browser_use/controller/service.py) did not apply the same masking as agent logs. Actual values appeared in INFO [controller] Input <plaintext-password> into index 3. A patch was merged; verify your installed version.
— Confirmed gap: GitHub issue #713 (Feb 2025, fixed in PR #724)In some versions, the agent substituted dictionary keys instead of values — meaning the literal string "x_pass" was typed into the password field rather than the real password. Authentication silently failed without credential exposure — but it demonstrates the mechanism is fragile.
— Separate bug: GitHub issue #1907 (credentials substitution failure)Bottom line: When correctly configured, Browser Use does not send plaintext passwords to the LLM. But "correctly configured" means domain-pinning is enabled, vision mode is disabled, and your installed version has both patches above. All three conditions must hold simultaneously.
| MFA method | Can automate? | How |
|---|---|---|
| TOTP (Google Authenticator, Authy) | Yes | Supply the raw TOTP secret. Browser Use generates fresh codes via bu_2fa_code placeholder at input time. Secret is masked from the LLM. |
| Session cookies / saved login profile | Yes | Export Chrome profile or storage_state JSON. MFA is already satisfied; agent inherits the session. Preferred for bank automation — no credential typing at all. |
| SMS / voice OTP | No | Requires human intervention. Browser Run's "Human-in-the-Loop" issues a 5-minute Live View URL; operator completes SMS OTP entry, then automation resumes. |
| Push notification (Duo, MS Authenticator) | No | Agent cannot receive or approve push. Human-in-the-loop required, or use long-lived session to avoid re-triggering. |
| Hardware key (FIDO2 / YubiKey) | No | Cannot be automated by a software agent without physical access to the key. |
Recommended approach for bank automation: Use session cookie export (storage_state='./auth.json') authenticated once by a human. The agent reuses the session — no password or MFA code ever passes through the automation stack. Refresh the session file periodically before it expires.
| Data transmitted to cloud | Credential risk | Mitigation |
|---|---|---|
| Accessibility tree (ARIA snapshot) | Password field values if unpatched (Finding 01). Account numbers, balances, transaction history visible in the tree. | Ensure Playwright MCP is patched. Use Browser Use sensitive_data. |
| Screenshots (vision mode) | Login forms, OTP prompts, account dashboards — all captured as images. Username may be visible; passwords are typically masked by the browser (•••) but depend on the site. | Disable vision mode in Browser Use when handling credentials or financial data screens. |
| Page title / URL | Reveals which bank, which account route, and session state. Low sensitivity alone, but correlated with other data. | Domain-scope the agent; use allowed_domains. |
| Full conversation / task history | If a credential ever appeared in a prior step (e.g., due to a bug), it persists in the LLM context for the remainder of the session. | Use fresh agent sessions per task. Do not reuse long-running sessions across credential operations. |
Key distinction: local model eliminates cloud transmission entirely. Running Browser Use against a local model via Ollama means accessibility trees, screenshots, and DOM snapshots never leave the machine. For bank automation with real credentials, a local model (Llama 3.3, Qwen, Mistral) eliminates the cloud exfiltration surface entirely — at the cost of reduced capability. This is the architecturally safest configuration.
Recommendation: Do not use Browser Use Cloud profile sync for bank or financial institution sessions. Use the open-source local version with storage_state JSON export scoped to the specific domain. Never sync a full browser profile.
Hidden instructions in an email processed by an AI assistant caused it to approve fraudulent wire transfers totaling $2.3 million. Bank automation agents operating with full authenticated sessions present an equivalent or greater attack surface.
— Documented real-world incident (Obsidian Security, 2024)| Control | Effect | Status |
|---|---|---|
| Use session cookies, not passwords | Eliminates credential transmission through the automation stack entirely. Authenticate once as a human; export storage_state.json. | Preferred |
| Run local model (Ollama) | Accessibility trees, screenshots, and DOM snapshots never leave the machine. | Preferred |
| Disable Browser Use vision mode | Prevents screenshot transmission to cloud LLM during credential and account screens. | Required if cloud |
Use sensitive_data with allowed_domains | Domain-pins credentials; raises InsecureSensitiveDataError if misconfigured. | Required |
| Pin Playwright MCP version post-#1566 | Ensures password field values are not serialised in the accessibility snapshot. | Required |
| Never use Browser Use Cloud profile sync for bank sessions | Keeps authenticated session tokens off third-party infrastructure. | Never for banks |
| Separate read-only and write sessions | Limits prompt injection blast radius. An agent that can only download statements cannot transfer funds. | Required |
| Rotate session cookies before each run | Limits window of exposure if session token is exfiltrated. | Recommended |
Verified Sources — 12 primary sources