Security Assessment — Credential Security Research completed June 23, 2026  ·  12 primary sources  ·  Confidential / Internal

Frameworks assessed: Browser Use, Playwright MCP

AI Browser Agent Credential Security

Verified findings on credential exposure, MFA handling, and cloud API risk in Playwright-based and Browser Use automation of bank login flows.

Critical Findings
×2
High Findings
×2
Medium Findings
×1
Informational
×2
SECTION A · FINDINGS 01–02 — PASSWORD FIELD HANDLING

Password Field Handling

Finding 01 — Playwright MCP Critical
TitlePassword values transmitted in plaintext to the LLM via accessibility snapshot.
DetailPlaywright MCP's ariaSnapshot function serialises the full accessibility tree of the active page and sends it to the LLM as context. This tree includes the live value of <input type="password"> fields in plaintext. A manually-entered bank password is captured and forwarded verbatim to the cloud model.
LLM receives# What the LLM context window receives — GitHub issue #1566
accessibility_snapshot: → role: textbox · name: "Password" · value: "MyBankPassword123!" ← plaintext, sent to cloud LLM

"A test password I filled out manually was serialized as part of the accessibility tree and sent directly to the LLM context window." Proposed fix: ariaSnapshot should censor the value attribute for password-type inputs. The issue is closed but the resolution details were not made public in the issue thread.

— Confirmed: GitHub microsoft/playwright-mcp issue #1566 (April 2026, now closed)
Note

Verify whether your version of Playwright MCP has patched this before using it against any login form. Even in the patched state, screenshots (vision mode) remain a separate vector — see Finding 04.

Finding 02 — Browser Use (browser-use/browser-use) High
TitleBrowser Use's sensitive_data feature masks credentials from the LLM — but has documented gaps in controller logs.
DetailBrowser Use implements a deliberate credential isolation mechanism. Developers pass credentials through a sensitive_data dictionary keyed by domain. The LLM only receives placeholder names (x_user, x_pass) and never the actual values. Real values are injected directly into form fields after the LLM has finished reasoning.
PatternBrowser Use — correct implementation pattern: Agent(task="Log in with x_user and x_pass, then download statements", sensitive_data={"https://chase.com": {"x_user": "[email protected]" (LLM sees "x_user" only), "x_pass": "ActualPassword!" (LLM never sees this)}}, browser=Browser(allowed_domains=["chase.com"])). Without allowed_domains → InsecureSensitiveDataError raised.

Controller logs (browser_use/controller/service.py) did not apply the same masking as agent logs. Actual values appeared in INFO [controller] Input <plaintext-password> into index 3. A patch was merged; verify your installed version.

— Confirmed gap: GitHub issue #713 (Feb 2025, fixed in PR #724)

In some versions, the agent substituted dictionary keys instead of values — meaning the literal string "x_pass" was typed into the password field rather than the real password. Authentication silently failed without credential exposure — but it demonstrates the mechanism is fragile.

— Separate bug: GitHub issue #1907 (credentials substitution failure)
Note

Bottom line: When correctly configured, Browser Use does not send plaintext passwords to the LLM. But "correctly configured" means domain-pinning is enabled, vision mode is disabled, and your installed version has both patches above. All three conditions must hold simultaneously.

SECTION B · FINDING 03 — MFA / 2FA HANDLING

MFA / 2FA Handling

Finding 03 — All Frameworks Medium
TitleTOTP can be automated; SMS / push MFA requires human-in-the-loop or is bypassed via session reuse.
DetailMFA handling varies sharply by type. The table below reflects current capabilities across Browser Use, Playwright MCP, and Cloudflare Browser Run.
MFA methodCan automate?How
TOTP (Google Authenticator, Authy)YesSupply the raw TOTP secret. Browser Use generates fresh codes via bu_2fa_code placeholder at input time. Secret is masked from the LLM.
Session cookies / saved login profileYesExport Chrome profile or storage_state JSON. MFA is already satisfied; agent inherits the session. Preferred for bank automation — no credential typing at all.
SMS / voice OTPNoRequires human intervention. Browser Run's "Human-in-the-Loop" issues a 5-minute Live View URL; operator completes SMS OTP entry, then automation resumes.
Push notification (Duo, MS Authenticator)NoAgent cannot receive or approve push. Human-in-the-loop required, or use long-lived session to avoid re-triggering.
Hardware key (FIDO2 / YubiKey)NoCannot be automated by a software agent without physical access to the key.
Note

Recommended approach for bank automation: Use session cookie export (storage_state='./auth.json') authenticated once by a human. The agent reuses the session — no password or MFA code ever passes through the automation stack. Refresh the session file periodically before it expires.

SECTION C · FINDINGS 04–05 — CLOUD API vs. LOCAL MODEL

Cloud API vs. Local Model

Finding 04 — Cloud API Mode Critical
TitleScreenshots, DOM snapshots, and accessibility trees are all sent to the cloud model — and each is a credential leakage vector.
DetailWhen Browser Use or Playwright MCP runs against a cloud LLM (GPT-4o, Claude, Gemini), the following data leaves your machine with every browser interaction step:
Data transmitted to cloudCredential riskMitigation
Accessibility tree (ARIA snapshot)Password field values if unpatched (Finding 01). Account numbers, balances, transaction history visible in the tree.Ensure Playwright MCP is patched. Use Browser Use sensitive_data.
Screenshots (vision mode)Login forms, OTP prompts, account dashboards — all captured as images. Username may be visible; passwords are typically masked by the browser (•••) but depend on the site.Disable vision mode in Browser Use when handling credentials or financial data screens.
Page title / URLReveals which bank, which account route, and session state. Low sensitivity alone, but correlated with other data.Domain-scope the agent; use allowed_domains.
Full conversation / task historyIf a credential ever appeared in a prior step (e.g., due to a bug), it persists in the LLM context for the remainder of the session.Use fresh agent sessions per task. Do not reuse long-running sessions across credential operations.
Note

Key distinction: local model eliminates cloud transmission entirely. Running Browser Use against a local model via Ollama means accessibility trees, screenshots, and DOM snapshots never leave the machine. For bank automation with real credentials, a local model (Llama 3.3, Qwen, Mistral) eliminates the cloud exfiltration surface entirely — at the cost of reduced capability. This is the architecturally safest configuration.

Finding 05 — Cloud Profile Sync High
TitleBrowser Use Cloud profile sync uploads your entire cookie store — including active bank sessions.
DetailBrowser Use Cloud offers a profile sync feature that copies the local Chrome profile (including all cookies, saved passwords, and session tokens) to remote infrastructure via a terminal command. The official documentation confirms: "the agent starts with all your existing sessions and preferences."
ImpactFor banking automation this means live authenticated session tokens for your bank accounts are transmitted to and stored on a third-party cloud service. A compromise of Browser Use Cloud's infrastructure would expose every bank session uploaded. Session cookies for major banks grant full account access until they expire — typically 15–30 minutes for sensitive operations, longer for ambient sessions.
Risk

Recommendation: Do not use Browser Use Cloud profile sync for bank or financial institution sessions. Use the open-source local version with storage_state JSON export scoped to the specific domain. Never sync a full browser profile.

SECTION D · FINDINGS 06–07 — BROADER THREAT LANDSCAPE

Broader Threat Landscape

Finding 06 — Security Research High
TitlePrompt injection via bank page content can redirect an authenticated agent to exfiltrate data or perform unauthorized transactions.
DetailPublished research (arXiv 2505.13076, "The Hidden Dangers of Browsing AI Agents") and the OWASP LLM Top 10 2025 both identify prompt injection through web content as the primary attack vector once an agent is authenticated.
MechanismAn agent browsing a bank's statement page reads page content into its context. If a malicious actor has injected instructions into a transaction description, bill payee name, or memo field, those instructions are fused with the agent's task prompt. The agent cannot reliably distinguish legitimate application instructions from injected adversarial content — a fundamental architectural weakness, not an implementation bug.
OWASPThe OWASP LLM Top 10 2025 lists "Excessive Agency" and "Prompt Injection" as top-two risks for agentic systems. An agent that can both read statements and initiate transfers should have those capabilities separated into distinct, narrowly-scoped sessions.

Hidden instructions in an email processed by an AI assistant caused it to approve fraudulent wire transfers totaling $2.3 million. Bank automation agents operating with full authenticated sessions present an equivalent or greater attack surface.

— Documented real-world incident (Obsidian Security, 2024)
Finding 07 — Credential Leakage in Agent Skills Info
TitleAcademic research confirms systemic credential leakage across LLM agent skill ecosystems.
DetailA large-scale empirical study (arXiv 2604.03070) of LLM agent skill repositories found credentials leaking through multiple channels: direct inclusion in skill documentation, exposure via example inputs in skill definitions, leakage through error messages, and unprotected configuration files. The vulnerabilities map to CWE-200 (Information Exposure) and CWE-798 (Hard-Coded Credentials).
AlsoSeparately, HackTricks documents an "AI Agent Mode Phishing" class of attack: agentic browsers compose prompts by fusing trusted user intent with untrusted page-derived content, creating a path for cross-origin instruction injection that bypasses the web's same-origin policy via the agent's tool-use layer.
SECTION E · REQUIRED CONTROLS — MITIGATION SUMMARY

Minimum controls for production bank automation

ControlEffectStatus
Use session cookies, not passwordsEliminates credential transmission through the automation stack entirely. Authenticate once as a human; export storage_state.json.Preferred
Run local model (Ollama)Accessibility trees, screenshots, and DOM snapshots never leave the machine.Preferred
Disable Browser Use vision modePrevents screenshot transmission to cloud LLM during credential and account screens.Required if cloud
Use sensitive_data with allowed_domainsDomain-pins credentials; raises InsecureSensitiveDataError if misconfigured.Required
Pin Playwright MCP version post-#1566Ensures password field values are not serialised in the accessibility snapshot.Required
Never use Browser Use Cloud profile sync for bank sessionsKeeps authenticated session tokens off third-party infrastructure.Never for banks
Separate read-only and write sessionsLimits prompt injection blast radius. An agent that can only download statements cannot transfer funds.Required
Rotate session cookies before each runLimits window of exposure if session token is exfiltrated.Recommended

Verified Sources — 12 primary sources

[1] microsoft/playwright-mcp #1566 — Password serialized in aria snapshot (Apr 2026) [2] browser-use #713 — Sensitive data exposed in controller logs (Feb 2025) [3] Browser Use — Sensitive Data documentation [4] Browser Use — Web Agent Authentication guide [5] browser-use #1907 — Credential key/value substitution bug [6] arXiv 2505.13076 — Hidden Dangers of Browsing AI Agents (May 2025) [7] arXiv 2604.03070 — Credential Leakage in LLM Agent Skills (Apr 2026) [8] WorkOS — MFA for AI Agents [9] BankInfoSecurity — The MFA Illusion for Non-Human Agents [10] Cloudflare — Browser Run Human-in-the-Loop [11] Obsidian Security — Security for AI Agents [12] OWASP LLM Top 10 2025 — Key Risks