Hijacking OpenAI’s Browsing Agent via the Chrome URL Bar
In late 2025, not long after its release, I found a gap in OpenAI’s Browsing agent that turns a routine checkout flow into a foothold on the agent container. The weak link is the Take it from here feature. When the model hits a task it is not allowed to complete (for example “buy this iPhone on eBay” or “enter my credit card details”), ChatGPT pauses the automation and shows a button that lets the human finish the job. Clicking that button hands you the live Chrome session the agent was using, complete with the same filesystem permissions it relied on during the automated steps. ...