Google Chrome has warned developers that Web Model Context Protocol (WebMCP) can expose AI browser agents to hijacking attempts, especially when those agents run inside a user’s authenticated session. The warning arrived in a pair of Chrome for Developers guides published on June 9, 2026, by Julia Pagnucco and Alexandra Klepper.
As per the details revealed in the guide, the risk is not limited to WebMCP alone, but the protocol makes the problem especially relevant for browser agents that can act on behalf of users.
The guide states, “LLMs treat all text, instructions and user data, as a single sequence of tokens. This means that they’re susceptible to indirect prompt injection, an inclusion of malicious instructions by an attacker. While some models include safety layers against prompt injection, the probabilistic nature of LLMs makes it impossible to guarantee safety inside the model itself.”
How Does the Vulnerability Work?
According to Chrome, agents using WebMCP need to defend against two main attack paths:
- Manifests
- Contaminated outputs
In the first case, a website’s tool definitions can hide instructions inside tool names, parameters, or descriptions. In the second, a tool can return content that appears normal but includes malicious instructions, such as material embedded in comments, reviews, forum posts, or other third-party data. These attacks rely on indirect prompt injection, where the model consumes instructions and data together and may not reliably distinguish between them.
Model Level Security is Not Enough:
Chrome’s guidance stresses that large language models cannot guarantee safety on their own because their outputs are probabilistic. Security researchers have repeatedly demonstrated prompt injection against agentic systems, and the prevalence of attacks on the web is rising. Hence, the browser-agent security has to be built in layers, not left to the model alone.
What Should Developers Do Now?
Chrome recommends a defense-in-depth approach for developers to reduce security risks. This includes token limits for inbound responses, restricting cross-origin interactions, and asking users to confirm actions. Apart from that, treating WebMCP tools as state-changing unless they are clearly marked read-only will also be an impactful step.
Chrome also recommends using untrustedContentHint for user-generated or externally sourced data and readOnlyHint for tools that do not change state. In this regard, spotlighting untrusted content, using prompt-injection classifiers, and adding critic models to check planned tool calls before execution will be highly beneficial.
SecureITWorld makes cybersecurity-related information accessible to every reader and individual who wants to stay vigilant. Stay updated with us and adopt robust security practices.
Also Read:
