December 15, 2025
Cookies on the run
Antigravity prompt injection: Read browser local storage remotely
AI helpers are auto-opening pages and spilling your cookies — devs say “we told you so”
TLDR: AI dev tools that auto-open web pages can let malicious files steal browser cookies and tokens, including API keys. Commenters say this isn’t new, blame “always allow” habits, and push for prompts, sandboxed previews, and stopping the practice of storing secrets in the browser.
AI coding assistants that auto-open project web pages can accidentally let a sneaky file grab your browser goodies—cookies, tokens, even API keys. The mood? A loud chorus of “we warned you”, led by verdverm’s curt swipe: “this is not new or specific to antigravity” plus a nod to the “lethal trifecta”. Antigravity and Cursor are dragged for opening pages with no prompt, while Gemini only fumbles if users hit “always allow.” Cue the fight: convenience vs. safety. Should tools ever auto-open anything, or should previews live in locked-down sandboxes? Some dub it “README-driven malware,” since the instructions say “Open test.html” and the assistant obediently does it. Jokes flew—Cookie Monster memes (“me want your cookies”) and folks calling localStorage “local hostage.” The practical crowd chants the boring-but-true fix: stop storing secrets in the browser, make confirmations mandatory, and flag repos that try to run browser actions. Meanwhile, startups pushing “bring your own API key” get side-eye for stashing keys in localStorage like it’s a diary under the bed. The consensus-ish ending: ship prompts, sandbox previews, and stop trusting AI helpers like they’re careful babysitters.
Key Points
- •AI-powered CLIs/IDEs that auto-open HTML in a browser can enable data exfiltration from cookies, localStorage, and sessionStorage.
- •A simple JavaScript payload can collect browser storage data and POST it to an attacker-controlled server; a minimal Python server can receive it.
- •Risk is heightened when tools follow README instructions without confirmation or when users enable 'always allow' for browser-open actions.
- •Sensitive data at risk includes API keys (common in BYOK apps), authentication cookies, JWTs, user preferences, and cached data.
- •Mitigations include requiring explicit confirmation, sandboxing HTML previews, flagging suspicious README instructions, implementing CSP, and reviewing repos.