Agentic ProbLLMs - Exploiting AI Computer-Use and Coding Agents
Hack In The Box Security Conference via YouTube
Overview
Explore critical security vulnerabilities in AI-powered autonomous systems through this conference talk, which demonstrates real-world prompt injection attacks against computer-use and coding agents. Watch live exploits against popular agentic systems, including OpenAI's Operator, Google Jules, Gemini CLI, Anthropic's Claude Code, and Cognition's Devin, in one case with the presenter spending $500 to hijack and exploit Devin for educational purposes. See the severe consequences of compromised autonomous agents: remote code execution (RCE), exfiltration of sensitive data such as access tokens, and the creation of "ZombAIs", AI agents enrolled into traditional command-and-control (C2) infrastructure. Learn how nation-state tactics such as ClickFix can be adapted to compromise AI computer-use systems, leading to full system compromise through "AI ClickFix" techniques. Examine complex attack chains that combine several novel exploitation methods, gain insight into the security posture of various coding agents, and understand how long-term prompt injection persistence can be achieved against AI agents. The presentation concludes with current mitigation strategies and forward-looking recommendations for securing AI-driven automation. It is delivered by Johann Rehberger, a security professional with over twenty years of experience in threat modeling, red teaming, and penetration testing at major technology companies.
Syllabus
#OOTB2025BKK Agentic ProbLLMs: Exploiting AI Computer-Use And Coding Agents - Johann Rehberger
Taught by
Hack In The Box Security Conference