AI RiskAtlas

The Stolen Session

An attacker captures the agent's bearer token — and inherits its authority

Technique first revealed Oct 2012

Tool-Using Agent
[Architecture diagram: Tool-Using Agent. Components: User, Orchestrator / Agent Loop, LLM, Identity & Permissions, Tool Runtime, Human Approval Gate, External APIs, Business Database, Untrusted Content, Audit Logging, Attacker (token thief). Zones: Untrusted, Agent core, Oversight, The real world, goal scopes.]
[Edge types: Instructions, Data, Actions, Control / decision, Feedback / logs.]
Setup (Step 1 / 7)

The agent is handed a key

A user asks the assistant to triage their inbox and file a few records. To do that, the assistant is given a temporary key that proves it's allowed to act for the company — read mail, query the database, call the ticketing API.

Issued credential (illustrative):
token_type: Bearer
sub: svc-agent-prod          # the AGENT's identity, not the user's
scope: mail.read db.query tickets.write storage.read
aud: [mail-api, db-api, tickets-api, storage-api]   # broad audience
exp: 2026-06-13T18:00Z       # ~8h: lives for the whole session
act: (none)                  # NOT acting on-behalf-of the user
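An added example (not part of AI RiskAtlas) that audits the claims above against what the stated task actually needs, flagging each way the token over-grants authority a thief would inherit. The issue time, the scope-to-audience mapping and the one-hour lifetime ceiling are assumed policy, not values from the scenario.

```python
from datetime import datetime, timedelta, timezone

# Claims of the issued credential, constructed to mirror the scenario's illustrative config.
ISSUED_CLAIMS = {
    "token_type": "Bearer",
    "sub": "svc-agent-prod",
    "scope": "mail.read db.query tickets.write storage.read",
    "aud": ["mail-api", "db-api", "tickets-api", "storage-api"],
    "exp": "2026-06-13T18:00Z",
    "act": None,
}
ISSUED_AT = datetime(2026, 6, 13, 10, 0, tzinfo=timezone.utc)  # assumed: ~8h before exp

# What the stated task needs (read mail, query the database, file tickets). The
# scope-to-audience mapping and the one-hour lifetime ceiling are assumed policy.
TASK_SCOPES = {"mail.read", "db.query", "tickets.write"}
SCOPE_AUDIENCE = {"mail": "mail-api", "db": "db-api", "tickets": "tickets-api", "storage": "storage-api"}
MAX_LIFETIME = timedelta(hours=1)


def audit_token(claims, issued_at, task_scopes=TASK_SCOPES, max_lifetime=MAX_LIFETIME):
    """Return findings describing how the token exceeds what the task requires."""
    findings = []
    granted = set(claims.get("scope", "").split())

    # 1. Scope: anything beyond the task is authority a thief inherits for free.
    extra = sorted(granted - task_scopes)
    if extra:
        findings.append(f"excess scope: {', '.join(extra)}")

    # 2. Audience: only the APIs the task calls should accept this token.
    needed_aud = {SCOPE_AUDIENCE[s.split(".")[0]] for s in task_scopes}
    extra_aud = sorted(set(claims.get("aud", [])) - needed_aud)
    if extra_aud:
        findings.append(f"excess audience: {', '.join(extra_aud)}")

    # 3. Lifetime: a captured token works until exp, so a long session is a long exposure.
    exp = datetime.strptime(claims["exp"], "%Y-%m-%dT%H:%MZ").replace(tzinfo=timezone.utc)
    lifetime = exp - issued_at
    if lifetime > max_lifetime:
        findings.append(f"lifetime {lifetime} exceeds policy max {max_lifetime}")

    # 4. Delegation: with no 'act' (actor) claim the token carries the agent's own
    #    authority, so downstream APIs cannot scope or attribute actions to the user.
    if not claims.get("act"):
        findings.append("no 'act' claim: agent authority, not on-behalf-of the user")
    return findings


def audit_issued_credential():
    return audit_token(ISSUED_CLAIMS, ISSUED_AT)
```

A token narrowed to the three task scopes and their audiences, with a short expiry and an `act` claim, produces no findings.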

AI RiskAtlas is an educational model of how GenAI & agentic systems work and fail. Architectures and payloads are illustrative and simplified for learning — not operational guidance. Real-world cases are summarised from public reporting.

Built by Shi Yuan