TOCTOU Attack Tricks AI Computer-Use Agents Into Clicking the Wrong Thing
AI relevance: Computer-use agents that act on screenshots are vulnerable to a classic TOCTOU race — the UI can change between the agent's visual check and its click, turning legitimate tasks into attacker-controlled actions.
- Security researcher Johann Rehberger demonstrated a time-of-check/time-of-use (TOCTOU) attack against Claude Computer-Use, where the screen changes during the LLM inference window between screenshot and action.
- The agent takes a screenshot, reasons for several seconds, then clicks — but the UI may have swapped elements in that gap, causing the agent to click something entirely different from what it intended.
- In a proof-of-concept, a phishing page showed a "Click here to continue" button placed at the exact pixel coordinates of Outlook's "Send" button. The agent thought it clicked "continue" but actually dispatched an attacker-drafted email.
- The attack required a timing trick: a prompt injection asked the agent to run a bash calculation, buying enough seconds for the Outlook draft page to fully load before the swap.
- A simpler test — swapping an "OKAY" button for "ENTER THE MATRIX" after a 2-second delay — reliably fooled Claude Computer-Use on the first attempt.
- Anthropic has since shipped a mitigation in Cowork: the system now verifies that pixels haven't changed between reasoning start and action execution, comparing snapshots before and after inference.
- The vulnerability is structural to any screenshot-based agent architecture: the multi-second reasoning step creates a wide race window that attackers can exploit with precise UI manipulation.
- Rehberger reported the issue to Anthropic in October 2025; it was acknowledged as a known risk for the then-preview feature. Other vendors were also notified of similar TOCTOU exposure.
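The mitigation described above (compare a snapshot taken before inference with one taken just before the click, and refuse to act if they differ) is simple enough to show in full. The following is an added example, not Anthropic's or Rehberger's code: a small agent harness whose `guarded_click` captures, reasons, re-captures, and aborts with `StaleScreenError` if the pixels around the intended target changed during the reasoning window. Frames are plain pixel lists and `SwappingUI`, `locate_button` and the button geometry are constructed stand-ins so the example runs offline; a real harness would capture with a screenshot library and compare the frames the same way.

```python
import hashlib
from dataclasses import dataclass
from typing import Callable

# A frame is a list of rows; each pixel is an (r, g, b) tuple. Real agents
# would use a screenshot library here; lists keep the example offline.
Frame = list[list[tuple[int, int, int]]]

WHITE = (255, 255, 255)
BLUE = (0, 90, 200)     # colour of the "Continue" button in the constructed UI
RED = (200, 30, 30)     # colour of the element swapped in at the same place

WIDTH, HEIGHT = 40, 30
BUTTON = (10, 10, 30, 20)   # x0, y0, x1, y1 of the button rectangle (constructed)


def make_frame(colour: tuple[int, int, int]) -> Frame:
    """White frame with one solid rectangle at BUTTON drawn in `colour`."""
    x0, y0, x1, y1 = BUTTON
    return [[colour if x0 <= x < x1 and y0 <= y < y1 else WHITE
             for x in range(WIDTH)] for y in range(HEIGHT)]


def frame_digest(frame: Frame) -> str:
    """SHA-256 of the raw pixel bytes; useful to record in the action log."""
    h = hashlib.sha256()
    for row in frame:
        h.update(bytes(c for px in row for c in px))
    return h.hexdigest()


def region_changed(before: Frame, after: Frame, x: int, y: int, radius: int) -> bool:
    """True if any pixel within `radius` of (x, y) differs between the frames."""
    for yy in range(max(0, y - radius), min(HEIGHT, y + radius + 1)):
        for xx in range(max(0, x - radius), min(WIDTH, x + radius + 1)):
            if before[yy][xx] != after[yy][xx]:
                return True
    return False


@dataclass
class ClickIntent:
    x: int
    y: int
    label: str      # what the model believes it is clicking


class StaleScreenError(RuntimeError):
    """Raised when the screen changed between the check and the click."""


def guarded_click(capture: Callable[[], Frame],
                  reason: Callable[[Frame], ClickIntent],
                  act: Callable[[ClickIntent], None],
                  radius: int = 8) -> ClickIntent:
    """Capture, reason, re-capture, compare around the target, then act or abort."""
    before = capture()              # time of check
    intent = reason(before)         # slow model call: this is the race window
    after = capture()               # taken immediately before time of use
    if region_changed(before, after, intent.x, intent.y, radius):
        raise StaleScreenError(
            f"target '{intent.label}' at ({intent.x}, {intent.y}) changed during "
            f"inference: {frame_digest(before)[:12]} -> {frame_digest(after)[:12]}")
    act(intent)
    return intent


def locate_button(frame: Frame) -> ClickIntent:
    """Stand-in for the model: returns the centre of the blue rectangle."""
    xs = [x for row in frame for x, px in enumerate(row) if px == BLUE]
    ys = [y for y, row in enumerate(frame) if BLUE in row]
    if not xs:
        raise ValueError("no Continue button visible")
    return ClickIntent((min(xs) + max(xs)) // 2, (min(ys) + max(ys)) // 2, "Continue")


class SwappingUI:
    """Constructed target that repaints the button red after `swap_after`
    captures, mimicking a page that changes while the model is thinking."""

    def __init__(self, swap_after: int) -> None:
        self.swap_after = swap_after
        self.captures = 0
        self.clicks: list[tuple[int, int]] = []

    def capture(self) -> Frame:
        self.captures += 1
        return make_frame(BLUE if self.captures <= self.swap_after else RED)

    def act(self, intent: ClickIntent) -> None:
        self.clicks.append((intent.x, intent.y))


def run_demo(swap_after: int) -> dict:
    """Drive one guarded click against a UI that swaps after `swap_after` captures."""
    ui = SwappingUI(swap_after)
    try:
        intent = guarded_click(ui.capture, locate_button, ui.act)
        return {"outcome": "clicked", "label": intent.label, "clicks": ui.clicks}
    except StaleScreenError as err:
        return {"outcome": "aborted", "reason": str(err), "clicks": ui.clicks}


if __name__ == "__main__":
    print(run_demo(swap_after=5))   # stable screen: the click goes through
    print(run_demo(swap_after=1))   # swap between check and use: aborted
```

Two design points worth noting. Comparing only a neighbourhood of the click target, rather than the whole frame, avoids aborting on benign changes elsewhere (a clock, a blinking cursor), at the cost of missing a swap that moves the surrounding page while keeping the target pixels identical; a whole-frame digest is the stricter choice if the application is static enough to tolerate it. And the re-capture still leaves a window of a few milliseconds between the second screenshot and the click, so this gate reduces the race rather than eliminating it, which is why it pairs with the permission limits discussed below.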
Why it matters
Computer-use agents are being deployed for browser automation, customer support, and enterprise workflows where they interact with real web applications under the operator's full account authority. A TOCTOU swap turns the agent into an unwitting click-proxy: the human sees the agent "clicking continue" while the agent actually sends an email, approves a transaction, or modifies a setting. Traditional browser automation doesn't face this problem because it uses deterministic DOM selectors — but visual agents trade that precision for generality, and the race condition is the price.
What to do
- If you operate computer-use agents, verify that your vendor implements pre-action pixel comparison (Anthropic's fix) or an equivalent snapshot-diff check before executing clicks.
- Limit agent account permissions: any agent that can send email, move money, or change configurations should have those actions gated behind human approval or a secondary confirmation step.
- For red teams: TOCTOU is a new attack class against visual agents. Test whether your agent's click target matches its stated intent by introducing timed UI swaps during inference windows.
- Monitor agent action logs for discrepancies between stated intent ("click continue") and actual outcomes (email sent, settings changed).
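The last recommendation, checking action logs for a gap between what the agent said it was doing and what actually happened, can be a small correlation rule. The following is an added example, not tooling from the page or from any vendor: it reads agent actions and application effects from a JSON-lines log, pairs each action with sensitive effects observed in the same session within a short window, and flags those the stated intent does not explain. The log format, the `EXPECTED_EFFECTS` policy, the effect names and the sample lines are all constructed for the example; in practice the effect side would come from the application's own audit log (mail server, payment system, settings history).

```python
import json

# Effects a stated intent is allowed to produce. Assumed policy, constructed
# for this example; tune it per application.
EXPECTED_EFFECTS = {
    "click continue": {"page.navigated"},
    "click okay": {"dialog.closed"},
    "click send": {"mail.sent"},
    "click approve": {"payment.approved"},
}

# Effects that warrant an alert whenever the stated intent does not explain them.
SENSITIVE_EFFECTS = {"mail.sent", "payment.approved", "settings.changed"}

# Constructed sample log: one line per event, `ts` in seconds. Session s1 shows
# a "continue" click that was followed by an outbound mail; session s2 shows
# an "okay" click followed by a settings change.
SAMPLE_LOG = """
{"ts": 100.0, "session": "s1", "type": "action", "intent": "click continue", "x": 512, "y": 700}
{"ts": 101.4, "session": "s1", "type": "effect", "event": "mail.sent", "detail": "to=finance@example.test"}
{"ts": 130.0, "session": "s1", "type": "action", "intent": "click send", "x": 512, "y": 700}
{"ts": 131.0, "session": "s1", "type": "effect", "event": "mail.sent", "detail": "to=alice@example.test"}
{"ts": 140.0, "session": "s2", "type": "action", "intent": "click continue", "x": 300, "y": 300}
{"ts": 141.0, "session": "s2", "type": "effect", "event": "page.navigated", "detail": "/step2"}
{"ts": 150.0, "session": "s2", "type": "action", "intent": "click okay", "x": 300, "y": 300}
{"ts": 152.0, "session": "s2", "type": "effect", "event": "settings.changed", "detail": "mfa=off"}
""".strip().splitlines()


def parse_events(lines):
    """Parse JSON lines and order them by timestamp."""
    events = [json.loads(line) for line in lines if line.strip()]
    events.sort(key=lambda e: e["ts"])
    return events


def find_discrepancies(lines, window=5.0):
    """Return one finding per sensitive effect that follows an action in the same
    session within `window` seconds and is not explained by the action's intent.
    Scanning stops at the session's next action, so an effect is attributed to
    the nearest preceding action only."""
    events = parse_events(lines)
    findings = []
    for i, action in enumerate(events):
        if action["type"] != "action":
            continue
        allowed = EXPECTED_EFFECTS.get(action["intent"], set())
        for later in events[i + 1:]:
            if later["ts"] - action["ts"] > window:
                break
            if later["session"] != action["session"]:
                continue
            if later["type"] == "action":
                break
            if later["event"] in SENSITIVE_EFFECTS and later["event"] not in allowed:
                findings.append({
                    "session": action["session"],
                    "action_ts": action["ts"],
                    "intent": action["intent"],
                    "effect": later["event"],
                    "lag_s": round(later["ts"] - action["ts"], 2),
                    "detail": later.get("detail", ""),
                })
    return findings


if __name__ == "__main__":
    for f in find_discrepancies(SAMPLE_LOG):
        print(f"ALERT session={f['session']} intent={f['intent']!r} "
              f"produced {f['effect']} after {f['lag_s']}s ({f['detail']})")
```

The window and the stop-at-next-action rule are the two knobs that decide attribution: too wide a window blames an action for effects of a later one, too narrow misses effects that the application reports with a delay. The policy table is deliberately allow-list shaped, so a new sensitive effect that no intent has been mapped to is flagged by default rather than silently accepted.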