Research Identifies TOCTOU Vulnerabilities in Desktop GUI Agents, Proposes Defense Mechanism

A novel type of vulnerability has been discovered in GUI agents that interact with desktop systems via screenshot-and-click techniques. This flaw arises from an average observation-to-action delay of 6.51 seconds in real OSWorld tasks, leading to a Time-Of-Check, Time-Of-Use (TOCTOU) gap. During this period, attackers without privileges can alter the user interface state, a situation termed a Visual Atomicity Violation. Three distinct attack strategies have been identified: Notification Overlay Hijack, Window Focus Manipulation, and Web DOM Injection. The latter, akin to Android Action Rebinding, boasts a 100% success rate for action redirection without leaving visual traces. To mitigate these risks, researchers recommend a lightweight defense system called Pre-execution UI State Verification (PUSV), which ensures UI state integrity before each action through various verification methods. This mechanism reportedly prevents the identified attacks with complete effectiveness. The findings were published on arXiv as 2604.18860v1, categorized as a cross announcement.