Is ChatGPT Operator vulnerable to race conditions?
Jun Kokatsu discovered a vulnerability in ChatGPT Operator that is essentially a textbook TOCTOU (Time-of-Check to Time-of-Use) race condition. Here is how the breakdown looks from a dev perspective:
1. The Agent "perceives" an environment (like seeing a specific file or a UI button).
2. There is a tiny physical latency window between that perception and the actual execution of the command.
3. An attacker manipulates the state during that millisecond gap.
It’s basically like clicking "Confirm" on a transaction, but by the time the instruction hits the backend, the payload has been swapped to "Delete All."
For anyone building automation workflows or working with "Computer-Use" capabilities, this is a massive red flag. If the Agent's perception and its actions aren't handled atomically, the model is essentially operating on a hallucinated state of reality. It thinks it's doing one thing, but it's actually executing another.
I was looking through some of the experimental data on this, and the success rate for these race condition attacks is surprisingly high when you can control the environmental latency. It turns the Agent's autonomy into its biggest weakness.
If you're building these pipelines, my two cents is: stop obsessing over the LLM's reasoning scores for a second and start looking at your state validation. You need strict checks between the "look" and the "act" phases.
Has anyone else tried replicating these kinds of Agent-based attacks or seen similar race conditions in other autonomous frameworks? Drop your test data or findings in the comments—I'd love to see if the patterns hold up across different models!