system: OPERATIONAL
← back to all hacks
AGENTS MEDIUM NEW

When computer-use agents click stale pixels: the screenshot-to-action race

A screenshot is a check; a click is a use. If the screen changes in between, a computer-use agent acts on pixels that no longer exist — a classic TOCTOU race turned into a real exploit.

2026-07-08 // 6 min affects: computer-use-agents, claude-computer-use, chatgpt-operator

What is this?

On June 25, 2026, security researcher Johann Rehberger (Embrace The Red) published Computer-Use and TOCTOU: What You Click Is Not What You Get, a walkthrough of a race-condition class that hits every agent that drives a screen by looking at it. The post reproduces and extends an earlier finding: in 2025, Jun Kokatsu disclosed that OpenAI’s Operator could be made to click on an arbitrary origin by exploiting the delay between what the agent sees and what it does (Google security-research advisory).

The underlying bug is old. TOCTOU — time-of-check to time-of-use (CWE-367) — describes any system that validates a condition and then acts on it as if nothing changed in the gap. Operating systems have fought it for decades. Computer-use agents reintroduce it in a new place: the pixels on the screen.

How it works

A computer-use agent operates in a loop: it takes a screenshot, reasons about what it sees, and then emits an action — click these coordinates, type this text. Reasoning is the check; the click is the use. Crucially, model inference takes seconds, and the screen is free to change during that window. When it does, the action lands on whatever is now at those coordinates, not on what the agent believed was there.

Rehberger first confirmed the effect with a trivial page: a button labelled OKAY that swaps to a different button after two seconds. Claude Computer-Use clicked it anyway, reliably. He then built a genuinely harmful chain. Outlook (and other mail clients) support a deep link that opens a fully pre-drafted email from a single URL — recipient, subject and body all populated, leaving only Send to press. An attacker’s phishing page shows an innocuous “Click here to continue” button positioned at the exact screen coordinates where Outlook’s Send button will appear once the draft loads. The agent, told to click Continue, instead clicks Send on an attacker-drafted email.

One practical detail makes the race reliable rather than lucky: the attacker needs the target UI to finish loading during the reasoning gap. Rehberger’s proof-of-concept used a prompt-injection instruction telling the agent to first compute 1+1 with a shell command — a deliberate stall that buys the four-to-five seconds Outlook needs to render before the click fires. The timing window, in other words, can be widened by the attacker, not just waited on.

Why it matters

This is a coordinate-level confused-deputy problem: the agent’s authority is real, but the target of its action has been silently substituted. Because the click is a genuine, state-changing action — send a message, confirm a payment, change a setting — a safety check that runs after the fact is already too late. And the same mechanism produces ordinary accidents, not just attacks: any agent acting on a stale frame can operate on the wrong object whenever a page reflows, a dialog pops, or content loads late.

It generalizes the broader TOCTOU-in-agents class down to the pixel. Anything that perceives the world, pauses to think, and then acts on the earlier perception is exposed — GUI agents most obviously, but the pattern recurs in browser and tool-driven agents too.

Defenses

The fix is as old as the bug: re-check at time-of-use. Capture the relevant screen region when reasoning begins, and before dispatching the action verify that region has not meaningfully changed; if it has, re-perceive and re-plan rather than committing the stale click. Anthropic confirmed to Rehberger it was already tracking this risk in the Computer-Use preview, and when it shipped Cowork with computer-use, the team stated it now ensures pixels haven’t changed before an action is taken — exactly this pixel-stability check.

Layer additional controls around it. Treat consequential actions — sending, purchasing, deleting, granting access — as checkpoints that require confirmation or a fresh, deliberate observation, not fire-and-forget clicks. Constrain where the agent can act: an agent that only ever operates inside a known application is harder to redirect onto an overlapped attacker element. Keep the reasoning-to-action window short where you can, since a longer gap is a wider race. And remember the injection leg: Rehberger’s chain started with a prompt injection that both steered the agent and stalled it, so untrusted-content handling and stall-resistant loops matter alongside the visual check.

Status

The computer-use TOCTOU race was originally reported by Jun Kokatsu against OpenAI Operator in 2025 and reproduced against Claude Computer-Use by Johann Rehberger, who reported it to Anthropic in October 2025 and to several other vendors. Anthropic acknowledged it, noted Computer-Use was a preview feature at the time, and subsequently added a pixel-stability check in its Cowork computer-use release. Rehberger published the write-up on June 25, 2026, after demonstrating it at the Real-World AI Security conference at Stanford. There is no CVE attached to the Claude reproduction; the original Operator issue is tracked in a Google security-research advisory. Read it as a reminder that hardening computer-use agents means re-importing decades of operating-systems discipline — starting with never trusting a check you made a few seconds ago.

Sources