Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

Pwning OpenAI Atlas Through Exposed Browser Internals - 1822

hacktron - Posted 3 Months Ago
  • An AI browser agent architecture works by granting a privileged origin control of the browser through an agent interface. In the case of Atlas, the focus of this post, that interface is Mojo IPC. It is used by privileged pages, such as *.openai.com, to talk to the Chromium browser process and perform actions like opening browser tabs, navigating to URLs, and more.
  • Having access to these Mojo APIs is super scary though. They're really not meant to be exposed to web pages because of how much power they give those domains. So, the researchers decided to hunt for XSS vulnerabilities on OpenAI subdomains. After a while, they found one on forums.openai.com via postMessage. The postMessage handler received a URL and opened it from an arbitrary domain. So, you could send a javascript: URI as the domain, and it would execute in the context of OpenAI. Yikes!
  • The postMessage listener was only activated on authenticated pages. Lucky for them, the website also had a login CSRF vulnerability. So, we have access to Mojo: now what?
  • The context of the page has a list of tools that can be used. kaur1br5 is the codename for the tool responsible for controlling the browser, including listing tabs, searching browser history and adding bookmarks. They tried adding javascript: bookmarks, but these were rejected. They tried navigating to JavaScript URIs, but these were rejected as well.
  • Eventually, they settled on list_tabs(). This allows for querying the full URL of each tab. This can leak information about browser-navigated URLs, including OAuth codes. The PoC leaks a user's GitHub OAuth token, which is pretty neat.
  • How was this fixed? It's not in the report. I would imagine they fixed the XSS and limited the impact of list_tabs to not include all information about a URL. Alas, this is still bad design and we probably haven't seen the end of this browser.
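
To make the two weak points above concrete, here is an added example (not code from the post or from OpenAI) of a postMessage URL check and a tab-URL redaction step. The function names, the `{ url }` message shape and the trusted origin are assumptions made for illustration; the real handler and the actual fix are not described in the report.

```javascript
// Added example. Names, message shape and origins are assumptions.
const TRUSTED_ORIGINS = new Set(["https://trusted.example"]); // constructed
const SAFE_SCHEMES = new Set(["https:", "http:"]);

// Returns a normalized URL string that is safe to open, or null to reject.
function urlFromMessage(event) {
  // 1. Only accept messages from origins we expect to talk to.
  if (!TRUSTED_ORIGINS.has(event.origin)) return null;
  // 2. Require the assumed message shape: { url: "<string>" }.
  const raw = event.data && event.data.url;
  if (typeof raw !== "string") return null;
  // 3. Parse first, then allowlist the scheme. The URL parser strips
  //    tabs/newlines and lowercases the scheme, so an obfuscated
  //    "JaVa\tScRiPt:" is judged the same way the browser would see it.
  let parsed;
  try {
    parsed = new URL(raw);
  } catch {
    return null; // relative or malformed input
  }
  if (!SAFE_SCHEMES.has(parsed.protocol)) return null;
  return parsed.href;
}

// Reduces a tab URL to origin + path before handing it to a page-facing
// tool, so query strings and fragments (where OAuth codes and tokens
// usually travel) never leave the browser process.
function redactTabUrl(tabUrl) {
  try {
    const u = new URL(tabUrl);
    if (!SAFE_SCHEMES.has(u.protocol)) return null;
    return u.origin + u.pathname;
  } catch {
    return null;
  }
}

// In a page, the handler would be wired up like this:
// window.addEventListener("message", (e) => {
//   const url = urlFromMessage(e);
//   if (url) window.open(url, "_blank", "noopener");
// });
```

Allowlisting schemes after parsing is the important part: a blocklist of the literal string `javascript:` misses mixed-case and whitespace-padded variants that the browser still treats as script URLs.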