ClawJacked Flaw Lets Malicious Sites Hijack Local OpenClaw AI Agents via WebSocket
Briefly

"Our vulnerability lives in the core system itself - no plugins, no marketplace, no user-installed extensions - just the bare OpenClaw gateway, running exactly as documented. The attack assumes a developer has OpenClaw set up and running on their laptop, with its gateway, a local WebSocket server, bound to localhost and protected by a password."
"Any website you visit can open one to your localhost. Unlike regular HTTP requests, the browser doesn't block these cross-origin connections. So while you're browsing any website, JavaScript running on that page can silently open a connection to your local OpenClaw gateway. The user sees nothing."
"Post successful authentication with admin-level permissions, the script stealthily registers as a trusted device, which is auto-approved by the gateway without any user prompt. The attacker gains complete control over the AI agent, allowing them to interact with it, dump configuration data, enumerate connected nodes, and read application logs."
OpenClaw addressed a critical security flaw called ClawJacked that could enable attackers to compromise AI agents running on developers' machines. The vulnerability exploits the gateway's local WebSocket server by allowing malicious JavaScript from visited websites to establish connections to localhost without browser blocking. Attackers can brute-force the gateway password due to missing rate-limiting, then register as trusted devices without user prompts. Once authenticated with admin privileges, attackers gain complete control over the AI agent, accessing configuration data, connected nodes, and application logs. The flaw stems from the gateway relaxing security mechanisms for local connections, creating a significant risk for developers running OpenClaw.
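A defender-side sketch of two gateway checks that address the weaknesses summarized above, given as an added example that is not OpenClaw's code or its actual fix: validate the Origin header on the WebSocket handshake, and lock out repeated failed password attempts with no exemption for loopback peers. The function names, the allowed origin and the thresholds are assumptions made for illustration.

```javascript
// Added example, not OpenClaw code. All names and values are hypothetical.
const ALLOWED_ORIGINS = new Set(["http://localhost:3000"]); // constructed UI origin

// Browsers attach Origin to every WebSocket handshake and page script cannot
// change it, so a cross-site page is identifiable even when it targets localhost.
function originAllowed(headers, allowed = ALLOWED_ORIGINS) {
  const origin = headers["origin"]; // Node lower-cases header names
  if (origin === undefined) return true; // non-browser client: password still required
  return allowed.has(origin);
}

// Failed-auth lockout applied to every peer, loopback included.
class AuthThrottle {
  constructor({ maxFailures = 5, lockMs = 60000 } = {}) {
    this.maxFailures = maxFailures;
    this.lockMs = lockMs;
    this.state = new Map(); // peer address -> { failures, lockedUntil }
  }
  attempt(peer, passwordOk, now = Date.now()) {
    const s = this.state.get(peer) || { failures: 0, lockedUntil: 0 };
    if (now < s.lockedUntil) return "locked"; // refuse even a correct password
    if (passwordOk) { this.state.delete(peer); return "ok"; }
    s.failures += 1;
    if (s.failures >= this.maxFailures) {
      s.lockedUntil = now + this.lockMs;
      s.failures = 0;
    }
    this.state.set(peer, s);
    return "denied";
  }
}

// Decision for one handshake; req = { remoteAddress, headers, passwordOk }.
function handleHandshake(req, throttle, now = Date.now()) {
  if (!originAllowed(req.headers)) return "bad-origin"; // rejected before any password check
  return throttle.attempt(req.remoteAddress, req.passwordOk, now);
}

// Constructed run: 100 wrong guesses from loopback, with and without a foreign Origin.
function simulate(headers) {
  const throttle = new AuthThrottle();
  const counts = {};
  for (let i = 0; i < 100; i++) {
    const r = handleHandshake({ remoteAddress: "127.0.0.1", headers, passwordOk: false }, throttle, i);
    counts[r] = (counts[r] || 0) + 1;
  }
  return counts;
}
```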
Read at The Hacker News