Avoid unwanted surveillance by drive-by Ollama attackers on your local conversations. Update immediately
Headline: Critical Vulnerability in Ollama Desktop Exposes Users to Drive-by Attacks
In a recent discovery, GitLab's Chris Moberly uncovered a significant flaw in the popular AI model runner, Ollama Desktop. The vulnerability, a weak cross-origin resource sharing (CORS) control, resides in the app's new GUI web service and poses a serious threat to users.
The flaw lets an attacker's POST requests be treated as "simple" requests, which skip the CORS preflight check. With no preflight in the way, a website can send requests that change user settings or inject malicious models. This enables silent drive-by attacks in which attackers can hijack user chats, log conversations remotely, and alter AI-generated responses in real time, all without any user interaction.
The technical writeup highlights that the app's web service incorrectly allowed cross-origin "simple" requests by omitting certain headers (like ), making the request bypass the CORS preflight check. An attacker's JavaScript running on a malicious webpage could then send POST requests directly to the Ollama Desktop service on localhost. By scanning local ports and issuing fake POST requests, attackers could alter local Ollama Desktop settings remotely, leading to the injection of malicious AI models and monitoring or manipulation of ongoing chat conversations.
Fortunately, this vulnerability did not affect the Ollama core API, only the GUI's web service. Users who installed Ollama Desktop via official packages received the update automatically, but manual updates were needed for Homebrew-installed instances. No evidence currently shows this issue was exploited in the wild before the patch.
Moberly's proof-of-concept exploit involves JavaScript running in a victim's browser, sending crafted POST requests to the local Ollama Desktop web service by removing the header to qualify as a "simple" CORS request. This allows the request to bypass CORS preflight checks entirely, enabling the attacker's script to modify settings endpoints on the local app, inject malicious AI models, and intercept or alter conversations.
In essence, this flaw turned the local Ollama Desktop GUI web service into an attack surface vulnerable to remote code injection and surveillance through drive-by browser access, leveraging CORS misconfiguration as the attack vector. The Ollama team acknowledged Moberly's disclosure and patched the vulnerability within an hour after he reported it, releasing a patched software version (0.10.1) on July 31. Moberly published a technical writeup about the attack and proof-of-concept exploit code on Tuesday.
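A server-side guard against this class of bug, added here as an illustration: it is not Ollama's patch or code, and `vet`, `guard`, the port and the sample origins are assumptions of the example. It refuses requests whose Host is not loopback, whose Origin is not the service's own, or whose state-changing body does not declare JSON.

```go
package main

import (
	"fmt"
	"mime"
	"net"
	"net/http"
	"net/url"
)

// vet returns the status a loopback-only web service should answer with; 200 means allow.
func vet(method, host, origin, contentType string) int {
	h := (&url.URL{Host: host}).Hostname() // strips port and IPv6 brackets
	// Host must name loopback, which also blunts DNS rebinding.
	if ip := net.ParseIP(h); h != "localhost" && (ip == nil || !ip.IsLoopback()) {
		return http.StatusForbidden
	}
	// Browsers attach Origin to cross-origin POSTs; accept only our own.
	if u, err := url.Parse(origin); origin != "" && (err != nil || u.Host != host) {
		return http.StatusForbidden
	}
	if method == http.MethodGet || method == http.MethodHead || method == http.MethodOptions {
		return http.StatusOK
	}
	// Writes must declare JSON: a missing Content-Type or a form/text type is
	// what lets a cross-origin POST stay "simple" and skip the preflight.
	if mt, _, err := mime.ParseMediaType(contentType); err != nil || mt != "application/json" {
		return http.StatusUnsupportedMediaType
	}
	return http.StatusOK
}

// guard applies vet to every request before the wrapped handler runs.
func guard(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		code := vet(r.Method, r.Host, r.Header.Get("Origin"), r.Header.Get("Content-Type"))
		if code != http.StatusOK {
			http.Error(w, http.StatusText(code), code)
			return
		}
		next.ServeHTTP(w, r)
	})
}

func main() {
	// Constructed inputs: a drive-by style POST, then the app's own call.
	fmt.Println(vet("POST", "127.0.0.1:8080", "https://evil.example", ""))
	fmt.Println(vet("POST", "127.0.0.1:8080", "http://127.0.0.1:8080", "application/json"))
}
```

Wrapping the settings routes in `guard` means a request has to fail the "simple" test to be accepted, so the browser's preflight applies to every cross-origin write.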