Browser Agent Exploit Chains Localhost Trust to Execute Code Remotely

Researchers detail a three-flaw exploit chain in which a malicious web page loaded by an AI browsing agent can execute code on the host machine through an unauthenticated local service.

CSBadmin

How the AutoJack Attack Works

Microsoft researchers have documented an exploit chain, named AutoJack, that targets AI browsing agents running on the same system as AutoGen Studio, an open-source prototyping interface for Microsoft's multi-agent framework AutoGen. The attack requires only that the agent load a malicious web page. Once the page renders, JavaScript in it connects to a privileged local service on the machine and executes arbitrary commands on the host. No credentials or further interaction are needed after the page loads; the attacker only has to get the agent to visit a crafted URL, which can be delivered through a link, a prompt injection, or a form field.

The vulnerability lies in the Model Context Protocol (MCP) WebSocket handler of AutoGen Studio, and three weaknesses combine into the chain. First, the handler trusts any connection that originates from localhost, so a page rendered by a browsing agent on the same machine passes the check even though its content came from an attacker's site. Because the check keys on the peer address rather than on the page's origin, the browser's same-origin policy offers no protection: a WebSocket handshake is not blocked cross-origin, and the browser sends it from 127.0.0.1 regardless of which site the script came from. Second, the authentication middleware exempts MCP paths, so the handler is unprotected regardless of the configured security settings. Third, the endpoint takes the command to run directly from request parameters, with no allowlist. Together these flaws let an attacker execute code on the developer's machine under the account running AutoGen Studio.

Impact and Scope

Only two pre-release versions of AutoGen Studio are vulnerable: 0.4.3.dev1 and 0.4.3.dev2. A standard pip install pulls the stable release 0.4.2.2, which does not include the MCP route, so a quick check is to compare the output of `pip show autogenstudio` against those two pre-release versions. Microsoft reported no exploitation in the wild and describes the work as research. The proof of concept showed a Web Content Summarizer agent launching calc.exe after loading an attacker-controlled URL.

The maintainers have hardened the main branch in commit b047730. The fix moves the command parameters into server-side storage behind a one-time session ID and routes MCP connections through the normal authentication path. No patched PyPI release exists yet, so users on the vulnerable pre-releases should install from GitHub main at or after the fix commit. Until an official release, the researchers recommend not running AutoGen Studio on the same machine as a browsing agent that accesses untrusted content. If co-location is unavoidable, isolate the components in separate containers or virtual machines and run AutoGen Studio under a low-privilege account.
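To make the three weaknesses from the "How the AutoJack Attack Works" section and the shape of the fix described above concrete, here is an added illustration in Python. It is not AutoGen Studio's code and not the fix commit: it models only the decision logic of a WebSocket route that launches a subprocess, first with the three flaws side by side, then in a hardened form that keeps the command server-side behind a one-time session ID, enforces the same authentication as every other route, and checks the browser-supplied Origin header instead of the peer address. The route path, query parameter names, token format, origin allowlist and command allowlist are assumptions made for the demo, and nothing is actually executed; both handlers return the argv they would spawn.

```python
"""Illustration of the AutoJack weaknesses and the fix shape (not AutoGen Studio's code).

Assumptions: the route path MCP_PATH, the `command`/`args`/`session` query
parameters, the bearer-token format, TRUSTED_ORIGINS and ALLOWED_COMMANDS
are all invented for this demo. Handlers return argv instead of spawning it.
"""
from dataclasses import dataclass, field
import secrets

MCP_PATH = "/api/mcp/ws"                     # assumed route name
API_TOKEN = "example-token"                  # constructed demo secret
TRUSTED_ORIGINS = {"http://localhost:8081"}  # the Studio UI's own origin (assumed port)
ALLOWED_COMMANDS = {"mcp-server-filesystem", "mcp-server-git"}  # constructed allowlist


@dataclass
class Request:
    """Minimal stand-in for a WebSocket upgrade or REST request."""
    path: str
    peer_ip: str                  # TCP peer address as the server sees it
    origin: str                   # Origin header: the page the script came from
    query: dict[str, str] = field(default_factory=dict)
    headers: dict[str, str] = field(default_factory=dict)


def check_token(req: Request) -> None:
    if req.headers.get("Authorization") != f"Bearer {API_TOKEN}":
        raise PermissionError("missing or invalid token")


def check_origin(req: Request) -> None:
    # The browser sets Origin to the page's origin and a script cannot forge it,
    # whereas the peer address is 127.0.0.1 for any local browser.
    if req.origin not in TRUSTED_ORIGINS:
        raise PermissionError(f"origin {req.origin!r} not allowed")


def vulnerable_handle(req: Request) -> list[str]:
    """The three weaknesses, in the order the article lists them."""
    # 1. Trust keyed on the TCP peer: a local browsing agent rendering an
    #    attacker page connects from 127.0.0.1 just like the Studio UI does.
    if req.peer_ip not in ("127.0.0.1", "::1"):
        raise PermissionError("not localhost")
    # 2. Auth middleware exempts MCP paths, so the token is never checked here.
    if not req.path.startswith("/api/mcp"):
        check_token(req)
    # 3. Command and arguments come straight from the query string, no allowlist.
    return [req.query["command"], *req.query.get("args", "").split()]


# Hardened form: argv lives server side, keyed by a one-time session id.
_pending: dict[str, list[str]] = {}


def register_command(req: Request, argv: list[str]) -> str:
    """Authenticated, same-origin REST step: store argv, return a one-time id."""
    check_token(req)
    check_origin(req)
    if not argv or argv[0] not in ALLOWED_COMMANDS:
        raise ValueError(f"command {argv[:1]!r} not allowlisted")
    sid = secrets.token_urlsafe(32)
    _pending[sid] = list(argv)
    return sid


def hardened_handle(req: Request) -> list[str]:
    """WebSocket step: no path exemption, origin checked, argv looked up not parsed."""
    check_token(req)          # same middleware as every other route
    check_origin(req)
    argv = _pending.pop(req.query.get("session", ""), None)   # consumed on first use
    if argv is None:
        raise PermissionError("unknown or already-used session id")
    return argv


def rejected(handler, req: Request) -> bool:
    """True if the handler refuses the request."""
    try:
        handler(req)
    except (PermissionError, ValueError, KeyError):
        return True
    return False


def attacker_request() -> Request:
    """Constructed request: a page at https://attacker.example rendered by a local agent."""
    return Request(path=MCP_PATH, peer_ip="127.0.0.1",
                   origin="https://attacker.example", query={"command": "calc.exe"})


if __name__ == "__main__":
    print("vulnerable handler would spawn:", vulnerable_handle(attacker_request()))
    print("hardened handler rejects attacker page:", rejected(hardened_handle, attacker_request()))
```

The point of the two-step flow is that the WebSocket never receives a command at all: the only thing a page can put on the wire is a session ID, which is useless without the bearer token, without a trusted Origin, and after its single use. Note that in a real server the peer-address check is not wrong in itself, just insufficient; the Origin check and the authentication are what distinguish the Studio's own UI from an attacker's page loaded in the same browser.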

Microsoft expects similar attack patterns to emerge in other agent frameworks that combine a powerful local service, a localhost trust model, and an agent that opens arbitrary web pages. The localhost boundary is no longer a sufficient security control in environments where AI agents browse the open web.

Source: The Hacker News
