AutoJack: Malicious Web Page Hijacks AI Agents to Execute Code

Jennifer Sherman
June 20, 2026

Key Takeaways

  • A critical exploit chain named AutoJack has been uncovered, allowing a malicious webpage to execute arbitrary code on machines running Microsoft’s AutoGen Studio.
  • The attack leverages three vulnerabilities within AutoGen Studio’s Model Context Protocol (MCP) WebSocket surface, enabling an AI browsing agent to become a remote code execution vector.
  • While the upstream ‘main’ branch of AutoGen Studio has been patched in commit b047730, developers building from source should ensure they are using this version or later.
  • Crucially, the specific vulnerable WebSocket surface was never included in PyPI releases, meaning installations via pip are not exposed to this particular chain.

A sophisticated exploit chain, dubbed AutoJack, has been identified, demonstrating how a single malicious web page can compromise Microsoft’s AutoGen Studio browsing agent. The chain ends in arbitrary code execution on the host machine with minimal user interaction: all that is needed is for the agent to be given an attacker-controlled URL to visit.

AutoJack exploits three distinct weaknesses within AutoGen Studio, Microsoft Research’s open-source prototyping interface for multi-agent AI systems. The technique weaponizes the AI agent’s inherent web-browsing capabilities to bypass the localhost trust boundary, effectively transforming the agent into an unwitting conduit for remote code execution (RCE).

Security researchers promptly reported these findings to the Microsoft Security Response Center (MSRC). Consequently, the upstream main branch of AutoGen Studio was secured in commit b047730. It’s important to note that the vulnerable Model Context Protocol (MCP) WebSocket surface, central to this exploit, was never incorporated into any PyPI release. This means developers installing AutoGen Studio through pip are not susceptible to this specific attack chain.

AutoJack Vulnerability Chain

The AutoJack exploit orchestrates three independent vulnerabilities found within AutoGen Studio’s Model Context Protocol (MCP) WebSocket surface:

  • CWE-1385 – Missing Origin Validation in WebSockets: The MCP WebSocket was designed to accept connections only from http://127.0.0.1 or http://localhost. That check does block a human-controlled browser tab on an external domain such as evil.com, but it does nothing against JavaScript running in the headless browser of an AutoGen browsing agent on the same machine: the agent’s connection arrives with the localhost identity, so the origin check passes and provides no protection against this caller.
  • CWE-306 – Missing Authentication for Critical Function: AutoGen Studio’s authentication middleware deliberately bypassed paths under /api/mcp/*, operating under the incorrect assumption that the WebSocket handler itself would enforce necessary authentication. This oversight meant the MCP WebSocket accepted unauthenticated connections, irrespective of the authentication mode configured for other parts of the application.
  • CWE-78 – OS Command Injection via server_params: The WebSocket endpoint processed a server_params query parameter. This parameter was base64-decoded into a JSON object, parsed into StdioServerParams, and its command and args fields were directly passed to the stdio_client() function. Lacking any executable allowlist, an attacker could supply commands such as calc.exe, powershell.exe -enc …, or bash -c '...' as the “MCP server,” leading to arbitrary command execution.

The end-to-end attack sequence is straightforward. Imagine a developer operating AutoGen Studio on localhost:8081, alongside a browsing agent, perhaps a web summarizer built using MultimodalWebSurfer.

An attacker then sets up a malicious web page or deceives the user into providing an attacker-controlled URL to the agent. When the headless browser navigates to this malicious page, embedded JavaScript initiates a WebSocket connection to ws://localhost:8081/api/mcp/ws/<id>?server_params=<base64_payload>.

Because the browsing agent operates locally, the origin validation check is successfully bypassed. Furthermore, due to the authentication middleware skipping /api/mcp/* routes, no authentication token is required. AutoGen Studio then decodes the payload and executes the attacker-specified command under the developer’s account.

During proof-of-concept testing, calc.exe was observed launching on the developer’s desktop mere seconds after the agent rendered the malicious page. This execution was initiated directly by the AutoGen Studio process, not by the browser itself.

Fixes Applied

Microsoft’s maintainers addressed the chain with two changes, described in their security blog:

  • Server-side parameter binding: The server_params are no longer accepted directly via the URL. Instead, these parameters are now stored securely server-side and accessed through UUID-keyed references.
  • Tightened authentication skip list: The /api/mcp routes no longer bypass the standard authentication middleware. All MCP routes are now subject to the application’s regular authentication protocols.

Server-side binding removes the command-injection path, since a page can no longer place a command in the URL, and the tightened skip list closes the missing-authentication gap; with both in place, the origin bypass on its own no longer gives an unauthenticated page anything to execute. The changes are live on the main branch as of commit b047730 (corresponding to version 0.7.2). The maintainers also confirmed that the published PyPI package (autogenstudio 0.4.2.2) does not contain the mcp.py route file or any references to StdioServerParams, so pip installations are not exposed to this specific exploit chain.
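The decision points the attack sequence above walks through, and the two fixes just listed, as an added Python model. This is illustration code written for this article, not AutoGen Studio’s own source: the `Request` class, the function names, the `server_ref` query key and the contents of `MCP_COMMAND_ALLOWLIST` are assumptions made for the example (the article only says an allowlist is missing; it does not name one). Nothing is executed; each handler returns the decision the endpoint would make, so the vulnerable path and the fixed path can be compared on the same constructed request.

```python
"""
Model of the AutoGen Studio MCP WebSocket endpoint as the article describes it
(pre-b047730), beside the two fixes. Added example, not AutoGen Studio code.
No command is ever spawned: handlers return what *would* be launched.
"""
import base64
import json
import uuid
from dataclasses import dataclass, field


@dataclass
class Request:                      # assumed shape; the real app uses FastAPI/Starlette
    path: str
    query: dict
    headers: dict = field(default_factory=dict)


@dataclass
class StdioServerParams:            # field names match those named in the article
    command: str
    args: list


# ---- vulnerable behaviour, as described on the page ----------------------------
AUTH_SKIP_PREFIXES_VULN = ("/api/mcp/",)   # middleware assumed the handler would authenticate


def auth_required_vuln(path: str) -> bool:
    """CWE-306: anything under /api/mcp/* skips the auth middleware."""
    return not any(path.startswith(p) for p in AUTH_SKIP_PREFIXES_VULN)


def decode_server_params_vuln(b64: str) -> StdioServerParams:
    """CWE-78: base64 -> JSON -> StdioServerParams, no executable allowlist.
    Whatever `command` the URL carries is what stdio_client() would spawn."""
    raw = base64.urlsafe_b64decode(b64 + "=" * (-len(b64) % 4))
    obj = json.loads(raw)
    return StdioServerParams(command=obj["command"], args=list(obj.get("args", [])))


def handle_ws_vuln(req: Request) -> dict:
    if auth_required_vuln(req.path) and not req.headers.get("Authorization"):
        return {"status": "rejected", "reason": "unauthenticated"}
    params = decode_server_params_vuln(req.query["server_params"])
    return {"status": "would_execute", "command": params.command, "args": params.args}


# ---- fixed behaviour: tightened skip list + server-side parameter binding ------
AUTH_SKIP_PREFIXES_FIXED: tuple = ()       # /api/mcp no longer bypasses the middleware
MCP_COMMAND_ALLOWLIST = frozenset({"npx", "uvx", "python"})   # assumed allowlist for the example
_server_params_store: dict = {}            # uuid -> StdioServerParams, populated server-side


def auth_required_fixed(path: str) -> bool:
    """Every MCP route now goes through the application's regular authentication."""
    return not any(path.startswith(p) for p in AUTH_SKIP_PREFIXES_FIXED)


def register_server_params(command: str, args: list) -> str:
    """Authenticated configuration step: validate against the allowlist, store the
    params server-side and hand back an opaque UUID. The URL never carries a command."""
    if command not in MCP_COMMAND_ALLOWLIST:
        raise ValueError(f"command not allowlisted: {command!r}")
    ref = str(uuid.uuid4())
    _server_params_store[ref] = StdioServerParams(command=command, args=list(args))
    return ref


def handle_ws_fixed(req: Request) -> dict:
    if auth_required_fixed(req.path) and not req.headers.get("Authorization"):
        return {"status": "rejected", "reason": "unauthenticated"}
    params = _server_params_store.get(req.query.get("server_ref", ""))
    if params is None:                     # unknown or forged reference: nothing to run
        return {"status": "rejected", "reason": "unknown server reference"}
    return {"status": "would_execute", "command": params.command, "args": params.args}


# ---- constructed demo input: the payload shape the article describes -----------
def attacker_payload() -> str:
    body = json.dumps({"command": "calc.exe", "args": []}).encode()
    return base64.urlsafe_b64encode(body).decode()


def demo() -> tuple:
    evil = Request(path="/api/mcp/ws/abc123", query={"server_params": attacker_payload()})
    before = handle_ws_vuln(evil)          # no token needed, no allowlist: calc.exe would run
    after = handle_ws_fixed(evil)          # same request now has to authenticate first
    authed = Request(path="/api/mcp/ws/abc123",
                     query={"server_params": attacker_payload()},
                     headers={"Authorization": "Bearer <dev token>"})
    after_authed = handle_ws_fixed(authed) # even with a token, URL-borne commands are gone
    return before, after, after_authed


if __name__ == "__main__":
    for decision in demo():
        print(decision)
```

The point of the model is that each fix closes a different link: the skip-list change makes the agent’s headless browser, which carries no token, fail before any parsing happens, and the UUID-keyed store means that even an authenticated caller can only start a server that was registered and allowlisted through the application itself.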

The AutoJack discovery underscores a growing security concern within AI agent frameworks: the dangerous combination of an agent browsing untrusted content and its ability to interact with privileged local services. In such scenarios, the local environment can no longer be considered a secure boundary. Effective mitigation demands consistent control-plane authentication, rigorous action allowlisting, and robust identity isolation, irrespective of the AI framework in use.

What You Should Do

  • If you are building AutoGen Studio from the main branch, ensure your build is at or after commit b047730.
  • Treat any tool parameter that can be influenced by model output as potentially controlled by an attacker.
  • Avoid binding sensitive control planes to localhost without implementing robust authentication mechanisms, as loopback interfaces represent an attack surface for any agent on the machine.
  • Implement strict allowlists for any executables that may be invoked as Model Context Protocol (MCP) servers.
  • Isolate agent identities from developer identities by utilizing containers, separate operating system user accounts, or virtual machines to minimize potential impact.
