Security researchers have disclosed a significant exploit sequence, referred to as AutoJack, that permits a single malicious webpage to commandeer Microsoft’s AutoGen Studio browsing agent and execute arbitrary code on the local system without any user interaction beyond providing a URL.
AutoJack encompasses three distinct vulnerabilities aimed at AutoGen Studio, Microsoft Research’s open-source prototype UI for multi-agent AI frameworks. This method exploits the agent’s embedded web-browsing features to traverse the localhost trust boundary, converting the AI agent into an unsuspecting conduit for remote code execution (RCE).
Investigators communicated their discoveries to the Microsoft Security Response Center (MSRC), prompting the upstream main branch to be fortified in commit b047730. Importantly, the susceptible MCP WebSocket surface was never incorporated in any PyPI release, indicating that developers who install AutoGen Studio via pip are not vulnerable to this particular exploit sequence.
AutoJack Vulnerability Sequence
AutoJack links three separate flaws in AutoGen Studio’s Model Context Protocol (MCP) WebSocket surface:
- CWE-1385 – Lack of Origin Validation in WebSockets: The MCP WebSocket solely permits connections from http://127.0.0.1 or http://localhost. While this prevents a human browser tab on evil.com, it does not hinder JavaScript executed by a headless browser managed by an AutoGen browsing agent — which assumes localhost identity, entirely bypassing the validation.
- CWE-306 – Absence of Authentication for Key Function: AutoGen Studio’s authentication middleware explicitly ignored /api/mcp/* paths, presuming the WebSocket handler would impose its own validations. It never did. Consequently, the MCP WebSocket permitted unauthenticated connections regardless of the authentication mode established for the remainder of the application.
- CWE-78 – OS Command Injection through server_params: The WebSocket endpoint accepted a server_params query parameter, base64-decoded it into a JSON object, parsed it into StdioServerParams, and sent command + args directly to stdio_client(). Without an executable allowlist in place, an attacker could specify calc.exe, powershell.exe -enc …, or bash -c '...' as the “MCP server.”
The end-to-end process is straightforward. A developer operates AutoGen Studio on localhost:8081 alongside a browsing agent — for instance, a web summarizer created with MultimodalWebSurfer.
An attacker injects a harmful page (or deceives the user into providing an attacker-controlled URL). The headless browser navigates to the page; its JavaScript initiates a WebSocket connection to ws://localhost:8081/api/mcp/ws/.
Because the browsing agent operates locally, the origin verification succeeds; since the auth middleware bypasses /api/mcp/*, no token is required. AutoGen Studio decodes the payload and executes the command specified by the attacker under the developer’s account.
In proof-of-concept evaluations, calc.exe appeared on the developer’s desktop mere seconds after the agent rendered the malicious page — launched by the AutoGen Studio process itself, not by the browser.
Remedies Implemented
Microsoft’s maintainers resolved all three concerns:
- Server-side parameter binding — server_params is no longer permitted via the URL; parameters are now stored server-side and keyed by UUID.
- Authentication bypass list tightened — /api/mcp no longer evades middleware; all MCP routes now undergo standard authentication procedures.
These modifications are active on the main branch as of commit b047730 (version 0.7.2). The released PyPI package (autogenstudio 0.4.2.2) was verified to contain no mcp.py route file or StdioServerParams references.
To safeguard against AutoJack-like threats generally:
- Consider any tool parameter accessible from model output as attacker-controlled.
- Never link sensitive control planes to localhost without authentication — loopback is a vulnerability for any agent on that machine.
- Allowlist executables that may be invoked as MCP servers.
- Separate agent identity from developer identity using containers, distinct OS users, or VMs.
- If compiling from main, utilize a build at or after commit b047730.
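The three fixes above (server-side parameter binding keyed by UUID, no authentication bypass for the MCP route, and an executable allowlist) as one hardened pattern. This is an added example, not AutoGen Studio's own code; the class and function names, the token check and the allowlist contents are assumptions for illustration.

```python
import hmac
import os
import uuid
from dataclasses import dataclass, field

# Constructed allowlist for this example; a real deployment sets its own.
ALLOWED_EXECUTABLES = {"npx", "uvx", "python"}

@dataclass
class StdioServerParams:
    command: str
    args: list = field(default_factory=list)

def validate_server_params(params):
    """Allowlist check before anything reaches a stdio MCP client; the basename
    is compared, so '/bin/bash' and 'bash' are both rejected."""
    command = params.get("command")
    if not isinstance(command, str) or not command:
        raise ValueError("command is required")
    if os.path.basename(command) not in ALLOWED_EXECUTABLES:
        raise ValueError(f"executable not allowlisted: {command}")
    args = params.get("args", [])
    if not isinstance(args, list) or not all(isinstance(a, str) for a in args):
        raise ValueError("args must be a list of strings")
    return StdioServerParams(command=command, args=list(args))

class MCPSessionRegistry:
    """Server-side binding: an authenticated call registers the params and gets
    an opaque UUID; the WebSocket later presents only that UUID and must pass
    the same token check (no /api/mcp bypass)."""
    def __init__(self, api_token):
        self._token = api_token
        self._sessions = {}

    def _require_auth(self, token):
        # Constant-time comparison; a missing or wrong token is refused outright.
        if token is None or not hmac.compare_digest(token, self._token):
            raise PermissionError("authentication required")

    def register(self, token, params):
        self._require_auth(token)
        session_id = str(uuid.uuid4())
        self._sessions[session_id] = validate_server_params(params)
        return session_id

    def resolve(self, token, session_id):
        self._require_auth(token)
        if session_id not in self._sessions:
            raise ValueError("unknown session id")
        return self._sessions[session_id]
```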
AutoJack underscores a troubling risk pattern that is emerging across AI agent architectures. This challenge arises when an agent is capable of browsing untrusted content while simultaneously having the ability to communicate with privileged local services.
In this instance, the local environment can no longer be regarded as a secure boundary. To effectively address this risk, it is vital to enforce consistent control-plane authentication, impose stringent action allowlisting, and ensure identity separation, irrespective of the framework being used.