top of page

AutoJack Attack: Web Page Hijacking Enables AI Agent Host Code Execution

  • Jun 20
  • 3 min read

Key Findings


  • Microsoft researchers discovered AutoJack, an exploit chain in AutoGen Studio that allows a single web page to execute arbitrary code on a developer's machine

  • The vulnerability exists in the Model Context Protocol (MCP) WebSocket handler and requires no authentication, credentials, or user interaction beyond the agent loading a malicious URL

  • Vulnerable pre-release builds 0.4.3.dev1 and 0.4.3.dev2 were shipped to PyPI, though the stable release 0.4.2.2 is unaffected

  • The attack chains three separate weaknesses: localhost trust, missing authentication, and unrestricted command execution

  • Patches have been deployed to the GitHub main branch but no fixed PyPI release is available yet

  • Microsoft reports no active exploitation in the wild


Background


AutoGen Studio is an open-source prototyping interface for Microsoft Research's AutoGen multi-agent framework, designed to help developers build and test AI agents that can browse the web and interact with services. The vulnerability affects a specific component called the MCP WebSocket, which handles communication with agents. The flaw does not impact users running the stable version from pip, but affects anyone who installed either of two pre-release builds before they were hardened.


How the Attack Works


The exploit leverages three distinct security gaps in the MCP WebSocket handler. First, the system trusts all localhost connections, assuming only local processes would attempt to access it. However, when a browsing agent runs on the same machine and loads an attacker's web page, that page's JavaScript inherits the agent's localhost identity. Second, the authentication middleware was designed to skip MCP routes entirely, assuming the handler itself would verify access. It never did, leaving the socket wide open to unauthenticated requests regardless of configured security settings. Third, the endpoint accepts executable commands directly from URL parameters with no restrictions on what can run.


When combined, these flaws allow a malicious web page loaded by the agent to reach the privileged local service and execute arbitrary commands under the AutoGen Studio process account. Microsoft's proof of concept demonstrated this by having a Web Content Summarizer agent visit an attacker URL, resulting in calc.exe launching on the developer's desktop.


The Packaging and Exposure


The distinction between stable and pre-release builds is critical here. A standard pip install autogenstudio retrieves version 0.4.2.2, the stable release, which lacks the vulnerable MCP WebSocket route entirely. However, the MCP handler did ship in two pre-release versions, 0.4.3.dev1 and 0.4.3.dev2, both still available on PyPI. Since pip does not install pre-releases by default, most users were never exposed. Anyone who explicitly installed a pre-release using the --pre flag or pinned the version number was vulnerable.


The Fix and Current Status


Microsoft's security team hardened the codebase in GitHub commit b047730 through pull request 7362. The patched version no longer reads commands from URL parameters. Instead, commands are stored server-side and accessed via one-time session IDs, with unknown IDs rejected outright. MCP routes now pass through the standard authentication layer. However, this fix remains only in the GitHub main branch and has not been released to PyPI yet, leaving pre-release users without an official patched build to upgrade to.


Mitigation Strategies


Users running the stable release version 0.4.2.2 need not take action. Pre-release users should pull the fixed code directly from GitHub main at or after commit b047730. If upgrading immediately is not possible, the attack surface can be reduced by separating AutoGen Studio from any browsing or code-execution agents that touch untrusted content, since the exploit requires both components on the same localhost. Running each in separate containers or virtual machines provides effective isolation. Running AutoGen Studio under a low-privilege account rather than a developer's full session also limits the impact of successful exploitation.


Broader Pattern Recognition


The AutoJack vulnerability reflects a systemic pattern in agent frameworks that Microsoft expects to see repeated elsewhere. The underlying problems—local services with excessive privileges, localhost treated as a security boundary, and agents accessing untrusted web content—create similar risks across platforms. Microsoft noted comparable vulnerabilities in ChatGPT's page summarization features, which became a phishing vector in the ChatGPhish attack, and in Semantic Kernel components tracked as CVE-2026-26030 and CVE-2026-25592. The security lesson is clear: once an agent can browse the open internet and reach privileged local services, localhost is no longer a trustworthy security boundary. The proper defenses are authentication on the control plane, an allowlist restricting which processes can execute, and giving agents an identity separate from the developer's own session.


Sources


  • https://thehackernews.com/2026/06/autojack-attack-lets-one-web-page.html

  • https://x.com/TheHackersNews/status/2067994020312473646

  • https://www.reddit.com/r/SecOpsDaily/comments/1ua7lxy/autojack_attack_lets_one_web_page_hijack_ai_agent

  • https://x.com/TheCyberSecHub/status/2068015026565525886

Recent Posts

See All

Comments


  • Youtube

© 2025 by Explain IT Again. Powered and secured by Wix

bottom of page