
AutoJack – A Single Web Page Can Hijack Your AI Agent to Execute Malicious Code


Jun 20, 2026

A critical exploit chain dubbed AutoJack allows a single malicious web page to hijack Microsoft’s AutoGen Studio browsing agent and execute arbitrary code on the host machine, with no user interaction beyond submitting a URL.

AutoJack is a three-vulnerability exploit chain targeting AutoGen Studio, Microsoft Research’s open-source prototyping UI for multi-agent AI systems. The technique weaponizes the agent’s built-in web-browsing capabilities to cross the localhost trust boundary, turning the AI agent into an unwitting delivery vehicle for remote code execution (RCE).

Researchers reported the findings to the Microsoft Security Response Center (MSRC), and the upstream main branch was hardened in commit b047730. Crucially, the vulnerable MCP WebSocket surface was never included in any PyPI release, meaning developers who install AutoGen Studio via pip are not exposed to this specific chain.

AutoJack Vulnerability Chain

AutoJack chains three independent weaknesses in AutoGen Studio’s Model Context Protocol (MCP) WebSocket surface:

  • CWE-1385 – Missing Origin Validation in WebSockets: The MCP WebSocket only accepts connections from http://127.0.0.1 or http://localhost. While this blocks a human browser tab on evil.com, it does not block JavaScript rendered by a headless browser owned by an AutoGen browsing agent — which inherits localhost identity, bypassing the check entirely.
  • CWE-306 – Missing Authentication for Critical Function: AutoGen Studio’s authentication middleware explicitly skipped /api/mcp/* paths, assuming the WebSocket handler would enforce its own checks. It never did. As a result, the MCP WebSocket accepted unauthenticated connections regardless of the auth mode configured for the rest of the application.
  • CWE-78 – OS Command Injection via server_params: The WebSocket endpoint accepted a server_params query parameter, base64-decoded it into a JSON blob, parsed it into StdioServerParams, and passed command + args directly to stdio_client(). With no executable allowlist in place, an attacker could supply calc.exe, powershell.exe -enc …, or bash -c '...' as the “MCP server.”

The end-to-end flow is straightforward. A developer runs AutoGen Studio on localhost:8081 alongside a browsing agent — such as a web summarizer built with MultimodalWebSurfer.

An attacker plants a malicious page (or tricks the user into submitting an attacker-controlled URL). The headless browser navigates to the page; its JavaScript opens a WebSocket to ws://localhost:8081/api/mcp/ws/<id>?server_params=<base64_payload>.

Because the browsing agent runs locally, the origin check passes; because auth middleware skips /api/mcp/*, no token is required. AutoGen Studio decodes the payload and spawns the attacker-specified command under the developer’s account.

In proof-of-concept testing, calc.exe launched on the developer’s desktop within seconds of the agent rendering the malicious page — initiated by the AutoGen Studio process itself, not the browser.

Fixes Applied

Microsoft’s maintainers addressed all three issues:

  • Server-side parameter binding: server_params is no longer accepted via the URL; parameters are stored server-side and keyed by UUID.
  • Auth skip list tightened: /api/mcp no longer bypasses middleware; all MCP routes now flow through standard authentication.

These changes are live on the main branch as of commit b047730 (version 0.7.2). The published PyPI package (autogenstudio 0.4.2.2) was confirmed to contain no mcp.py route file or StdioServerParams references.

To defend against AutoJack-style attacks broadly:

  • Treat any tool parameter reachable from model output as attacker-controlled.
  • Never bind sensitive control planes to localhost without authentication — loopback is an attack surface for any agent on that machine.
  • Allowlist executables that may be invoked as MCP servers.
  • Isolate agent identity from developer identity using containers, separate OS users, or VMs.
  • If building from main, use a build at or after commit b047730.
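One way to implement the executable allowlist and the server-side, UUID-keyed parameter binding from the fixes and recommendations above, as an added example that is not AutoGen Studio's own code; the StdioServerParams shape, the allowlist contents, the registry and the sample payloads are assumptions made for the demo.

```python
import base64
import json
import uuid
from dataclasses import dataclass, field
from typing import Optional

# Hypothetical allowlist: the only program names this demo lets run as MCP servers.
MCP_EXEC_ALLOWLIST = frozenset({"npx", "uvx", "python"})

@dataclass
class StdioServerParams:  # shape inferred from the article, not the real AutoGen class
    command: str
    args: list[str] = field(default_factory=list)

class RejectedParams(ValueError):
    """Raised when a launch request fails validation."""

def encode_server_params(raw: dict) -> str:
    """Build the base64 JSON blob the vulnerable URL parameter carried (for demos)."""
    return base64.b64encode(json.dumps(raw).encode()).decode()

def decode_server_params(b64: str) -> dict:
    """Decode exactly as the vulnerable endpoint did: no validation at all."""
    return json.loads(base64.b64decode(b64))

def rejection_reason(raw: dict) -> Optional[str]:
    """Hardened checks; returns None only when the request may be launched."""
    command, args = raw.get("command"), raw.get("args", [])
    if not isinstance(command, str) or not isinstance(args, list) \
            or not all(isinstance(a, str) for a in args):
        return "malformed server_params"
    # Reduce to a bare program name so paths and .exe suffixes cannot dodge the list.
    program = command.replace("\\", "/").rsplit("/", 1)[-1].lower()
    program = program[:-4] if program.endswith(".exe") else program
    if program not in MCP_EXEC_ALLOWLIST:
        return f"executable not allowlisted: {command}"
    return None

# Server-side binding: validated params live here, keyed by UUID, so the
# WebSocket URL never carries a command string.
SERVER_PARAMS_REGISTRY: dict[str, StdioServerParams] = {}

def register_server_params(raw: dict) -> str:
    """Called from an authenticated API route; returns the key the client later presents."""
    reason = rejection_reason(raw)
    if reason:
        raise RejectedParams(reason)
    key = str(uuid.uuid4())
    SERVER_PARAMS_REGISTRY[key] = StdioServerParams(raw["command"], list(raw.get("args", [])))
    return key
```

Allowlisting the program name alone is not sufficient when the program is an interpreter such as python, so a real deployment should constrain args as well.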

AutoJack highlights a concerning risk pattern that is developing across AI agent frameworks. This issue arises when an agent is able to browse untrusted content while also having the ability to communicate with privileged local services.

In this case, the local environment can no longer be considered a secure boundary. To effectively mitigate this risk, it is essential to implement consistent control-plane authentication, enforce strict action allowlisting, and ensure identity isolation, regardless of the framework being utilized.

Source: CybersecurityNews.com
