Microsoft researchers have detailed an exploit chain, named AutoJack, that turns an AI browsing agent into a delivery vehicle for remote code execution.
Steer the agent to load an attacker’s web page, and that page’s JavaScript can reach a privileged local service on the same machine and spawn a process on the host.
No credentials, no sign-in screen, and no further user interaction once the agent loads the page. The attacker only has to get the agent to open it, and a planted link, a URL field, or a prompt injection will do.
The flaw sits in AutoGen Studio, the open-source prototyping interface for Microsoft Research’s AutoGen multi-agent framework. This is not a bug that hits everyone who installs the package, and the packaging detail is worth getting right.
A plain pip install autogenstudio pulls the current stable release, 0.4.2.2, the build Microsoft inspected, and it has no Model Context Protocol (MCP) route at all.
That is the basis for Microsoft’s statement that the vulnerable MCP WebSocket surface “was never included in a PyPI release.” It holds for the stable build. But the vulnerable handler did ship to PyPI, in two pre-release builds, 0.4.3.dev1 and 0.4.3.dev2.
The Hacker News downloaded and inspected both. The MCP WebSocket route is present, the handler takes the command to run straight from the request, and it does not authenticate the caller. Neither build has been yanked.
pip does not install pre-releases unless you pass --pre or pin the version, so a plain install was never exposed. Anyone who installed one of those pre-releases was. There is still no PyPI build carrying the main-branch hardening for them; the fixed code is in GitHub main at commit b047730.
How the chain works
AutoJack chains three weaknesses in the MCP WebSocket.
First, the socket trusted localhost, a check meant to block a normal browser pointed at a malicious site. But a browsing agent running on the same box is localhost, so anything it loads inherits that localhost identity and passes the check.
Second, the authentication middleware skipped MCP paths on the assumption that the handler would verify tokens itself. It never did, so the socket accepted unauthenticated connections regardless of the configured auth mode.
Third, the endpoint took a command straight from a request parameter and ran it, with no allowlist on which executable could launch.
Put together, a page on the open internet, rendered by a local agent, could run an attacker-chosen command under the account running AutoGen Studio.
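The three weaknesses above are easier to see as a single authorization decision. The following is an added illustration written for this article, not AutoGen Studio's own code: it models a loopback-bound WebSocket endpoint that launches processes, with the flawed policy (trust the localhost peer, exempt MCP paths from the auth middleware, run whatever executable the caller names) beside a hardened one that requires the token on every path and resolves the executable against an allowlist. The route path, token, allowlist contents and request shape are all constructed for the example.

```python
"""Modelled authorization policy for a localhost WebSocket that spawns processes.
Added example; names, paths and token values are constructed, not AutoGen Studio's."""
import hmac
import shlex
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed values: the bearer token the server was configured with, and the
# executables an operator is willing to let the endpoint start (hypothetical).
SERVER_TOKEN = "example-token-not-a-real-secret"
ALLOWED_EXECUTABLES = {"npx", "uvx"}


@dataclass
class Request:
    path: str              # route requested, e.g. "/api/mcp/ws" (hypothetical path)
    peer_host: str         # TCP peer address as seen by the server
    token: Optional[str]   # bearer token presented by the caller, if any
    command: str           # shell-style command line supplied by the caller


def _token_ok(token: Optional[str]) -> bool:
    # Constant-time comparison so token checks do not leak through timing.
    return token is not None and hmac.compare_digest(token, SERVER_TOKEN)


def vulnerable_policy(req: Request, auth_mode: str) -> Tuple[bool, str]:
    """Reproduces the three weaknesses described in the article.
    1. A loopback peer is treated as trusted, but a local browsing agent is loopback too.
    2. The auth middleware exempts MCP paths on the assumption the handler checks tokens.
    3. The handler never checks, and spawns whatever executable the request names."""
    if req.peer_host not in ("127.0.0.1", "::1"):
        return False, "non-localhost peer rejected"
    if auth_mode != "none" and not req.path.startswith("/api/mcp"):
        # Only non-MCP paths reach the token check.
        if not _token_ok(req.token):
            return False, "bad or missing token"
    # MCP handler: no token check, no allowlist, command used as supplied.
    return True, "spawn: " + req.command


def hardened_policy(req: Request, auth_mode: str) -> Tuple[bool, str]:
    """Loopback is not an identity: enforce the configured auth mode on every path,
    parse the command into argv, and only spawn executables from the allowlist."""
    if auth_mode != "none" and not _token_ok(req.token):
        return False, "bad or missing token"
    try:
        argv = shlex.split(req.command)
    except ValueError:
        return False, "unparseable command"
    if not argv:
        return False, "empty command"
    exe = argv[0]
    # Reject any path component so "/tmp/x/npx" cannot masquerade as "npx".
    if "/" in exe or "\\" in exe or exe not in ALLOWED_EXECUTABLES:
        return False, "executable not on allowlist: " + exe
    # A real handler would pass argv to subprocess without a shell at this point.
    return True, "spawn argv: " + repr(argv)


if __name__ == "__main__":
    # Constructed request: a page loaded by a local agent, no token, attacker command.
    page_request = Request("/api/mcp/ws", "127.0.0.1", None, "calc.exe")
    print(vulnerable_policy(page_request, "bearer"))  # (True, 'spawn: calc.exe')
    print(hardened_policy(page_request, "bearer"))    # (False, 'bad or missing token')
```

The hardened branch deliberately ignores the peer address: the fix is not a better localhost check but a token check that applies to every route plus an allowlist that makes the spawned executable an operator decision rather than a caller decision.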
Microsoft describes this as research, not an active campaign, and reported no exploitation in the wild. The proof of concept used a “Web Content Summarizer” agent that, when fed an attacker URL, pops calc.exe on the developer’s desktop, launched by the AutoGen Studio process.
Microsoft reported the behavior to the Microsoft Security Response Center, and the maintainers hardened the main branch in commit b047730 (PR #7362). The fixed handler no…