Forensic Summary
Microsoft researchers disclosed AutoJack, an exploit chain targeting AutoGen Studio's MCP WebSocket endpoint that allows a single malicious web page to execute arbitrary commands on a developer's host machine via an AI browsing agent. The attack chains three distinct weaknesses — localhost trust bypass, missing authentication on MCP paths, and unsanitised command execution — requiring no credentials or user interaction beyond the agent loading the attacker's URL. While the vulnerable handler was not included in stable PyPI releases, it shipped in two pre-release builds that remain unyanked, leaving anyone who installed those versions exposed.
Read the full technical deep-dive on Grid the Grey: https://gridthegrey.com/posts/autojack-exploit-chain-turns-ai-browsing-agent-into-remote-code-execution-vector/
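As an added example (not AutoGen Studio's code and not the researchers' proof of concept), the following handshake guard for a local MCP WebSocket endpoint closes the first two links of the chain described above: it stops treating a connection as trusted just because it arrives on localhost by rejecting browser-originated cross-origin upgrades, and it requires a bearer token on MCP paths. The port, path prefix, token scheme and the `:path` header convention are assumptions.

```python
import hmac
from typing import Mapping, Tuple, List

# Origins the dev server itself serves; any other page is foreign (port assumed).
ALLOWED_ORIGINS = {"http://localhost:8081", "http://127.0.0.1:8081"}


def check_ws_upgrade(headers: Mapping[str, str], expected_token: str,
                     mcp_path_prefix: str = "/api/mcp") -> Tuple[bool, str]:
    """Decide whether a WebSocket upgrade request may proceed.

    headers: header name -> value; the request path is carried under the
    constructed key ':path'. Returns (allowed, reason).
    """
    h = {k.lower(): v for k, v in headers.items()}
    path = h.get(":path", "")
    origin = h.get("origin")
    # Link 1, localhost trust: browsers always send Origin on a WebSocket
    # upgrade, so an Origin outside the allow-list is a foreign page driving
    # the connection and is refused even though the socket is local.
    if origin is not None and origin not in ALLOWED_ORIGINS:
        return False, f"cross-origin WebSocket from {origin}"
    # Link 2, missing authentication: MCP paths need a token no matter where
    # the client lives; a constant-time compare avoids a timing side channel.
    if path.startswith(mcp_path_prefix):
        scheme, _, token = h.get("authorization", "").partition(" ")
        if scheme.lower() != "bearer" or not hmac.compare_digest(token, expected_token):
            return False, "missing or invalid MCP token"
    return True, "ok"


# Constructed handshakes: a foreign page, the app's own UI, the UI without a
# token, and a non-browser MCP client that sends no Origin at all.
SAMPLE_HANDSHAKES = [
    ("foreign page", {":path": "/api/mcp/ws", "Origin": "https://attacker.example",
                      "Authorization": "Bearer s3cret"}),
    ("own UI", {":path": "/api/mcp/ws", "Origin": "http://localhost:8081",
                "Authorization": "Bearer s3cret"}),
    ("own UI, no token", {":path": "/api/mcp/ws", "Origin": "http://localhost:8081"}),
    ("native client", {":path": "/api/mcp/ws", "Authorization": "Bearer s3cret"}),
]


def triage(samples, expected_token: str) -> List[Tuple[str, bool, str]]:
    """Run the guard over labelled handshakes and return (label, allowed, reason)."""
    return [(label, *check_ws_upgrade(hdrs, expected_token)) for label, hdrs in samples]


if __name__ == "__main__":
    for label, allowed, reason in triage(SAMPLE_HANDSHAKES, "s3cret"):
        print(f"{label:18} {'ALLOW' if allowed else 'REJECT':6} {reason}")
```

Only the app's own UI and the token-bearing native client get through; the foreign page is refused before any MCP message is read, and the untokened UI request fails even though its Origin is trusted.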