Microsoft researchers have identified a critical exploit chain named 'AutoJack' affecting pre-release builds of AutoGen Studio. The vulnerability allows a malicious webpage, when visited by an AI browsing agent, to execute arbitrary code on the host machine by exploiting a privileged local Model Context Protocol (MCP) WebSocket service. This bypasses security boundaries because the agent running on the machine is treated as 'localhost': it inherits implicit trust and bypasses the authentication middleware, which was incorrectly configured.
The flaw is specific to AutoGen Studio versions 0.4.3.dev1 and 0.4.3.dev2, which included an unauthenticated MCP handler. While the stable PyPI release (0.4.2.2) remains unaffected, users of the development builds are urged to pull the latest hardening from the GitHub repository (commit b047730). Microsoft emphasizes that as AI agents gain more autonomy to browse the web and access local services, the traditional 'localhost' trust boundary must be replaced with robust authentication and command allowlisting.
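The hardening Microsoft describes, shown as an added illustrative example rather than AutoGen Studio's own code: the weak loopback-only check beside a gate that requires a per-session bearer token and an explicit method allowlist. The header name, token handling and the JSON-RPC-style message shape are assumptions, not the project's real MCP schema.

```python
"""Authorization gate for a local MCP-style WebSocket handler (illustrative)."""
import hmac
import json
from dataclasses import dataclass


# Weak version: source address as the only credential. Any process or agent on
# the host, including an agent steered by a hostile web page, passes this check.
def is_trusted_weak(client_ip: str) -> bool:
    return client_ip in ("127.0.0.1", "::1")


# Hardened version: a secret issued to the legitimate client at startup
# (assumed handshake) plus an allowlist of method names the server will run.
ALLOWED_METHODS = frozenset({"tools/list", "prompts/list"})


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def authorize_request(headers: dict, raw_message: str, expected_token: str,
                      allowed_methods: frozenset = ALLOWED_METHODS) -> Decision:
    """Return a Decision for one inbound message; the client IP is never consulted."""
    auth = headers.get("authorization", "")
    if not auth.startswith("Bearer "):
        return Decision(False, "missing bearer token")
    # Constant-time comparison so token guessing gets no timing signal.
    if not hmac.compare_digest(auth[len("Bearer "):], expected_token):
        return Decision(False, "bad token")
    try:
        msg = json.loads(raw_message)
    except json.JSONDecodeError:
        return Decision(False, "malformed message")
    method = msg.get("method") if isinstance(msg, dict) else None
    if not isinstance(method, str) or method not in allowed_methods:
        return Decision(False, f"method not allowlisted: {method!r}")
    return Decision(True, "ok")


if __name__ == "__main__":
    # Constructed sample: a valid token but a method outside the allowlist.
    hdrs = {"authorization": "Bearer s3cret-session-token"}
    print(authorize_request(hdrs, '{"method": "shell/exec"}', "s3cret-session-token"))
```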