AutoJack: A single page can RCE the host running your AI agent
6 hours ago
- #AI Security
- #AutoGen Studio
- #Exploit Chain
- A security exploit chain named AutoJack was discovered in AutoGen Studio, allowing untrusted web content accessed by a browsing agent to spawn arbitrary processes via a local MCP WebSocket.
- The chain exploits three weaknesses: an origin allowlist that trusted localhost, missing authentication on the MCP paths, and improper neutralization of command parameters, which together lead to arbitrary code execution.
- The issue was fixed in the development branch before any PyPI release, so users installing from PyPI are not affected; the broader lesson is the risk created when an agent that browses untrusted content also has access to privileged local services.
- Recommendations include isolating development environments, using authentication for control planes, running agents under low-privilege accounts, and leveraging Microsoft security tools for detection and protection.
- Microsoft offers various security measures, such as Azure AI Content Safety Prompt Shields, Defender for Cloud AI threat protection, and Entra Agent ID, to help secure agentic systems and mitigate similar risks.
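The first two weaknesses in the summary (a localhost-trusting origin allowlist and unauthenticated MCP paths) can be contrasted with a hardened WebSocket handshake check. This is an added illustration, not AutoGen Studio's code; the allowed origin, header layout and token are constructed for the example.

```python
import hmac
from urllib.parse import urlsplit

# Constructed for the example: the only origin the control plane should
# serve is the Studio UI itself, pinned to scheme, host and port.
ALLOWED_ORIGINS = {"http://localhost:8081"}


def weak_origin_check(origin: str) -> bool:
    """Weak pattern: any origin whose host is localhost is trusted,
    whatever the scheme or port, and nothing else is checked."""
    host = urlsplit(origin).hostname or ""
    return host in ("localhost", "127.0.0.1")


def hardened_handshake(headers: dict, expected_token: str) -> bool:
    """Hardened pattern: the Origin header must match the allowlist
    exactly, and the upgrade request must carry the per-session bearer
    token issued to the UI. Header names are assumed lower-cased by the
    server framework before this check runs."""
    if headers.get("origin", "") not in ALLOWED_ORIGINS:
        return False
    scheme, _, token = headers.get("authorization", "").partition(" ")
    if scheme.lower() != "bearer" or not token:
        return False
    # Constant-time comparison so a wrong token leaks no timing signal.
    return hmac.compare_digest(token.encode(), expected_token.encode())
```

The weak check accepts `http://localhost:9999` because the host matches, while the hardened check rejects it and also refuses a correct origin that arrives without the session token.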