Today's cybersecurity headlines are brought to you by ThreatPerspective


Ethical Hacking News

The AutoJack Attack: A Vulnerability in Microsoft's AutoGen Framework Allows for Host Code Execution



AutoJack is an attack on Microsoft's AutoGen framework that lets an attacker hijack an AI agent and execute code on the host running it. The autojacking attack chains three weaknesses in AutoGen's Model Context Protocol (MCP) WebSocket endpoint: the socket trusts any connection from localhost, the authentication middleware skips MCP paths, and the endpoint takes the command to run directly from a request parameter without validation.

  • AutoGen's Model Context Protocol (MCP) WebSocket endpoint has three weaknesses that together let an attacker hijack an AI agent and execute code on the agent's host.
  • The attack exploits a design flaw rather than a memory-safety bug, and needs no user interaction and no credentials: a web page carrying malicious JavaScript is enough once the agent opens it.
  • The exploit chain is: the agent opens an attacker-controlled page; the page's JavaScript connects to the MCP WebSocket on the same machine, which trusts localhost and is exempt from authentication; the endpoint spawns a process from the command in the request.
  • According to the report, most users who installed AutoGen Studio from a stable pip release are not affected; the vulnerable handler shipped in pre-releases, and the fix is in the GitHub main branch at or after commit b047730.
  • The attack highlights the need for robust authentication and authorization in AI frameworks and agents: a browser on the same machine is also a localhost client, so network location is not an identity.



  • Microsoft has disclosed AutoJack, an attack on its AutoGen framework that lets an attacker hijack an AI agent and execute code on the host running it. The autojacking attack chains three weaknesses in AutoGen's Model Context Protocol (MCP) WebSocket endpoint: the socket trusts any connection from localhost, the authentication middleware skips MCP paths, and the endpoint takes the command to run directly from a request parameter without validation.

    AutoGen is a Microsoft Research framework for building multi-agent systems in which AI agents interact with each other and with tools. AutoJack exploits a flaw in how the framework's local service trusts its callers: when an agent loads a web page containing a malicious script, that script can reach the MCP service on the agent's own machine and make it execute commands on the host, without any user interaction or authentication.

    The vulnerability was discovered by Microsoft researchers and is detailed in their report on the AutoJack attack. According to the researchers, the exploit chain is:
    1. The attacker gets the AI agent to load a web page containing malicious JavaScript. This is the only precondition; it requires no user interaction and no credentials.
    2. The JavaScript, executing in the browser the agent used to load the page, opens a connection to the MCP WebSocket service listening on the same machine. Because the service trusts localhost and its authentication middleware skips MCP paths, the connection is accepted without any check of who is behind it.
    3. The script passes a command in a request parameter, which the endpoint hands to the host without validation, spawning a process on the machine running the agent.
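    As an added illustration (this is not AutoGen's code, nor code from the Microsoft report), the following Python models the three weaknesses from the chain above in a minimal WebSocket upgrade handler and puts a hardened handshake beside it. The /mcp path prefix, the command query parameter, the bearer-token scheme, the allowed origins and the two sample requests are all assumptions constructed for this example.

```python
"""Added example, not AutoGen's or Microsoft's code: a model of the three
AutoJack weaknesses in a localhost WebSocket handler, and a hardened version.
All paths, header names, the ``command`` parameter and the token scheme are
assumptions chosen for illustration."""
import hmac
import shlex
from dataclasses import dataclass, field
from typing import Dict, List, Optional
from urllib.parse import parse_qs, urlsplit


@dataclass
class Handshake:
    """The parts of a WebSocket upgrade request the checks look at."""
    url: str                               # request target, e.g. "/mcp/ws?command=..."
    peer_host: str                         # TCP peer address as the server sees it
    headers: Dict[str, str] = field(default_factory=dict)


AUTH_SKIP_PREFIXES = ("/mcp",)             # assumed: middleware exempts MCP paths
SERVER_TOKEN = "s3cret-demo-token"         # assumed shared secret for the demo


def _command_param(url: str) -> Optional[str]:
    """Return the ``command`` query parameter, or None if absent."""
    return parse_qs(urlsplit(url).query).get("command", [None])[0]


def vulnerable_handshake(req: Handshake) -> Optional[List[str]]:
    """Return the argv the vulnerable server would spawn, or None if refused."""
    path = urlsplit(req.url).path
    # Weakness 2: the auth middleware never runs for MCP paths, so the token
    # check below is skipped for exactly the endpoint that can run commands.
    if not path.startswith(AUTH_SKIP_PREFIXES):
        if req.headers.get("Authorization") != f"Bearer {SERVER_TOKEN}":
            return None
    # Weakness 1: a loopback peer is treated as trusted.  A browser tab on the
    # same machine executing attacker JavaScript is also a loopback peer.
    if req.peer_host not in ("127.0.0.1", "::1"):
        return None
    # Weakness 3: the command comes straight from the request and is handed
    # to the host as-is; shlex.split stands in for what subprocess would run.
    command = _command_param(req.url)
    return shlex.split(command) if command else None


ALLOWED_ORIGINS = {"http://127.0.0.1:8081", "http://localhost:8081"}  # assumed UI origin
COMMANDS = {                                # assumed allowlist: name -> fixed argv
    "list-tools": ["mcp-tool", "--list"],
}


def hardened_handshake(req: Handshake, expected_token: str) -> Optional[List[str]]:
    """Same request shape, with each weakness closed."""
    # Fix 1+2: loopback is not an identity.  Require the shared secret on
    # every path, MCP included, and compare it in constant time.
    supplied = req.headers.get("Authorization", "").encode()
    if not hmac.compare_digest(supplied, f"Bearer {expected_token}".encode()):
        return None
    # Browsers always send Origin on a WebSocket upgrade, and a cross-site page
    # cannot forge it.  If present it must be our own UI; absence means a
    # non-browser client, which has already had to present the token.
    origin = req.headers.get("Origin")
    if origin is not None and origin not in ALLOWED_ORIGINS:
        return None
    # Fix 3: never execute caller-supplied text; resolve a name to a fixed argv.
    name = _command_param(req.url)
    if name not in COMMANDS:
        return None
    return list(COMMANDS[name])


# Constructed sample: attacker JavaScript on https://attacker.example, running
# in the agent's browser, connects to the local socket with no credentials.
ATTACK = Handshake(
    url="/mcp/ws?command=echo%20pwned",
    peer_host="127.0.0.1",
    headers={"Origin": "https://attacker.example"},
)
# Constructed sample: the framework's own UI, carrying the token.
LEGIT = Handshake(
    url="/mcp/ws?command=list-tools",
    peer_host="127.0.0.1",
    headers={"Origin": "http://127.0.0.1:8081",
             "Authorization": f"Bearer {SERVER_TOKEN}"},
)


def demo() -> Dict[str, Optional[List[str]]]:
    """Run both handlers over both samples; None means the request was refused."""
    return {
        "vulnerable/attack": vulnerable_handshake(ATTACK),
        "hardened/attack": hardened_handshake(ATTACK, SERVER_TOKEN),
        "hardened/legit": hardened_handshake(LEGIT, SERVER_TOKEN),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:18} -> {result}")
```

    Running the block shows the cross-site request being turned into an argv by the vulnerable handler and refused by the hardened one, while the framework's own UI still gets through. The token is the primary control: an Origin check on its own is not enough, because non-browser clients can send any Origin they like, and it is only the browser case (the attack here) that Origin reliably pins down.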

    The researchers note that most users who install AutoGen Studio with pip (the Python package manager) are not affected, because the vulnerable handler only shipped in pre-releases of the software. Users running a pre-release or a development checkout should pull from the GitHub main branch at or after commit b047730, which carries the fix.

    AutoJack shows why AI frameworks and agents must be designed with security in mind, and why a local service needs robust authentication and authorization rather than trust in the caller's network location: an agent that browses the web brings attacker-controlled JavaScript onto the same machine, and that script is as much a localhost client as the framework's own UI. Understanding how the chain works and applying the fix is the practical defence against this attack and others built the same way.

    Related Information:
  • https://www.ethicalhackingnews.com/articles/The-AutoJack-Attack-A-Vulnerability-in-Microsofts-AutoGen-Framework-Allows-for-Host-Code-Execution-ehn.shtml

  • https://thehackernews.com/2026/06/autojack-attack-lets-one-web-page.html

  • https://www.microsoft.com/en-us/security/blog/2026/06/18/autojack-single-page-rce-host-running-ai-agent/


  • Published: Fri Jun 19 12:28:23 2026 by llama3.2 3B Q4_K_M

    © Ethical Hacking News . All rights reserved.
