Microsoft security researchers have disclosed a new attack technique called AutoJack that exploits a vulnerability in AutoGen Studio's MCP (Model Context Protocol) WebSocket — found in pre-release builds of the framework — to achieve remote code execution on a host machine. The attack requires only a single malicious web page and zero user interaction beyond the initial page load.

How AutoJack Works

AutoGen Studio, Microsoft's open-source framework for building multi-agent AI systems, uses an MCP WebSocket to allow its browsing agent to communicate with local tools and services. Researchers found that this communication channel creates a dangerous trust boundary violation: the same WebSocket that grants the agent elevated local access can be reached by JavaScript running on a web page the agent visits.

An attacker simply needs to lure the AI browsing agent into loading a crafted web page. Embedded JavaScript on that page can then reach a privileged local service running on the same machine via the exposed MCP WebSocket, effectively using the agent as a bridge between the open internet and internal system processes. The end result is the ability to spawn arbitrary processes on the host — full remote code execution without stolen credentials, phishing screens, or any further human involvement.

The vulnerability was identified in pre-release builds of AutoGen Studio, meaning the affected code had not yet undergone the full hardening process typically applied to production releases.

Why Traditional Browser Security Falls Short

Standard browser security models — same-origin policies, process isolation, sandboxed rendering engines — were designed for a world where the user navigates manually and the browser acts as a passive window. AI agents fundamentally break that model. They interpret page content autonomously, make decisions about what to interact with, and often operate with elevated local privileges to deliver on their productivity promises.

AutoJack demonstrates that this inheritance of local trust is not a theoretical concern. When an AI agent's communication channel — such as AutoGen Studio's MCP WebSocket — is accessible to web content loaded by the agent, a single untrusted page can weaponize the agent against its own host.

Implications for AI Agent Deployments

The disclosure is particularly relevant for organisations that deploy AI agents in high-throughput, web-facing workflows. Social media management platforms, marketing automation tools, and customer engagement bots increasingly rely on AI agents to browse, scrape, and interact with third-party web content at scale. In these environments, an agent may routinely visit dozens or hundreds of URLs — including shortened links, user-submitted content, and redirected pages — any of which could be a delivery vector for an AutoJack-style attack.

More broadly, the finding highlights a critical gap in how many organisations evaluate AI agent tools. Functionality and cost often dominate procurement decisions, while the security posture of the agent's browsing execution environment — including the exposure of local service endpoints like MCP WebSockets — goes unexamined.

Recommended Mitigations

Security practitioners advising on AI agent deployments should consider the following steps:

  • Audit local service exposure. Identify any privileged daemons or services — including protocol-specific channels like MCP WebSockets — that could be reachable from the agent's execution context, and ensure they are bound to interfaces or ports that web content loaded by the agent cannot reach, and that they authenticate every connection rather than trusting the local machine.
  • Enforce strict sandboxing. Deploy AI browsing agents within dedicated containers or virtual machines, isolating the agent from the host operating system to contain potential compromise.
  • Adopt a zero-trust input model. Treat every web page an agent visits as potentially malicious. Frameworks governing agent behaviour must validate and scope permitted actions with this assumption.
  • Mandate security evaluation. Shift procurement criteria for AI agent tools to prioritise security posture — sandboxing, permission models, audit trails — alongside functionality and cost.
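The mechanism described under "How AutoJack Works" and the first three mitigations above come down to one decision point: what a local tool-channel WebSocket does when an HTTP Upgrade request arrives. The example below is an added illustration, not AutoGen Studio's code or Microsoft's research, and it assumes a hypothetical policy object (WsPolicy), a hypothetical handshake evaluator (evaluate_handshake) and constructed header sets with placeholder origins and a placeholder shared token. It shows the weak configuration (bound to all interfaces, any Origin, no authentication), the reviewer findings an audit would raise against it, and the hardened configuration that rejects a handshake opened by JavaScript on an arbitrary page while still admitting the tool's own UI.

```python
from __future__ import annotations

# Added example (not AutoGen Studio's code): handshake policy for a local
# tool-channel WebSocket. Names, origins and the shared token are assumptions.
from dataclasses import dataclass
import hmac

LOOPBACK_HOSTS = {"127.0.0.1", "::1", "localhost"}


@dataclass
class WsPolicy:
    bind_host: str                        # interface the listener binds to
    allowed_origins: set[str] | None      # None = accept any Origin (weak)
    shared_token: str | None = None       # None = no authentication (weak)


def listener_is_local_only(policy: WsPolicy) -> bool:
    """Binding to loopback keeps the channel off the LAN, but it does NOT keep it
    away from a web page rendered on the same machine: page JavaScript can open
    ws://127.0.0.1:<port> like any other local client."""
    return policy.bind_host in LOOPBACK_HOSTS


def audit_policy(policy: WsPolicy) -> list[str]:
    """Return the weaknesses a reviewer would flag before deploying the channel."""
    findings = []
    if not listener_is_local_only(policy):
        findings.append(f"listener bound to {policy.bind_host}: reachable from the network")
    if policy.allowed_origins is None:
        findings.append("no Origin allow-list: any web page can complete the handshake")
    if policy.shared_token is None:
        findings.append("no shared token: every local process and page is trusted")
    return findings


def evaluate_handshake(headers: dict[str, str], policy: WsPolicy) -> tuple[bool, str]:
    """Decide whether an HTTP Upgrade request may become a WebSocket session.

    Browsers attach the page's Origin to every WebSocket handshake and page
    JavaScript cannot alter it, so an allow-list stops cross-site page access.
    Non-browser clients can send any Origin, so the token is the real gate."""
    h = {k.lower(): v for k, v in headers.items()}
    if h.get("upgrade", "").lower() != "websocket":
        return False, "not a WebSocket upgrade"
    origin = h.get("origin")
    if policy.allowed_origins is not None:
        if origin is None:
            return False, "Origin header required"
        if origin not in policy.allowed_origins:
            return False, f"origin {origin!r} not allowed"
    if policy.shared_token is not None:
        scheme, _, presented = h.get("authorization", "").partition(" ")
        if scheme != "Bearer" or not hmac.compare_digest(presented, policy.shared_token):
            return False, "missing or invalid bearer token"
    return True, "accepted"


# Constructed sample handshakes (not captured traffic).
PAGE_HANDSHAKE = {          # opened by JavaScript on an arbitrary site the agent visited
    "Host": "127.0.0.1:8081",
    "Upgrade": "websocket",
    "Connection": "Upgrade",
    "Origin": "https://untrusted.example",
    "Sec-WebSocket-Key": "dGhlIHNhbXBsZSBub25jZQ==",
    "Sec-WebSocket-Version": "13",
}
UI_HANDSHAKE = {            # opened by the tool's own local UI
    **PAGE_HANDSHAKE,
    "Origin": "http://localhost:8081",
    "Authorization": "Bearer example-shared-token",   # placeholder, generated per install
}

WEAK_POLICY = WsPolicy(bind_host="0.0.0.0", allowed_origins=None, shared_token=None)
HARDENED_POLICY = WsPolicy(
    bind_host="127.0.0.1",
    allowed_origins={"http://localhost:8081", "http://127.0.0.1:8081"},
    shared_token="example-shared-token",
)

if __name__ == "__main__":
    for name, policy in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(name, "findings:", audit_policy(policy) or ["none"])
        print("  page JS  ->", evaluate_handshake(PAGE_HANDSHAKE, policy))
        print("  local UI ->", evaluate_handshake(UI_HANDSHAKE, policy))
```

Under the weak policy the page-initiated handshake is accepted, which is the bridge the article describes; under the hardened one it fails on the Origin check, and a local process that forges an allowed Origin still fails on the token. The token must be generated per installation and delivered to the UI out of band, never embedded in a page that untrusted content could read.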

A Systemic AI-Native Threat

AutoJack is not an isolated vulnerability — it is part of a growing class of attacks that exploit the unique properties of AI systems, alongside prompt injection and data exfiltration techniques. The pattern suggests that adapting legacy security models to AI agents will not be sufficient. Purpose-built security frameworks for autonomous AI tools are becoming an urgent necessity as these systems move from experimental deployments into core business infrastructure.

Microsoft's disclosure serves as a timely reminder: as AI agents become more capable and more tightly integrated with local system resources, the blast radius of a single compromised web page grows dramatically.
