AutoJack Reveals New Threat to Autonomous AI Agent Security

Researchers are discovering new security threats that extend well beyond traditional prompt manipulation as artificial intelligence agents acquire the capability of browsing websites, interacting with local services, executing tools, and automating complex workflows. 
AutoJack, the newest example, demonstrates how a single malicious web page can manipulate a trusted AI-powered browser into unintentionally compromising the system it runs on.
A number of vulnerabilities combine to bypass assumptions surrounding localhost security. 
The exploit chain targets Microsoft’s AutoGen Studio, an open-source environment designed to develop and test multi-agent AI systems, and it combines multiple weaknesses. Using the agent’s native web browsing functionality and its interaction with locally exposed services, the attack allows the execution of arbitrary code on the host machine when the user simply submits a URL.
It has been demonstrated that AI security is becoming increasingly problematic as agents are integrated into browsers, developer tools, and operating systems. 
As a result, the boundary between untrusted internet content and privileged local resources is becoming increasingly difficult to enforce. According to the analysis, the attack does not require stolen credentials, bypasses of user authentication, or repeated actions by the user to proceed.
An attacker-controlled webpage can be accessed by browsing agents once they have been directed there, whether they have been directed there by a submitted URL, a malicious link, or prompt-injected content embedded in a workflow. This issue centers around AutoGen Studio’s implementation of the Model Context Protocol (MCP) WebSocket, which was included in the development builds 0.4.3.dev1 and 0.4.3.dev2, but was absent from Microsoft’s stable version 0.4.2.2. 
According to Microsoft, the exposed MCP WebSocket surface did not appear in a stable PyPI release. Researchers have, however, identified three different weaknesses that combine to form a viable remote code execution path within the development branch. The first was inadequate origin validation: WebSocket connections were limited to localhost origins, but JavaScript executed within the AI-controlled headless browser on the same machine was not considered.
The second stemmed from authentication controls that intentionally excluded /api/mcp/* routes, allowing access to the MCP WebSocket without verification. The third, one of the most critical, arose from the handling of the server_params argument, which accepted attacker-supplied commands and arguments, decoded them into execution parameters, and passed them directly to the process-spawning functionality without any meaningful restrictions.
When a developer runs AutoGen Studio on localhost:8081 along with a browsing agent, the agent could unintentionally trigger the chain by browsing a carefully crafted webpage. By leveraging the authentication and origin validation gaps, the embedded JavaScript would create a WebSocket connection to the local MCP endpoint and instruct the application to launch an attacker-defined executable with the logged-in user’s privileges.
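Each of the three weaknesses described above maps to a check that can be made before an MCP WebSocket session is accepted. The sketch below is an added example, not AutoGen Studio's code or Microsoft's fix; the function name, session token, origin list and approved-server table are assumptions constructed for illustration.

```python
import hmac
import json

# Constructed values (assumptions, not taken from AutoGen Studio):
SESSION_TOKEN = "constructed-session-token"   # secret issued to the real UI session
ALLOWED_ORIGINS = {"http://localhost:8081", "http://127.0.0.1:8081"}
# Operator-approved launch lines; clients pick a key and never send a command.
APPROVED_SERVERS = {"notes": ["/opt/mcp/bin/example-notes-server", "--stdio"]}


def gate_mcp_websocket(origin, token, server_params_json):
    """Return (allowed, detail): detail is the argv to spawn, or the refusal reason."""
    # 1. Authentication applies to the MCP route like any other; no path exemption.
    if not hmac.compare_digest((token or "").encode(), SESSION_TOKEN.encode()):
        return False, "missing or invalid session token"
    # 2. Origin is a secondary filter only. The article notes that script running
    #    in the agent's headless browser on the same machine was not considered,
    #    so a local-looking origin must never grant access by itself.
    if origin not in ALLOWED_ORIGINS:
        return False, "origin not allowed"
    # 3. server_params may name an approved server; command and args are rejected.
    try:
        params = json.loads(server_params_json)
    except (TypeError, ValueError):
        return False, "server_params is not valid JSON"
    if not isinstance(params, dict) or set(params) != {"server"}:
        return False, "server_params may only name an approved server"
    name = params["server"]
    argv = APPROVED_SERVERS.get(name) if isinstance(name, str) else None
    if argv is None:
        return False, "unknown server"
    return True, list(argv)  # copy, so callers cannot mutate the approved table


if __name__ == "__main__":
    # Constructed requests: one shaped like the chain in the article, one legitimate.
    local = "http://localhost:8081"
    supplied = json.dumps({"command": "example-binary", "args": ["--flag"]})
    print(gate_mcp_websocket(local, None, supplied))
    print(gate_mcp_websocket(local, SESSION_TOKEN, supplied))
    print(gate_mcp_websocket(local, SESSION_TOKEN, json.dumps({"server": "notes"})))
```
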
As a result of the responsible disclosure to the Microsoft Security Response Center, the affected co

[…]

This article has been indexed from CySecurity News – Latest Information Security and Hacking Incidents
