- Microsoft’s Defender Security Research Team Reveals “AutoJack”, a Chain of Vulnerabilities in AutoGen Studio That Enables RCE Via Malicious Websites
- The flaws included local host channel abuse, skipped login checks, and arbitrary code execution, which allowed agents to run attacker-delivered programs
- The issue only existed in early GitHub builds, fixed before release; highlights the need for strict authentication and isolation of local control planes
Microsoft’s Defender Security Research Team has uncovered a vulnerability chain in AutoGen Studio that lets a single malicious website achieve remote code execution (RCE) on a device running an AI agent.
AutoGen Studio is a program built by Microsoft Research for developing AI agents. Dubbed “AutoJack,” the chain of vulnerabilities consists of three flaws that, when viewed separately, are not particularly worrisome. Chained together, however, they tell a completely different story.
“The technique, which we call AutoJack, causes the agent to become the attacker’s last-mile delivery vehicle by crossing the local-host trust boundary that many developer tools rely on,” Microsoft explained in its report.
Patching the bugs
First, AutoGen Studio had a local control channel that only accepted connections from “localhost”, which is a good way to block external attackers.
However, an AI agent’s web browser also counts as “localhost”, meaning that its connections will also be accepted. Second, login checks were skipped for this particular channel.
The app had several ways to require a username and password, but the part of the code that handled this specific local channel was left wide open.
Finally, the channel would run almost anything it was asked to run. Microsoft researchers managed to get an arbitrary program to run, meaning threat actors could do the same, but with malicious code instead.
In theory, the attack would work like this: the victim would instruct their AI agent to read a specific website. Doing so would prompt the agent to download and run malicious code, which could be anything from backdoor malware to info stealers.
The good news is that Microsoft found this issue and reported it before the bug ever reached regular users. The official downloadable version of AutoGen Studio never had this problem, as it only existed in an early, under-development version on GitHub. The AutoGen team has since fixed it.
“If an agent can browse untrusted pages and also talk to privileged local services, loopback can become an attack surface, and control planes must be authenticated, authorized, and isolated,” Microsoft concluded.
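To make the three-step chain and Microsoft’s closing advice concrete, here is an added illustration (not AutoGen Studio’s code) of a local control channel’s request policy: the weak “is it loopback?” check that a page in the agent’s browser also passes, beside a hardened check that authenticates with a session token, authorizes against an action allowlist, and isolates the channel from browser-originated requests. The token, origins and action names are constructed placeholders.

```python
import hmac
from dataclasses import dataclass, field
from ipaddress import ip_address
from typing import Tuple

# Constructed values for this example only (not AutoGen Studio's real config).
SESSION_TOKEN = "example-session-token-not-real"   # issued once per UI session
ALLOWED_ACTIONS = {"list_sessions", "run_workflow"}  # fixed set, no raw commands
ALLOWED_ORIGINS = {"http://127.0.0.1:8081"}          # the tool's own UI (assumed)

@dataclass
class ControlRequest:
    peer_ip: str                                   # TCP source address
    headers: dict = field(default_factory=dict)    # HTTP request headers
    action: str = ""                               # what the caller asks for

def loopback_only_check(req: ControlRequest) -> bool:
    """Weak policy: trust any connection that comes from a loopback address.
    A browser the agent drives also connects from 127.0.0.1, so a request
    triggered by a malicious page passes this check just like the real UI."""
    return ip_address(req.peer_ip).is_loopback

def authorize(req: ControlRequest, token: str = SESSION_TOKEN) -> Tuple[bool, str]:
    """Hardened policy: authenticated, authorized and isolated."""
    if not ip_address(req.peer_ip).is_loopback:
        return False, "not loopback"
    # Isolation: browsers attach Origin / Sec-Fetch-Site to cross-origin
    # requests, so a web page the agent visited can be told apart and refused.
    origin = req.headers.get("Origin")
    if origin is not None and origin not in ALLOWED_ORIGINS:
        return False, "untrusted browser origin"
    if req.headers.get("Sec-Fetch-Site") == "cross-site":
        return False, "cross-site fetch"
    # Authentication: every call carries the session secret; constant-time compare.
    presented = req.headers.get("Authorization", "")
    if not hmac.compare_digest(presented, f"Bearer {token}"):
        return False, "missing or wrong token"
    # Authorization: only allowlisted actions, never an arbitrary program.
    if req.action not in ALLOWED_ACTIONS:
        return False, f"action not allowed: {req.action}"
    return True, "ok"

def demo() -> dict:
    # Constructed request as a malicious page in the agent's browser would send it.
    page = ControlRequest("127.0.0.1", {"Origin": "https://malicious-page.example",
                                        "Sec-Fetch-Site": "cross-site"}, "run_workflow")
    # Constructed request from the tool's own authenticated client.
    client = ControlRequest("127.0.0.1", {"Authorization": f"Bearer {SESSION_TOKEN}"},
                            "run_workflow")
    return {"weak_passes_page": loopback_only_check(page),
            "hardened_page": authorize(page), "hardened_client": authorize(client)}
```

Running `demo()` shows the page request passing the loopback-only check but being refused by the hardened policy, while the authenticated client is still allowed.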
