AutoJack turns AI browsing agents into a path to host code execution
Microsoft researchers detailed AutoJack, an attack that turns an AI browsing agent into a route for running code on the user's machine. If the agent is steered to open an attacker's web page, that page's JavaScript can reach a privileged local service on the same host and spawn a process, with no credentials and no further interaction once the page loads. A planted link, poisoned URL field, or prompt injection is enough to trigger it. The demonstrated flaw sits in AutoGen Studio, the prototyping interface for Microsoft's AutoGen agent framework. The lesson: once an agent browses the open web and can reach local services, localhost is no longer a trust boundary.
- Check: Inventory AI agents and assistants that can both browse the web and reach local services, and check whether any expose privileged localhost endpoints, such as AutoGen Studio, without authentication.
- Affected: Developers and teams running web-browsing AI agents that can reach unauthenticated local services on the same host; the public demonstration targets Microsoft's AutoGen Studio prototyping interface.
- Fix: Authenticate local control-plane services rather than trusting localhost, keep agent process execution behind an allowlist, give agents their own least-privilege identity, and isolate agent runtimes from sensitive hosts and developer sessions.