
AI Agents Turned Into Weapons: ‘AutoJack’ Exploit Shows How One Web Page Can Hijack Code
Microsoft has detailed “AutoJack,” a vulnerability that let a single malicious web page push unauthenticated commands through AutoGen Studio’s MCP WebSocket when opened by an AI browsing agent. The flaw shows how autonomous AI tools can become an unexpected attack path, exposing companies that thought only humans could be phished.
The quiet automation revolution in corporate networks has opened a new front in cyber risk: not just phishing people, but phishing their AI assistants.
Microsoft has disclosed technical details of a vulnerability dubbed “AutoJack” that allowed attackers to execute code via AutoGen Studio’s MCP WebSocket whenever an AI browsing agent opened a booby‑trapped web page. In essence, the exploit chain turned a single piece of content into a remote‑control channel, bypassing the assumption that only authenticated, human‑initiated actions could trigger sensitive operations.
The weakness lay in how AutoGen Studio — a framework for building multi‑agent AI workflows — handled WebSocket connections between its Model Context Protocol (MCP) components. According to Microsoft’s analysis, the system trusted commands delivered through content loaded by an AI browsing agent without proper authentication. That meant an attacker who could entice or redirect an autonomous agent to visit a crafted page could send arbitrary instructions back through the pipe, potentially interacting with tools or data the agent had been authorized to access.
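What "proper authentication" of such a channel looks like, as an added illustration (not AutoGen Studio's own code, and not a description of its actual implementation): the command WebSocket is gated at upgrade time by an Origin allowlist plus a per-session token that pages the agent browses never receive, and no frame reaches the tool dispatcher until that gate has passed. The origin, token, header values and the `dispatch` stub are constructed placeholders.

```python
# Added example: gating an MCP-style command WebSocket before any command
# is dispatched. Nothing here is AutoGen Studio's real code or configuration.
import hmac
import json
from dataclasses import dataclass

# Only the tool's own UI origin may open the command channel (constructed value).
# A browsed page presents its own Origin, so it cannot claim this one.
ALLOWED_ORIGINS = {"http://127.0.0.1:8081"}
# Per-session secret handed to the legitimate UI out of band (constructed value);
# it must never appear in content an agent can read.
SESSION_TOKEN = "constructed-session-token-change-me"


@dataclass
class Decision:
    accepted: bool
    reason: str


def authorize_handshake(headers: dict[str, str], token: str = SESSION_TOKEN) -> Decision:
    """Decide at WebSocket upgrade time, before a single frame is read."""
    h = {k.lower(): v for k, v in headers.items()}
    origin = h.get("origin")
    # Browsers always send Origin on a WebSocket upgrade; a missing or
    # unknown value means the connection did not come from our own UI.
    if origin not in ALLOWED_ORIGINS:
        return Decision(False, f"origin not allowed: {origin!r}")
    auth = h.get("authorization", "")
    presented = auth[len("Bearer "):] if auth.startswith("Bearer ") else ""
    # Constant-time comparison so the check itself does not leak the token.
    if not presented or not hmac.compare_digest(presented, token):
        return Decision(False, "missing or invalid session token")
    return Decision(True, "ok")


def handle_message(conn_authorized: bool, raw_frame: str, dispatch) -> dict:
    """Only an authorized connection may reach the tool-calling dispatcher.

    `dispatch` stands in for the tool runner (assumed interface: takes the
    parsed message, returns a result); methods outside a tight allowlist are
    refused even on an authorized connection.
    """
    if not conn_authorized:
        return {"error": "unauthorized channel"}
    msg = json.loads(raw_frame)
    if msg.get("method") not in {"tools/list", "tools/call"}:
        return {"error": "unknown method"}
    return {"result": dispatch(msg)}
```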
For organizations experimenting with AI agents that read documentation, execute scripts, or interface with internal APIs, the implications are concrete. An assistant designed to “help” with server maintenance or data retrieval could, under AutoJack‑style exploitation, be steered into running commands, exfiltrating files or altering configurations — all under the guise of normal automation. The human operator might only see a helpful summary, while the real work happened silently in the background.
This is not a mass‑scale worm or ransomware outbreak, but it exposes a structural weakness in the way many early AI tools are being wired into production environments. Security reviews often focus on user authentication, network segmentation and traditional web input validation. The assumption has been that content consumed by AI agents is passive, not a live control channel. AutoJack shatters that assumption by demonstrating that a web page can, in effect, reach back through the agent into whatever it is plugged into.
For security teams, the operational stakes are immediate. Companies that deploy internet‑facing AI agents tied to source‑code repositories, ticketing systems or infrastructure dashboards must now treat those agents as potential remote access points. The fact that an exploit can be triggered by the agent merely loading a page — no user click required — makes it closer to a drive‑by compromise than to traditional social engineering.
Regulators and policymakers watching the rapid integration of generative AI into critical sectors will see AutoJack as an early warning. As banks, utilities, and government agencies experiment with autonomous agents, the line between “assistant” and “privileged user” is blurring. If those agents can be hijacked through routine browsing tasks, then AI safety is no longer only about model bias or hallucinations; it is about whether an AI can be turned, in effect, into an insider threat.
The most memorable lesson from AutoJack is stark: in an AI‑enabled network, any content your agents can read is also a place an attacker can write instructions — unless you design against it.
The key signals to watch now are how quickly vendors of agent frameworks and orchestration tools harden their WebSocket and tool‑calling mechanisms, whether industry standards emerge for authenticating AI‑originated actions, and if major breaches are eventually traced back to AI agents that quietly did exactly what a malicious web page told them to do.
Sources
- OSINT