AutoJack Attack Lets One Web Page Hijack AI Agent for Host Code Execution
Microsoft researchers detailed an exploit chain named AutoJack on March 19, 2024, in which a single web page can hijack an AI browsing agent and achieve code execution on the host. The attack directs the agent to load a malicious web page. Once the page is loaded, its JavaScript reaches a privileged local service running on the same machine and uses it to spawn a process on the host. No credentials, sign-in screen, or further user interaction is required once the agent has navigated to the page.

The chain abuses the agent's ability to interact with local services, which are commonly assumed to be safe precisely because they are only reachable locally. The researchers showed that the service can be driven to execute arbitrary commands on the user's machine, a serious risk for agents built to browse the web while also touching local resources.

AutoJack exposes a gap in the architecture of AI browsing agents, which often run with elevated privileges to get their tasks done. The finding underscores the need for robust sandboxing and access controls for agents that handle untrusted web content while also having access to local system services.
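As an added defensive illustration, not code from the Microsoft research or from the article, the snippet below shows the check a privileged localhost service needs so that "only reachable locally" stops being its sole protection: a request carrying a browser `Origin` from a remote site, a non-loopback `Host`, or no valid bearer token is refused before anything is executed. The port, token, allowed origins and handler path are constructed assumptions.

```python
"""Localhost service hardening sketch: reject browser cross-site requests
and unauthenticated callers instead of trusting that 'local' means 'safe'."""
import hmac
from http.server import BaseHTTPRequestHandler

# Constructed example values (assumptions, not from the article).
ALLOWED_ORIGINS = {"http://127.0.0.1:8765", "http://localhost:8765"}
ALLOWED_HOSTS = {"127.0.0.1:8765", "localhost:8765"}
SHARED_TOKEN = "example-token-replace-at-install"


def authorize(headers: dict, token: str = SHARED_TOKEN) -> tuple[bool, str]:
    """Return (allowed, reason) for one incoming HTTP request's headers."""
    h = {k.lower(): v for k, v in headers.items()}
    # 1. The Host header must name the loopback service itself; a request
    #    addressed to any other hostname is not one a local client would send.
    if h.get("host", "") not in ALLOWED_HOSTS:
        return False, "host header is not a loopback name"
    # 2. Browsers attach Origin (and Sec-Fetch-Site) to cross-site fetch/XHR,
    #    so JavaScript running in a web page from another site is caught here
    #    even though the TCP connection itself comes from 127.0.0.1.
    origin = h.get("origin")
    if origin is not None and origin not in ALLOWED_ORIGINS:
        return False, f"cross-origin browser request from {origin}"
    if h.get("sec-fetch-site") == "cross-site":
        return False, "Sec-Fetch-Site reports a cross-site request"
    # 3. Locality is still not identity: require a per-install secret that a
    #    web page cannot know, compared in constant time.
    auth = h.get("authorization", "")
    if not auth.startswith("Bearer ") or not hmac.compare_digest(auth[7:], token):
        return False, "missing or invalid bearer token"
    return True, "ok"


class Handler(BaseHTTPRequestHandler):
    """Minimal handler: every state-changing endpoint goes through authorize()."""

    def do_POST(self):
        allowed, reason = authorize(dict(self.headers))
        self.send_response(200 if allowed else 403)
        self.end_headers()
        self.wfile.write(reason.encode())
        # Only after 'allowed' would a real service dispatch the requested action.
```

Serve `Handler` with `http.server.HTTPServer(("127.0.0.1", 8765), Handler)`; binding to loopback remains necessary but, as the attack above shows, it is not sufficient on its own.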
Original source: read the full reporting on The Hacker News.