MCP security vulnerabilities and attack vectors

https://forgecode.dev/blog/prevent-attacks-on-mcp/

159•tested1•6mo ago

Comments

Arindam1729•6mo ago

Truly, S in MCP stands for Security!

dotancohen•6mo ago

The S in SFTP?

The S in SSH?

The S in HTTPS?

The S in MCP?

All stand for the same thing!

I remember when this joke was first applied to IoT.

iotku•6mo ago

I do love the joke, but it is worth remembering as well that all of those S were to a certain extent afterthoughts to fix otherwise insecure protocols.

Given how old FTP and HTTP are it's fairly understandable that they weren't initially designed with security in mind, but I think it's valid to question why we're still designing insecure systems in 2025.

amitksingh1490•6mo ago

Totally agree, If we have made a mistakes in past we must have learnt from it and when designing a standard specially with AI where the outcome is non deterministic we got be more careful.

dotancohen•6mo ago

That's quite the point of the joke. Even today, we still design things that will need an S tacked onto it at some point in the future.

postalrat•6mo ago

And P in WFH stands for productive.

amitksingh1490•6mo ago

MCP new spec has to an extent covered auth. But the MCPs are yet to adopt to that.

simonw•6mo ago

Auth doesn't protect against confused deputy attacks, which is a common problem exposed by MCP and other LLM tool systems. https://en.m.wikipedia.org/wiki/Confused_deputy_problem

bitweis•6mo ago

100% - especially when Auth stands for just Authentication. Simple RBAC authorization also won't take us far. But Fine-grained Permissions(e.g. OPA, Cedar, OpenFGA, Permit.io) with ReBAC giving ai-agents Zero standing permissions, and only deriving on the fly the least privilege they need / got consent for, can dramatically reduce the problem

aviralb20•6mo ago

MCP adoption is picking up fast.

bigyabai•6mo ago

This post is an obvious victim of upvote manipulation. HN should ban the forgecode domain if it's going to abuse submissions like this.

dayjah•6mo ago

Can you provide some context for your position? I’m not particularly familiar with ForgeCode. I’m interested in why you think there’s manipulation, and what you mean by “submissions like these”.

tomhow•6mo ago

It's true that there were many inorganic upvotes on this submission, made within the first 10-20 minutes by a bot. Maybe bigyabai could see that there was an unusually high vote count for a story that was submitted so recently.

But this just goes to show how futile – indeed counter-productive – this kind of activity is. These votes are easily detected and were ignored, and the submission had enough legit upvotes to make it onto the front page organically. We've penalized the users involved and the domain, as we can't let this kind of attempted abuse go without any consequence.

But also, public callouts like this are against the guidelines and we ask that people let us know via email at hn@ycombinator.com. This allows us to know about it sooner and investigate it thoroughly before making a public comment about it.

joshwarwick15•6mo ago

Same root causes again - check out https://simonwillison.net/2025/Jun/16/the-lethal-trifecta/

OldfieldFund•6mo ago

This can be easily used to search for seeds/private keys when AI coding agents are in YOLO mode.

ethan_smith•6mo ago

The "lethal trifecta" refers to default configurations, excessive permissions, and inadequate authentication - three factors that plague MCP implementations just as they did with earlier technologies.

rvz•6mo ago

We have not learned anything from the hundreds of open MongoDB databases without passwords floating around the internet waiting to be breached.

We now have the same with MCP servers in the AI era as documented in [0].

[0] https://news.ycombinator.com/item?id=44604453

spiritplumber•6mo ago

MCP clearly needs an independent monitoring program to safeguard it. Let's call it Tron.

chokominto•6mo ago

What are the actual exploits that should be tested though?

Queueing Theory v2: DORA metrics, queue-of-queues, chi-alpha-beta-sigma notation

Show HN: Hibana – choreography-first protocol safety for Rust

Haniri: A live autonomous world where AI agents survive or collapse

GPT-5.3-Codex System Card [pdf]

Atlas: Manage your database schema as code

Geist Pixel

Show HN: MCP to get latest dependency package and tool versions

The better you get at something, the harder it becomes to do

Show HN: WP Float – Archive WordPress blogs to free static hosting

Show HN: I Hacked My Family's Meal Planning with an App

Sony BMG copy protection rootkit scandal

The Future of Systems

NASA now allowing astronauts to bring their smartphones on space missions

Claude Code Is the Inflection Point

Show HN: MicroClaw – Agentic AI Assistant for Telegram, Built in Rust

Show HN: Omni-BLAS – 4x faster matrix multiplication via Monte Carlo sampling

The AI-Ready Software Developer: Conclusion – Same Game, Different Dice

AI Agent Automates Google Stock Analysis from Financial Reports

Voxtral Realtime 4B Pure C Implementation

I Was Trapped in Chinese Mafia Crypto Slavery [video]

U.S. CBP Reported Employee Arrests (FY2020 – FYTD)

Show HN: I built a free UCP checker – see if AI agents can find your store

Show HN: SVGV – A Real-Time Vector Video Format for Budget Hardware

Study of 150 developers shows AI generated code no harder to maintain long term

Spotify now requires premium accounts for developer mode API access

When Albert Einstein Moved to Princeton

Agents.md as a Dark Signal

System time, clocks, and their syncing in macOS

McCLIM and 7GUIs – Part 1: The Counter

So whats the next word, then? Almost-no-math intro to transformer models