MCP security vulnerabilities and attack vectors

https://forgecode.dev/blog/prevent-attacks-on-mcp/

157•tested1•1d ago

Comments

Arindam1729•1d ago

Truly, S in MCP stands for Security!

dotancohen•1d ago

The S in SFTP?

The S in SSH?

The S in HTTPS?

The S in MCP?

All stand for the same thing!

I remember when this joke was first applied to IoT.

iotku•1d ago

I do love the joke, but it is worth remembering as well that all of those S were to a certain extent afterthoughts to fix otherwise insecure protocols.

Given how old FTP and HTTP are it's fairly understandable that they weren't initially designed with security in mind, but I think it's valid to question why we're still designing insecure systems in 2025.

amitksingh1490•1d ago

Totally agree, If we have made a mistakes in past we must have learnt from it and when designing a standard specially with AI where the outcome is non deterministic we got be more careful.

dotancohen•20h ago

That's quite the point of the joke. Even today, we still design things that will need an S tacked onto it at some point in the future.

postalrat•1d ago

And P in WFH stands for productive.

amitksingh1490•1d ago

MCP new spec has to an extent covered auth. But the MCPs are yet to adopt to that.

simonw•1d ago

Auth doesn't protect against confused deputy attacks, which is a common problem exposed by MCP and other LLM tool systems. https://en.m.wikipedia.org/wiki/Confused_deputy_problem

bitweis•1d ago

100% - especially when Auth stands for just Authentication. Simple RBAC authorization also won't take us far. But Fine-grained Permissions(e.g. OPA, Cedar, OpenFGA, Permit.io) with ReBAC giving ai-agents Zero standing permissions, and only deriving on the fly the least privilege they need / got consent for, can dramatically reduce the problem

aviralb20•1d ago

MCP adoption is picking up fast.

bigyabai•1d ago

This post is an obvious victim of upvote manipulation. HN should ban the forgecode domain if it's going to abuse submissions like this.

dayjah•1d ago

Can you provide some context for your position? I’m not particularly familiar with ForgeCode. I’m interested in why you think there’s manipulation, and what you mean by “submissions like these”.

tomhow•17h ago

It's true that there were many inorganic upvotes on this submission, made within the first 10-20 minutes by a bot. Maybe bigyabai could see that there was an unusually high vote count for a story that was submitted so recently.

But this just goes to show how futile – indeed counter-productive – this kind of activity is. These votes are easily detected and were ignored, and the submission had enough legit upvotes to make it onto the front page organically. We've penalized the users involved and the domain, as we can't let this kind of attempted abuse go without any consequence.

But also, public callouts like this are against the guidelines and we ask that people let us know via email at hn@ycombinator.com. This allows us to know about it sooner and investigate it thoroughly before making a public comment about it.

joshwarwick15•1d ago

Same root causes again - check out https://simonwillison.net/2025/Jun/16/the-lethal-trifecta/

OldfieldFund•1d ago

This can be easily used to search for seeds/private keys when AI coding agents are in YOLO mode.

ethan_smith•1d ago

The "lethal trifecta" refers to default configurations, excessive permissions, and inadequate authentication - three factors that plague MCP implementations just as they did with earlier technologies.

rvz•1d ago

We have not learned anything from the hundreds of open MongoDB databases without passwords floating around the internet waiting to be breached.

We now have the same with MCP servers in the AI era as documented in [0].

[0] https://news.ycombinator.com/item?id=44604453

spiritplumber•1d ago

MCP clearly needs an independent monitoring program to safeguard it. Let's call it Tron.

chokominto•20h ago

What are the actual exploits that should be tested though?

The AI Mirage

I Once Thought Europeans Lived as Well as Americans. Not Anymore

No. The C++ mascot is not a diseased rat named Keith

Journalist Karen Hao on Sam Altman, OpenAI and the "Quasi-Religious" Push for AI [video]

A curated directory for developers to discover and showcase tech products

Python Maps

Show HN: Rate Reddit – before you get your feelings hurt

The Inerter: A Retrospective

China Moves Forward with $167bn, 70 Gigawatt Dam

AI model converts hospital records into text for better emergency care decisions

The future of climate change may not be what you think

Show HN: NetXDP – Kernel-Level DDoS Protection and Traffic Manager with eBPF/XDP

HTTP/1.1 Must Die – The Desync Endgame Begins

The Epic Battle for AI Talent–With Exploding Offers, Secret Deals and Tears

Hi guys, any thought on this project?

Geocities Backgrounds

How Higher education failed America's poor

this let you deploy your LLM agents into production with one click

Stem cells prioritize wound healing over hair growth

Using Virtual Machines on macOS/Linux with Tart

Ask HN: What is the biggest waste of money?

Transfer.it – effortless file sharing, powered by MEGA

Maybe(?) Composable Continuation in C

Log by time, not by count

Thingiverse is cracking down on gun-related models using a new automated system

China breakthrough in indium selenide (InSe) wafers with perfect stoichiometry

Optics Are Monoids (2021)

Scaling Internationalization in Nuxt and Vue.js: A New Approach with Intlayer

Europe has more heat deaths per year than the United States loses to gun deaths

We don't notice slow improvement