frontpage.
newsnewestaskshowjobs

Open Source @Github

fp.

Chatto is now Open Source

https://www.hmans.dev/blog/chatto-is-open-source
337•speckx•3h ago•82 comments

Mistral's Robostral Navigate: a state of the art robotics navigation model

https://mistral.ai/news/robostral-navigate/
288•ottomengis•4h ago•64 comments

What Do We Know About the Microplastics Inside Us?

https://e360.yale.edu/features/cassandra-rauert-interview
28•speckx•56m ago•1 comments

GPT‑Live

https://openai.com/index/introducing-gpt-live/
296•logickkk1•1h ago•217 comments

Decoding the obfuscated bash script on a Uniqlo t-shirt

https://tris.sherliker.net/blog/obfuscated-self-evaluating-bash-script-by-cdn-akamai-being-suppli...
1092•speerer•9h ago•183 comments

SWE-1.7 Reach Near GPT 5.5 and Opus Intelligence

https://cognition.com/blog/swe-1-7
118•mekpro•2h ago•79 comments

Grok 4.5

https://x.ai/news/grok-4-5
110•BoumTAC•39m ago•68 comments

Show HN: Microsoft releases Flint, a visualization language for AI agents

https://microsoft.github.io/flint-chart/#/
22•chenglong-hn•53m ago•9 comments

Cloudflare Meerkat - Globally distributed consensus

https://blog.cloudflare.com/meerkat-introduction/
152•bobnamob•5h ago•31 comments

EU now one step away from reviving private message scanning rules

https://cyberinsider.com/eu-now-one-step-away-from-reviving-private-message-scanning-rules/
105•ggirelli•1h ago•15 comments

OpenBSD has a use-after-free allowing local privilege escalation to root

https://nvd.nist.gov/vuln/detail/cve-2026-57589
159•linggen•5h ago•80 comments

GitLost: We Tricked GitHub's AI Agent into Leaking Private Repos

https://noma.security/blog/gitlost-how-we-tricked-githubs-ai-agent-into-leaking-private-repos/
459•ColinEberhardt•13h ago•177 comments

TypeScript 7

https://devblogs.microsoft.com/typescript/announcing-typescript-7-0/
168•DanRosenwasser•2h ago•47 comments

Show HN: Follow London Trains in 3D

https://ride.nexttrain.london/
91•mgranados•4d ago•30 comments

Understanding B-Tree Indexes in PostgreSQL: A Comprehensive Guide– Part 1

https://medium.com/@devli0/b-tree-indexes-in-postgresql-part-1-theory-eb2668c52520
7•corvus-cornix•2d ago•0 comments

EVE Online's Carbon engine is now open source: Fenris Creations explains why

https://www.gamesindustry.biz/eve-onlines-carbon-engine-is-now-open-source-fenris-creations-expla...
298•Stevvo•4d ago•101 comments

TabFont – guitar tabs rendered as you type

https://philatype.com/tabfont/
42•ChrisArchitect•3d ago•8 comments

Apple to increase spend with Broadcom to produce billions more U.S. chips

https://www.apple.com/newsroom/2026/07/apple-to-increase-spend-with-broadcom-to-produce-billions-...
246•soheilpro•7h ago•199 comments

Japan's Hayabusa2 probe to conduct flyby of Torifune asteroid

https://www3.nhk.or.jp/nhkworld/en/news/20260705_01/
118•dvh•3d ago•14 comments

PlayStation can delete all your digital games after 3 years of inactivity (EU)

https://www.flatpanelshd.com/news.php?subaction=showfull&id=1783340582
24•thewebguyd•54m ago•6 comments

How to Build a Minimal ZFS NAS Without Synology, QNAP, TrueNAS (2024)

https://neil.computer/notes/how-to-setup-minimal-zfs-nas-without-truenas/
311•4diii•14h ago•209 comments

NoiseLang: Where N = 5 is a Dirac delta

https://manualmeida.dev/articles/noiselang/
89•manucorporat•2d ago•43 comments

Geosql: A Claude/Codex skill for geospatial data

https://github.com/dekart-xyz/geosql
105•rzk•10h ago•13 comments

Tenda firmware (multiple versions) contains hidden authentication backdoor

https://kb.cert.org/vuls/id/213560
323•miniBill•18h ago•111 comments

Catastrophe theory; geniuses and maniacs (2011)

http://glassbottomblog.blogspot.com/2011/01/catastrophe-theory-geniuses-and-maniacs.html
15•mbustamanter•3d ago•1 comments

Structure and Interpretation of Computer Programs Video Lectures (1986)

https://ocw.mit.edu/courses/6-001-structure-and-interpretation-of-computer-programs-spring-2005/v...
295•gjvc•18h ago•41 comments

Copy That Floppy – Cambridge guide for preserving data from fragile floppy disks

https://www.digipres.org/the-floppy-guide/
163•whiteblossom•15h ago•63 comments

Every postcard tells a story

https://observer.co.uk/style/features/article/every-postcard-tells-a-story
26•NaOH•3d ago•20 comments

Ants: Who looks after the injured in a colony?

https://www.uni-wuerzburg.de/en/news-and-events/news/detail/news/ameisen-kolonie-verletzte-pflegt/
95•hhs•4d ago•45 comments

GAO: DOE Is Prematurely Excluding Less Expensive Options for Nuclear Cleanup

https://www.gao.gov/products/gao-26-108193
263•Jimmc414•20h ago•140 comments
Open in hackernews

Trust Me, I'm Local: Chrome Extensions, MCP, and the Sandbox Escape

https://blog.extensiontotal.com/trust-me-im-local-chrome-extensions-mcp-and-the-sandbox-escape-1875a0ee4823
148•el_duderino•1y ago

Comments

npace12•1y ago
I built little-rat (chrome extension) a couple of years ago that can track and block traffic from other extensions:

https://github.com/dnakov/little-rat

euazOn•1y ago
Hey, thanks for that, Anon Kode, Anon Codex and other projects, very cool!
npace12•1y ago
also check out the claude-mcp extension, very much related to this post :)
binarymax•1y ago
Wow thanks for building this! Any idea the effort it would take for someone to port this to Firefox?
npace12•1y ago
it's not possible in firefox, that traffic is not visible (at least as of the last time I tried 1.5 years ago)
binarymax•1y ago
Thanks for the info. That's unfortunate, but I can somewhat understand why FF takes that approach.
fluffet•1y ago
Woah, I had no idea. Thanks for the article.

I feel like some cycle phenomenon has been reached here..

The first protocols of the internet were very naive. Why'd you need to encrypt traffic? What do you mean exploit DNS, why would anyone do that?

Then people realised that the internet is a really, really wild place and that won't do.

I suddenly feel old, because this new AI tool era seems to have forgotten that lesson.

I feel it's like watching crypto learn by any% speedrunning why regulations and oversight might be a good in the first place (FTX and such).

I hope the next generation of AI tech/protocols are more robust, trust just doesn't cut it, or we'll see plenty of fingers being burnt at the stove.

deadbabe•1y ago
In early days it's always best to push security risk onto users in a bid to gain as much market share as possible. By the time they realize they've been screwed, technology will have matured and you can hand wave those old criticisms away, and even trumpet them as new innovations and upgrades.
dowager_dan99•1y ago
I did a presentation on AI Agents from the perspective of an AI newbie and one of my comments/conclusions was that it felt like releasing a browser from 2000 in the middle of today's scary 2025 environment. MCP and similar are missing 20+ years of responding to new and emerging threats, and the hype men (executives everywhere) don't realize, care or have the ability to respond.
outworlder•1y ago
Is the presentation public?
esafak•
OsrsNeedsf2P•1y ago
https://archive.is/HQMBa
telotortium•1y ago
Literally nothing here is specific to MCP - it all has to do with the fact that Chrome extensions can make HTTP connections to localhost ports, which could be running any kind of server. This is not an unrestricted backdoor either - Chrome extensions already need permissions in the manifest to talk to localhost, except via content scripts, which run in the context of the website and so could be served by the website without any extension installed.
kypro•1y ago
Yeah, that's exactly what I took away from this too... I get why it's worth noting MCP servers in the article since these could provide a large attack vector, but it seems odd to focus on that as if that is the core security vulnerability here.

I guess the bit I'm more surprised about is why Chrome extensions are even allowed to make localhost connections without requesting user approval? Is the assumption that everything running locally must be safe? What am I missing here?

nightpool•1y ago
I mean, the core security vulnerability explained here is that MCP does not expose / allow for any kind of authentication or user consent before accessing your computer's most sensitive resources, like a terminal or list of private Slack messages. Spotify, 1Password, or other services on your computer that use `localhost` do not have the same issue.

This would be a non-issue if some kind of simple origin-authenticated token exchange was built into the protocol itself.

cruffle_duffle•1y ago
How could it? The agent calling into the MCP server is the one exposing an interface to the end user. It’s the agents job to prompt the user (and both Claude desktop and cursor do).

It’s the “system administrator”’s job to make sure the MCP is running at the right privilege level with correct data access levels. The MCP server can’t stop somebody from running it as root the same way any other program can’t.

At the end of the day the MCP should be treated as an extension of the user. Whatever the user can do, so too can the MCP server. (I mean, this isn’t technically true.. you can run the MCP under its own account or inside some sandbox… this will probably start to happen soon enough)

OsrsNeedsf2P•1y ago
Lots of people think MCP is a case of "wow, how did we forget basic security", but I wonder if there were other competitors that MCP beat _because_ they had security friction.
rvz•1y ago
Every time a startup uses an MCP server in their product software offering or even offers their own, I can only see the number of security consultants waiting for a massive payout when an LLM causes a security incident.
brap•1y ago
I still don’t understand why we even need a new protocol when we already have something like the OpenAPI spec, which can also be used to describe common authentication mechanisms like OAuth2. And it supports almost every existing API out of the box.

Granted it doesn’t separate between “resources”, “tools” and “prompts” but I think the line is blurry anyway.

And yes it can be used locally.

cruffle_duffle•1y ago
I think people who consider Open API to be a “competitor” to MCP haven’t really played with MCP.

MCP is a tool calling protocol. Models are trained on it as a way to do stuff outside their sandbox. OpenAPI isn’t a tool calling protocol but more of a schema to describe interfaces.

You could write an MCP that exposes an OpenAPI compatible set of interfaces, but you couldn’t write an OpenAPI thing to call… well… anything. OpenAPI doesn’t cover the actual tool calling.

In addition, even if OpenAPI would work it’s massive and contains a ton of extra “stuff” that would overwhelm the models precious context window. Unless the OpenAPI schema was explicitly intended for LLM consumption, the results will be a mixed bag as the LLM will have to spend half its time making sense of the schema. A well designed MCP might take an OpenAPI endpoint suite and wrap it in thoughtful tool calls so the LLM doesn’t have to parse a giant schema doc (also… the LLM actually needs to make the HTTP call and guess how it will do that? Why though MCP of course!)

By contrast, MCP tools expose a slender LLM optimized interface that requires little “thought” to call.

Honestly though, comparing OpenAPI to MCP is a bit like comparing an xml schema to curl. They are completely different. MCP is for tool calling. It’s how you expose… well… anything from calling into your shell to looking something up in your database. The only similarity is that MCP exposes a schema to the model to tell it what kinds of tool calls the model can make. And did you read the spec I’d imagine said schema looks a wee bit like OpenAPI (wouldn’t know as I haven’t looked though).

Seriously. Go write an MCP for something you think would be cool. Like go write an MCP for Claude that connects to your logging and lets Claude search the logs in a more structured way. Make something like “find_request(request_id)” and then let your code do all the searching and have it return the relevant logs. Watch as the model doesn’t have to spend a billion tokens figuring out your database schema, how to grep, etc… good MCP’s do all the grunt work so the LLM can focus on your task and not spend tons of time bootstrapping. The entire exercise won’t even take a half day and you’ll have yourself a cool new tool that saves you time.

In short, MCP and OpenAPI are two entirely different concepts.

bhelx•1y ago
This is the first i've heard of people using the SSE transport locally. What purpose what that serve? Is this by design because the chrome extension could not talk to it otherwise?

BTW, you should really run your MCP servers in a sandboxed environment, esp if they don't need to do things like `exec` or read from the filesystem. We do this with the https://mcp.run ecosystem by wrapping them in wasm. Because they are wasm you could also run them right in the chrome extension!

olalonde•1y ago
So do we add authentication to MCP servers or does Chrome fix this by restricting unauthorized calls to localhost?
gitroom•1y ago
bruh this stuff honestly makes my head spin - feels like were all relearning the same old security lessons
_pdp_•1y ago
Also, credentials scattered in clear text inside the MCP configuration. They forgot how to do security!
babyshake•1y ago
Is it correct that this exploit would not be possible with streamable HTTP MCP servers? I'd imagine that fairly soon every MCP server that does not need filesystem access will use this transport method unless there is some reason why STDIO/SSE would be needed instead. Can anyone confirm if this is the case and if they agree or disagree with this assessment?
fpoling•1y ago
Any service running on local should reject HTTP requests with Origin header as those are generated from browser JS API. In addition requests with UserAgent should also be typically be rejected.
rafram•1y ago
> In addition requests with UserAgent should also be typically be rejected.

No, all HTTP clients set User-Agent.

happyopossum•1y ago
This isn’t an MCP issue though - if you were running a webserver, or any application that listens on localhost that happens to have vulnerabilities, an extension could hit those too.

Literally nothing about MCP makes this easier or worse

skybrian•1y ago
I guess the security hole is that “allow connecting to localhost” might sound like an innocuous permission, but it becomes increasingly risky as you run more servers on local ports that have no other protection.

The permission itself doesn’t tell you anything about what powers it might grant. You need to know how all your local processes work to determine that, and most people have no idea.

It’s too generic for users to make reasonable decisions about. And that means that servers on localhost really should have authentication. Connecting client A to server B should be explicit.

zharknado•1y ago
Great observation! The legibility or the permission grant matters a lot.
ttoinou•1y ago
Sooo we just need a new standard MCPS (MCP Secure connections), right ?
ramoz•1y ago
The cyber industry is having a ball exposing standard security practice issues under the guise of “new zero day AI vulnerabilities” - esp with MCP.

Nothing here is new. If you run local apps with open connections and no CORS then anything on your device and potentially network can talk to that app.

vovkasm•1y ago
There is nothing specific to MCP here. But that doesn’t mean there’s no problem. The real problem is that OS does not contain a convenient for users and reliable access control mechanism for local TCP connections (at least at the per-application level of granularity). Would such a mechanism existed, the user could allow connections to its MCP only to the necessary applications. There is already many apps providing local servers, all of them is potential point of attack for bad actors in system: ollama, syncthing, adb, gradle, various torrent clients with web interface, media players, etc...
1y ago
It's a new technology so it is understandable that practitioners are not aware of the security best practices, like https://genai.owasp.org/

Also, the security tooling is still nascent.

Dylan16807•1y ago
The problem isn't the permissions the MCP has, it's about whose orders it obeys.

Many other programs on the system aren't an extension of the user. And they can access ports.

How could it do authentication? Easily. The most basic option is for the server to put a secret token in your user folder, so only code with access to that token can talk to it.

On Linux it can be even simpler. Don't attach the server to a port, attach it to a socket file.

marcus_holmes•1y ago
It's crazy that, after all our experience with this, we're implementing another protocol that doesn't have any auth built in.

You'd think the last 30+ years of regret and hacky attempt to add auth to email and http (as just the top two to come to mind) hadn't happened.

maple3142•1y ago
I think the reason is that MCP also works over a pipe (stdio), which does not need authentication.
nightpool•1y ago
It doesn't need it if this vulnerability is the only one you're worried about (remote websites), but it'd be nice to have it before letting it use e.g. your Github account. This is how VS Code extensions work, for example, and it's pretty nice
fluffet•1y ago
I take away that the combination is the problem. Bleach and ammonia isn't so bad on their own, but mixing the two is not a good idea. MCP would provide crazy attack vectors.

Especially if you could ask another AI "I have access to an MCP running on a Victim computer with these tools. What can you do with them?" => "Well, start by reading .ssh/id_rsa and I'd look for any crypto wallets. Then you can move on to reading personal files for blackmailing or sniff passwords..." and just let it "do its thing" as an attacking agent in an automated way. It could be automated which creeps me out!

eMPee584•1y ago
Don't you give THEM ideas!
im3w1l•1y ago
My intuition tells me that blackmailing at scale has the potential to be quite terrifying if you ask for favors that each seem innocent enough on their own. E.g. one favor may be as simple as asking the guy walking his dog to delay it for half an hour. He will surely comply without hesitation. But hidden reason was that he would otherwise witness a murder.