As is the article feels a bit light on details. I'm not surprised that there are open servers out there, but if you're writing an article about that, at least provide interesting details.

Here we go again.

Before we had seen (and there still) MongoDB databases exposed all over the internet with zero credentials protecting them. (you can just connect to them and you are in.)

Now we have exposed MCP servers waiting to be prompt injected and their data to be exfiltrated from say, a connected service or database if they are connected to any. [0]

So now you can just talk to anyone's exposed MCP server and ask for the secret passwords, environment variables and sensitive data.

And the AI will just hand it all over.

[0] https://news.ycombinator.com/item?id=44507024

In that case, limiting the remote IPs would also be useful. I haven't played around with MCP, but it's on my todo list.

That said, it’s still surprising (and a little funny) to see how fast these things end up public. Probably lots of default setups left running without realizing they’re wide open.

I mean, MCP servers have tons of sec vulnerabilities but "showing you their schema" and "having bugs" aren't vulns.

The tool listings are not necessarily a secret, so not sure how this is "exposed". We have a public MCP, anyone can read our tool listings, but to actually use the tools you need to authenticate.

At this point I'm convinced it's not possible to predict this with MCP servers (or LLMs generally). You just don't know what it's definitively going to do when you poke it, even with a simple question like "What do you do".