MCP security vulnerabilities and attack vectors

https://forgecode.dev/blog/prevent-attacks-on-mcp/

159•tested1•6mo ago

Comments

Arindam1729•6mo ago

Truly, S in MCP stands for Security!

dotancohen•6mo ago

The S in SFTP?

The S in SSH?

The S in HTTPS?

The S in MCP?

All stand for the same thing!

I remember when this joke was first applied to IoT.

iotku•6mo ago

I do love the joke, but it is worth remembering as well that all of those S were to a certain extent afterthoughts to fix otherwise insecure protocols.

Given how old FTP and HTTP are it's fairly understandable that they weren't initially designed with security in mind, but I think it's valid to question why we're still designing insecure systems in 2025.

amitksingh1490•6mo ago

Totally agree, If we have made a mistakes in past we must have learnt from it and when designing a standard specially with AI where the outcome is non deterministic we got be more careful.

dotancohen•6mo ago

That's quite the point of the joke. Even today, we still design things that will need an S tacked onto it at some point in the future.

postalrat•6mo ago

And P in WFH stands for productive.

amitksingh1490•6mo ago

MCP new spec has to an extent covered auth. But the MCPs are yet to adopt to that.

simonw•6mo ago

Auth doesn't protect against confused deputy attacks, which is a common problem exposed by MCP and other LLM tool systems. https://en.m.wikipedia.org/wiki/Confused_deputy_problem

bitweis•6mo ago

100% - especially when Auth stands for just Authentication. Simple RBAC authorization also won't take us far. But Fine-grained Permissions(e.g. OPA, Cedar, OpenFGA, Permit.io) with ReBAC giving ai-agents Zero standing permissions, and only deriving on the fly the least privilege they need / got consent for, can dramatically reduce the problem

aviralb20•6mo ago

MCP adoption is picking up fast.

bigyabai•6mo ago

This post is an obvious victim of upvote manipulation. HN should ban the forgecode domain if it's going to abuse submissions like this.

dayjah•6mo ago

Can you provide some context for your position? I’m not particularly familiar with ForgeCode. I’m interested in why you think there’s manipulation, and what you mean by “submissions like these”.

tomhow•6mo ago

It's true that there were many inorganic upvotes on this submission, made within the first 10-20 minutes by a bot. Maybe bigyabai could see that there was an unusually high vote count for a story that was submitted so recently.

But this just goes to show how futile – indeed counter-productive – this kind of activity is. These votes are easily detected and were ignored, and the submission had enough legit upvotes to make it onto the front page organically. We've penalized the users involved and the domain, as we can't let this kind of attempted abuse go without any consequence.

But also, public callouts like this are against the guidelines and we ask that people let us know via email at hn@ycombinator.com. This allows us to know about it sooner and investigate it thoroughly before making a public comment about it.

joshwarwick15•6mo ago

Same root causes again - check out https://simonwillison.net/2025/Jun/16/the-lethal-trifecta/

OldfieldFund•6mo ago

This can be easily used to search for seeds/private keys when AI coding agents are in YOLO mode.

ethan_smith•6mo ago

The "lethal trifecta" refers to default configurations, excessive permissions, and inadequate authentication - three factors that plague MCP implementations just as they did with earlier technologies.

rvz•6mo ago

We have not learned anything from the hundreds of open MongoDB databases without passwords floating around the internet waiting to be breached.

We now have the same with MCP servers in the AI era as documented in [0].

[0] https://news.ycombinator.com/item?id=44604453

spiritplumber•6mo ago

MCP clearly needs an independent monitoring program to safeguard it. Let's call it Tron.

chokominto•6mo ago

What are the actual exploits that should be tested though?

OpenCiv3: Open-source, cross-platform reimagining of Civilization III

The Waymo World Model

How we made geo joins 400× faster with H3 indexes

Show HN: Look Ma, No Linux: Shell, App Installer, Vi, Cc on ESP32-S3 / BreezyBox

Monty: A minimal, secure Python interpreter written in Rust for use by AI

Unseen Footage of Atari Battlezone Arcade Cabinet Production

Show HN: I spent 4 years building a UI design tool with only the features I use

Microsoft open-sources LiteBox, a security-focused library OS

Dark Alley Mathematics

Sheldon Brown's Bicycle Technical Info

Hackers (1995) Animated Experience

Delimited Continuations vs. Lwt for Threads

Show HN: If you lose your memory, how to regain access to your computer?

PC Floppy Copy Protection: Vault Prolok

An Update on Heroku

What Is Ruliology?

How to effectively write quality code with AI

Why I Joined OpenAI

Show HN: ARM64 Android Dev Kit

Female Asian Elephant Calf Born at the Smithsonian National Zoo

Learning from context is harder than we thought

Show HN: R3forth, a ColorForth-inspired language with a tiny VM

I spent 5 years in DevOps – Solutions engineering gave me what I was missing

Introducing the Developer Knowledge API and MCP Server

Understanding Neural Network, Visually

I now assume that all ads on Apple news are scams

Zlob.h 100% POSIX and glibc compatible globbing lib that is faste and better

FORTH? Really!?

Show HN: Smooth CLI – Token-efficient browser for AI agents

WebView performance significantly slower than PWA