This MCP Server Trick Can Steal Your API Keys and more—Watch Out!

Key Concepts

• Model Context Protocol (MCP)
• MCP Client and Server Architecture
• Tool Poisoning Attacks
• Shadowing Attacks
• MCP Rug Pulls
• Tool Descriptions
• LLM Context Injection
• Client-Side Security
• Server-Side Security
• Sanitization
• Tool and Packaging Pinning
• Cross-Server Protection

MCP Security Risks: Tool Poisoning Attacks

Introduction to MCP Architecture

The video discusses security risks associated with Model Context Protocol (MCP) servers. MCP consists of two main components: a client and a server. The server provides access to tools, resources, and prompts (predefined templates for AI interactions). The most critical aspect is the "tool definition," which allows tools to perform actions like API calls and code execution, making them vulnerable to malicious activities.

Understanding the Interaction Between Host and MCP Server

The interaction involves three components:

1. AI Assistant/Host: Runs the AI application.
2. MCP Client: Manages communication.
3. MCP Server: Contains tool definitions, resources, and prompts.

The process involves sending a connection request to the MCP server. The server returns a list of tools with their definitions. Malicious instructions can be hidden within these tool descriptions, instructing the LLM to retrieve sensitive information (API keys, SSH keys, etc.). This malicious tool description is then injected into the LLM's context.

Tool Poisoning Attack Explained

The video highlights a "tool poisoning" attack, as described in Luca's blog post. This attack exploits the LLM's tendency to trust tool descriptions.

Example: A tool designed to add two numbers includes a hidden instruction to read a file (e.g., cursor/mcp.json) and pass its contents as a side note. The user, seeing a seemingly benign addition operation, might approve the action without realizing that sensitive information (e.g., RSA keys) is being transmitted in the background.

MCP Security Notification: Tool Poisoning Attacks

The video references a blog post that details tool poisoning attacks, which occur when malicious instructions are embedded within MCP tool descriptions, invisible to the user but visible to the AI model. The MCP security model assumes tool descriptions are trustworthy, but attackers can craft descriptions that instruct AI models to access and transmit sensitive data while concealing these actions.

Attack Vectors and Examples

• Retrieving Sensitive Information: The attack can access SSH private keys and transmit the data via a side parameter.
• Attacking Cursor with Tool Poisoning: The video demonstrates how the same tool description can be used to attack cursor, modifying the sidenote description to transmit sensitive information (SSH keys).
• MCP Rug Pulls: Malicious actors can change tool descriptions after the client has already approved them. This means that even if a user initially trusts a server, they can still be vulnerable to attacks if the server later modifies the tool description to include malicious instructions.
• Shadowing Tool Description with Multiple Servers: This attack allows a malicious actor on one MCP server to access data on another MCP server. This makes authentication hijacking possible, where credentials from one server are secretly passed to another one.

Example: A trusted server provides a tool for sending emails, while a malicious server provides a bogus tool for adding numbers. The "add numbers" tool contains a shadowing attack in its tool description, modifying the behavior of the "send email" tool to send all emails to a specific address.

Mitigation Strategies

The video outlines several mitigation strategies:

1. Clear UI Patterns: Expose the tool description to the user so they know what the tool is supposed to do. Use different UI elements or colors to indicate which parts of the tool description are visible to the AI model.
2. Tool and Packaging Pinning: Clients should pin the version of the MCP server and its tools to prevent unauthorized changes. Use a hash or checksum to verify the integrity of the tool description before executing it.
3. Cross-Server Protection: Implement stricter boundaries and data flow controls between different MCP servers.

Additional Security Considerations

• Vetting MCP Servers and Tools: Thoroughly vet every MCP server and tool before interacting with it.
• Cursor Rules: Be cautious when downloading cursor rules from different sources, as they may contain security vulnerabilities.
• Prompt Injection: Be aware of prompt injection attacks, which are a real problem with LLMs.
• Good Software Security Practices: Adhere to good software security practices to mitigate risks.

Notable Quotes

• "MCP is all fun until you add this one malicious MPCB server and forget about it" - Luca
• "MCP security model assumes the tool descriptions are trustworthy and benign"
• "Combined with the MCP rugpool this means that a malicious server can hijack an agent without ever appearing explicitly in agents userfacing interaction log in which only trusted tools would be used"

Technical Terms Explained

• Model Context Protocol (MCP): A protocol that enables users to add new tools and capabilities into agentic systems using a plug-in-like architecture based on MCP servers.
• Tool Definition: A description of what a tool does, including its inputs, outputs, and any side effects.
• LLM Context: The information that an LLM uses to understand and respond to a user's request.
• Prompt Injection: A type of attack where an attacker injects malicious prompts into an LLM to manipulate its behavior.
• Sanitization: The process of removing or modifying potentially harmful data from a tool description or other input.
• Shadowing Attack: An attack where a malicious tool modifies the behavior of a trusted tool.
• MCP Rug Pull: An attack where a malicious server changes the tool description after the client has already approved it.

Synthesis/Conclusion

The video emphasizes the significant security risks associated with MCP servers, particularly tool poisoning and shadowing attacks. It highlights the importance of client-side security measures, including sanitization, tool pinning, and cross-server protection. By implementing these strategies and adhering to good software security practices, developers can mitigate the risks and leverage the opportunities presented by MCPs. The key takeaway is to be vigilant and thoroughly vet all MCP servers and tools before integrating them into applications.