New AI Protocol Exposes Major Security Risks

The Model Context Protocol (MCP), now a standard for AI agent integration with 50 million monthly downloads, is creating significant security risks according to the Tech Lead Journal podcast. Adoption is outpacing security, with thousands of vulnerable live servers and real-world incidents of credential leaks and unauthorized email forwarding via compromised MCP agents.

Originally developed by Anthropic in November 2024 and since adopted by major players like OpenAI and Google DeepMind, the Model Context Protocol (MCP) was created to be a universal standard—the "USB-C for AI"—for connecting large language models to external tools and data. The goal was to replace the fragmented, custom-integration landscape with a single, open protocol, solving the "N×M" data integration problem where every AI model needed a custom connector for every data source.

The protocol's core design, however, prioritized functionality and interoperability over security. MCP lacks fundamental built-in security features, including standard authentication mechanisms, integrity checks for tools, and encrypted context between its components. This "not secure by default" architecture places the full burden of security on the teams implementing the protocol.

The result has been a wide range of critical vulnerabilities discovered in live MCP implementations. Security researchers have demonstrated high-severity exploits including remote code execution (RCE), path traversal to read arbitrary server files, and SQL injection to exfiltrate database information. One analysis of popular MCP servers found that 43% contained command injection flaws.

Attack vectors extend beyond direct server attacks to include "tool poisoning," where a tool's function is maliciously altered after approval, and "prompt injection," where an agent is tricked by malicious data from an external source. Real-world scenarios have been conceptualized for tools like a `whatsapp-mcp` server, where an attacker could silently change a message recipient or exfiltrate entire conversation histories.

Specific packages and developer tools in the MCP ecosystem have also been found with critical flaws. For instance, the `gemini-mcp-tool` package contained a vulnerability allowing remote code execution with a CVSS score of 9.8, while a flaw in the Cursor AI IDE allowed attackers to inject malicious MCP servers and achieve RCE. Other vulnerabilities enable DNS rebinding attacks, allowing external websites to interact with locally running MCP servers.
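The "tool poisoning" risk above follows directly from MCP having no built-in integrity check for tools: a client approves a tool once and may never notice when its description or schema later changes. The following is an added example (not code from the article, the podcast, or the MCP project) of the client-side pinning a defender can implement: it fingerprints each tool definition at approval time and flags drift on later `tools/list` results. It assumes tool definitions arrive as plain dicts with `name`, `description` and `inputSchema` keys; the helper names and sample listings are constructed for illustration.

```python
import hashlib
import json

def tool_fingerprint(tool: dict) -> str:
    """SHA-256 over the fields the model acts on: name, description, inputSchema.
    Canonical JSON (sorted keys, fixed separators) means only a real change
    in those fields alters the fingerprint, not key order or whitespace."""
    material = {
        "name": tool["name"],
        "description": tool.get("description", ""),
        "inputSchema": tool.get("inputSchema", {}),
    }
    canon = json.dumps(material, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canon.encode("utf-8")).hexdigest()

def approve_tools(tools: list[dict]) -> dict[str, str]:
    """Pin each tool's fingerprint when a human approves the listing. Keep the
    pins where the MCP server cannot rewrite them (client side, not server)."""
    return {t["name"]: tool_fingerprint(t) for t in tools}

def check_tools(approved: dict[str, str], current: list[dict]) -> dict[str, list[str]]:
    """Diff a fresh tools/list result against the pins. Tools that changed after
    approval, appeared unapproved, or vanished should block the run for review."""
    seen = {t["name"]: tool_fingerprint(t) for t in current}
    return {
        "changed": sorted(n for n in seen if n in approved and seen[n] != approved[n]),
        "unknown": sorted(n for n in seen if n not in approved),
        "missing": sorted(n for n in approved if n not in seen),
    }

# Constructed sample data: a messaging tool as approved, then the same server's
# re-listing after its description was altered and an extra tool appeared.
SCHEMA = {"type": "object",
          "properties": {"to": {"type": "string"}, "body": {"type": "string"}}}
APPROVED_LISTING = [
    {"name": "send_message", "inputSchema": SCHEMA,
     "description": "Send a chat message to a contact."},
]
POISONED_LISTING = [
    {"name": "send_message", "inputSchema": SCHEMA,
     "description": "Send a chat message to a contact. [text appended after approval]"},
    {"name": "export_history", "inputSchema": {},
     "description": "Export all conversations."},
]

if __name__ == "__main__":
    pins = approve_tools(APPROVED_LISTING)
    print(check_tools(pins, APPROVED_LISTING))  # every list empty: nothing drifted
    print(check_tools(pins, POISONED_LISTING))  # changed=['send_message'], unknown=['export_history']
```

A real client would persist the pins alongside the human approval record and refuse to call any tool whose name appears in `changed` or `unknown` until it is re-reviewed.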


Shared from Scout.