[HN Gopher] MCP Security Vulnerabilities and Attack Vectors
       ___________________________________________________________________
        
       MCP Security Vulnerabilities and Attack Vectors
        
       Author : tested1
       Score  : 130 points
       Date   : 2025-07-19 18:14 UTC (4 hours ago)
        
 (HTM) web link (forgecode.dev)
 (TXT) w3m dump (forgecode.dev)
        
       | Arindam1729 wrote:
       | Truly, S in MCP stands for Security!
        
         | dotancohen wrote:
         | The S in SFTP?
         | 
         | The S in SSH?
         | 
         | The S in HTTPS?
         | 
         | The S in MCP?
         | 
         | All stand for the same thing!
         | 
         | I remember when this joke was first applied to IoT.
        
           | iotku wrote:
           | I do love the joke, but it is worth remembering as well that
           | all of those S were to a certain extent afterthoughts to fix
           | otherwise insecure protocols.
           | 
           | Given how old FTP and HTTP are it's fairly understandable
           | that they weren't initially designed with security in mind,
           | but I think it's valid to question why we're still designing
           | insecure systems in 2025.
        
       | amitksingh1490 wrote:
        | MCP's new spec has to an extent covered auth. But the MCPs are yet
        | to adopt it.
        
         | simonw wrote:
         | Auth doesn't protect against confused deputy attacks, which is
         | a common problem exposed by MCP and other LLM tool systems.
         | https://en.m.wikipedia.org/wiki/Confused_deputy_problem
        
           | bitweis wrote:
            | 100% - especially when Auth stands for just Authentication.
            | Simple RBAC authorization also won't take us far. But fine-
            | grained permissions (e.g. OPA, Cedar, OpenFGA, Permit.io) with
            | ReBAC, giving AI agents zero standing permissions and only
            | deriving on the fly the least privilege they need / got
            | consent for, can dramatically reduce the problem.
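The zero-standing-permissions model bitweis describes, as an added example that is not from the thread and not the code of any product named above (OPA, Cedar, OpenFGA, Permit.io): a small in-process reference monitor that sits between an agent and its MCP tools. The agent holds no permission of its own; every call must match a short-lived, task-scoped consent grant from a user, and the grant only authorizes objects on which that user themselves holds the required relationship (the ReBAC part). That last check is what blunts the confused-deputy case simonw raises: an injected instruction to read another user's repository fails even under a broad grant, because the consenting user has no relation to it. The relationship tuples, tool names, grant shape and clock are constructed for this example.

```python
import fnmatch
import time
from dataclasses import dataclass

# ReBAC-style relationship tuples: (subject, relation, object).
# Constructed sample data for this example.
RELATIONS = {
    ("alice", "owner", "repo:alice/website"),
    ("alice", "viewer", "repo:acme/internal"),
    ("bob", "owner", "repo:bob/secrets"),
}

# Relation a user must hold on the target object for each tool action.
REQUIRED_RELATION = {
    "read_file": {"owner", "viewer"},
    "write_file": {"owner"},
    "run_shell": {"owner"},
}


@dataclass
class Grant:
    """Short-lived, task-scoped consent a user gave to an agent.
    No grant means no permission: the agent has zero standing rights."""
    user: str
    agent: str
    tools: set
    object_pattern: str   # glob over object ids, e.g. "repo:alice/*"
    expires_at: float


@dataclass
class ToolRequest:
    agent: str
    tool: str
    obj: str


@dataclass
class Decision:
    allowed: bool
    reason: str


class ReferenceMonitor:
    """Authorizes each tool call by deriving least privilege on the fly
    from (consent grant) x (consenting user's own relations)."""

    def __init__(self, relations, now=time.time):
        self.relations = set(relations)
        self.grants = []
        self.now = now          # injectable clock so expiry is testable
        self.audit = []         # every decision is logged for detection/review

    def consent(self, user, agent, tools, object_pattern, ttl_seconds):
        grant = Grant(user, agent, set(tools), object_pattern,
                      self.now() + ttl_seconds)
        self.grants.append(grant)
        return grant

    def _has_relation(self, user, obj, relations):
        return any((user, rel, obj) in self.relations for rel in relations)

    def authorize(self, req):
        decision = self._decide(req)
        self.audit.append((req, decision))
        return decision

    def _decide(self, req):
        live = [g for g in self.grants
                if g.agent == req.agent and g.expires_at > self.now()]
        if not live:
            return Decision(False, "no active consent grant for agent")
        matching = [g for g in live
                    if req.tool in g.tools
                    and fnmatch.fnmatchcase(req.obj, g.object_pattern)]
        if not matching:
            return Decision(False, "request outside consented tool/object scope")
        needed = REQUIRED_RELATION.get(req.tool)
        if needed is None:
            return Decision(False, "unknown tool")
        # Confused-deputy guard: the agent never gets more than the consenting
        # user holds, so a grant cannot be leveraged against someone else's objects.
        for g in matching:
            if self._has_relation(g.user, req.obj, needed):
                return Decision(True, f"derived from {g.user}'s relation on {req.obj}")
        return Decision(False, "consenting user lacks the required relation on object")


if __name__ == "__main__":
    monitor = ReferenceMonitor(RELATIONS)
    monitor.consent("alice", "agent1", {"read_file", "write_file"}, "repo:*", 600)
    for req in (ToolRequest("agent1", "write_file", "repo:alice/website"),
                ToolRequest("agent1", "read_file", "repo:bob/secrets")):
        print(req, "->", monitor.authorize(req))
```

The audit list is the other half of the story: because every denied request is recorded with its reason, a burst of "outside consented scope" or "lacks the required relation" decisions from one agent is a usable signal that a tool result or prompt is steering it somewhere the user never asked for.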
        
       | aviralb20 wrote:
       | MCP adoption is picking up fast.
        
       | bigyabai wrote:
       | This post is an obvious victim of upvote manipulation. HN should
       | ban the forgecode domain if it's going to abuse submissions like
       | this.
        
         | dayjah wrote:
         | Can you provide some context for your position? I'm not
         | particularly familiar with ForgeCode. I'm interested in why you
         | think there's manipulation, and what you mean by "submissions
         | like these".
        
       | joshwarwick15 wrote:
       | Same root causes again - check out
       | https://simonwillison.net/2025/Jun/16/the-lethal-trifecta/
        
         | OldfieldFund wrote:
         | This can be easily used to search for seeds/private keys when
         | AI coding agents are in YOLO mode.
        
         | ethan_smith wrote:
         | The "lethal trifecta" refers to default configurations,
         | excessive permissions, and inadequate authentication - three
         | factors that plague MCP implementations just as they did with
         | earlier technologies.
        
       | rvz wrote:
       | We have not learned anything from the hundreds of open MongoDB
       | databases without passwords floating around the internet waiting
       | to be breached.
       | 
       | We now have the same with MCP servers in the AI era as documented
       | in [0].
       | 
       | [0] https://news.ycombinator.com/item?id=44604453
        
       | spiritplumber wrote:
       | MCP clearly needs an independent monitoring program to safeguard
       | it. Let's call it Tron.
        
       ___________________________________________________________________
       (page generated 2025-07-19 23:00 UTC)