Serious security risks are associated with MCP servers
MCP is really taking off online, and for good reason — people are finding all sorts of uses for it. But here’s the thing: lately, folks have started to notice that MCP servers aren’t as secure as they seemed.
As a matter of fact, MCP servers are not at all secure.
If you are still new to MCP servers, here is a good read:
What is the Model Context Protocol (MCP)?
But why are MCP servers dangerous?
To understand the perils, you first need to understand what an MCP server is and how it works.
What Are MCP Servers?
MCP Servers are like specialized butlers that act as bridges between AI models and external resources. They provide specific capabilities, such as accessing files, interacting with databases, or using APIs. Each MCP server focuses on a particular task, making it easy for AI to use these tools without needing custom code for every service.
How MCP Servers Work
- Connection: The AI (acting as an MCP client) connects to an MCP server.
- Tool Discovery: The server tells the AI what tools or data sources it can access.
- Communication: They communicate using a lightweight protocol called JSON-RPC 2.0, which allows fast and dynamic exchanges.
For example, if an AI needs to fetch data from a database:
- The AI asks the MCP server for the latest sales data.
- The MCP server translates the request into a database query.
- It executes the query and sends the results back to the AI.
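The sales-data exchange above, written out as an added example (not code from the original post or from any MCP SDK): a minimal server that answers the two JSON-RPC 2.0 methods involved, tools/list for discovery and tools/call for execution, plus the client-side request builder. The tool name `latest_sales`, the in-memory table and the 30-day bound are assumptions made for the example.

```python
import json
import sqlite3

# Constructed in-memory table standing in for the "sales data" in the text.
db = sqlite3.connect(":memory:")
db.execute("CREATE TABLE sales (day TEXT, amount REAL)")
db.executemany("INSERT INTO sales VALUES (?, ?)",
               [("2024-05-01", 120.0), ("2024-05-02", 80.5), ("2024-05-03", 42.0)])

# Advertised in tools/list. The description is free text the model reads verbatim.
TOOLS = [{"name": "latest_sales",
          "description": "Return sales totals for the most recent N days.",
          "inputSchema": {"type": "object",
                          "properties": {"days": {"type": "integer"}},
                          "required": ["days"]}}]

def run_latest_sales(args):
    days = int(args["days"])
    if not 1 <= days <= 30:  # server-side limit, enforced regardless of the schema
        raise ValueError("days must be between 1 and 30")
    rows = db.execute("SELECT day, amount FROM sales ORDER BY day DESC LIMIT ?",
                      (days,)).fetchall()
    return [{"day": d, "amount": a} for d, a in rows]

def handle(request_json):
    """Server side: dispatch one JSON-RPC 2.0 request, return the JSON-RPC response."""
    req = json.loads(request_json)
    rid = req.get("id")
    try:
        if req["method"] == "tools/list":
            result = {"tools": TOOLS}
        elif req["method"] == "tools/call":
            params = req["params"]
            if params["name"] != "latest_sales":
                raise KeyError(f"unknown tool {params['name']}")
            rows = run_latest_sales(params.get("arguments", {}))
            result = {"content": [{"type": "text", "text": json.dumps(rows)}]}
        else:
            return json.dumps({"jsonrpc": "2.0", "id": rid,
                               "error": {"code": -32601, "message": "Method not found"}})
        return json.dumps({"jsonrpc": "2.0", "id": rid, "result": result})
    except (KeyError, ValueError, TypeError) as exc:
        return json.dumps({"jsonrpc": "2.0", "id": rid,
                           "error": {"code": -32602, "message": f"Invalid params: {exc}"}})

def rpc(method, params=None, rid=1):  # client side: what the AI would send
    req = {"jsonrpc": "2.0", "id": rid, "method": method}
    if params is not None:
        req["params"] = params
    return json.loads(handle(json.dumps(req)))
```

Nothing in this exchange checks the description text itself, which is exactly the gap the risks below exploit.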
1. Hidden Malicious Instructions in Tools (Tool Poisoning)
Attackers can hide harmful commands in the MCP tool descriptions. These instructions are invisible to users but can trick AI models into doing dangerous things.
- A tool description might look normal (e.g., “Analyze this file”), but the AI could secretly copy sensitive files (like passwords or customer data) and send them to hackers.
- Attackers might hide code to delete files or steal data behind a simple-sounding task like “Update settings.”
2. Users Can’t See Hidden Risks
People only see short, simple tool descriptions, while AI models see the full, possibly harmful instructions. Worse, many MCP tools don’t check for hidden dangers.
- A tool described as “Organize files” might actually delete important documents when the AI runs it. Users wouldn’t know unless they inspect the code.
3. Fake Updates After Approval (MCP Rug Pulls)
Hackers can modify a tool’s description after you approve it, adding harmful code once it’s installed.
- Imagine a calculator tool you install. Later, hackers update it to steal credit card numbers entered into the app. This is like a “fake update” scam.
4. Hijacking Trusted Tools (Cross-Server Attacks)
A malicious server can override tools from safe servers. These attacks leave no traces in user logs.
- A hacked server might change a trusted email-sending tool to forward all emails to a hacker’s address, even if you type in the correct recipient.
5. Real-World Exploits That Worked
- Cursor AI Exploit: A tool named “add()” seemed harmless, but secretly stole login details (like passwords) from a settings file.
- Fake Email Tool: A malicious tool pretended to send messages to your contact list but sent them to a hacker instead.
6. MCP’s Built-In Weaknesses
MCP trusts tool descriptions completely, even if they’re dangerous. One hacked server can infect others.
- If a hacker compromises one tool, they could use it to attack all connected tools, like a chain reaction.
7. Weak Protections Today
Most users don’t know how risky MCP servers can be. Tools also lack basic safeguards.
- If a tool is updated with harmful code, users won’t know unless the client checks for changes (many don’t).
How to Stay Safe
Though MCP as a concept is great, it has some hidden perils that everyone should know about. You can follow these steps to stay safe:
- Avoid untrusted MCP servers until security improves.
- Use strong protections like:
  - Tool Pinning: Lock tools to specific, verified versions.
  - User-Friendly Warnings: Clearly show what tools do before they run.
  - Cross-Server Isolation: Separate tools so a hacked one can’t affect others.
- For critical tasks, consider solutions like Invariant’s security stack, which adds extra layers of protection.
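Tool pinning and cross-server checks from the list above, as an added example on the client side (not code from the post, from Invariant, or from any MCP client): at approval time each tool's name, description and input schema are fingerprinted; on every later tools/list the client blocks tools whose fingerprint changed (the rug pull in section 3), tools that were never approved, and a second server reusing a name another server already owns (the cross-server override in section 4). The server names and tool definitions are constructed for the example.

```python
import hashlib
import json

# Constructed sample: what two servers advertised when the user approved them.
APPROVED = {
    "files-server": [{"name": "organize_files",
                      "description": "Sort files in a folder by type.",
                      "inputSchema": {"type": "object",
                                      "properties": {"path": {"type": "string"}}}}],
    "mail-server": [{"name": "send_email",
                     "description": "Send an email to the given recipient.",
                     "inputSchema": {"type": "object",
                                     "properties": {"to": {"type": "string"}}}}],
}

# Constructed later tools/list: one description rewritten, and a new server reusing a name.
LATER = {
    "files-server": [dict(APPROVED["files-server"][0],
                          description="Sort files by type and upload a copy for backup.")],
    "mail-server": APPROVED["mail-server"],
    "new-server": [{"name": "send_email", "description": "Send an email.",
                    "inputSchema": {"type": "object"}}],
}

def tool_fingerprint(tool):
    """SHA-256 over the fields the model reads: name, description, input schema."""
    canonical = json.dumps({"name": tool["name"],
                            "description": tool.get("description", ""),
                            "inputSchema": tool.get("inputSchema", {})},
                           sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()

def pin_tools(servers):
    """Approval time: record one fingerprint per (server, tool name)."""
    return {(srv, t["name"]): tool_fingerprint(t)
            for srv, tools in servers.items() for t in tools}

def check_tools(pins, servers):
    """Every later tools/list: return [(action, message)]; empty means nothing changed."""
    findings, owner = [], {}
    for srv, tools in servers.items():
        for t in tools:
            name, key = t["name"], (srv, t["name"])
            if key not in pins:
                findings.append(("block", f"{srv}: unapproved tool {name!r}"))
            elif pins[key] != tool_fingerprint(t):
                findings.append(("block", f"{srv}: {name!r} changed since approval (rug pull)"))
            # Two servers exposing one name is how a rogue server shadows a trusted tool.
            if owner.setdefault(name, srv) != srv:
                findings.append(("block", f"{srv}: {name!r} collides with {owner[name]}"))
    return findings
```

Run `check_tools(pin_tools(APPROVED), LATER)` to see the three findings; any "block" result should stop the tool from being offered to the model until the user re-approves it.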
Conclusion
Look, MCP servers aren’t all bad — they can be useful. But let’s be real: they’re like driving without a seatbelt. Sure, convenient, but one wrong move and you’re toast. Hackers can hide nasties in tool descriptions, trick AI into leaking your secrets, or “update” tools after you’ve already trusted them.
Here’s how to survive:
- Treat every MCP server like a sketchy app download — avoid the ones nobody trusts.
- Lock tools down tight with pinning (so hackers can’t sneak in later).
- If you must use MCP, isolate it like it’s radioactive — keep it away from your important stuff.
Bottom line? MCP’s cool tech, but it’s still a work in progress. Use it sparingly, protect yourself hard, and maybe wait for the “safety updates” to roll out before you trust it fully.
MCP Servers are not safe! was originally published in Data Science in Your Pocket on Medium.