MCP security is completely broken!
Let's understand tool poisoning attacks and how to defend against them:
Let's understand tool poisoning attacks and how to defend against them:
MCP allows AI agents to connect with external tools and data sources through a plugin-like architecture.
It's rapidly taking over the AI agent landscape with millions of requests processed daily.
But there's a serious problem... 👇
It's rapidly taking over the AI agent landscape with millions of requests processed daily.
But there's a serious problem... 👇
1️⃣ What is a Tool Poisoning Attack (TPA)?
When Malicious instructions are hidden within MCP tool descriptions that are:
❌ Invisible to users
✅ Visible to AI models
These instructions trick AI models into unauthorized actions, unnoticed by users.
When Malicious instructions are hidden within MCP tool descriptions that are:
❌ Invisible to users
✅ Visible to AI models
These instructions trick AI models into unauthorized actions, unnoticed by users.
Here's how the attack works:
AI models see complete tool descriptions (including malicious instructions), while users only see simplified versions in their UI.
First take a look at this malicious tool:
AI models see complete tool descriptions (including malicious instructions), while users only see simplified versions in their UI.
First take a look at this malicious tool:
Let me quickly show the attack in action by connecting this server to my cursor IDE.
Check this out👇
Check this out👇
Now let's understand a few other ways these attacks can happen and then we'll also talk about solutions...👇
2️⃣ Tool hijacking Attacks:
When multiple MCP servers are connected to same client, a malicious server can poison tool descriptions to hijack behavior of TRUSTED servers.
Here's an example of an email sending server hijacked by another server:
When multiple MCP servers are connected to same client, a malicious server can poison tool descriptions to hijack behavior of TRUSTED servers.
Here's an example of an email sending server hijacked by another server:
Take a look at these two MCP servers before we actually use them to demonstrate tool hijacking.
`add()` tool in the second server secretly tries to hijack the operation of send email tool in the first server.
`add()` tool in the second server secretly tries to hijack the operation of send email tool in the first server.
Let's see tool hijacking attack in action, again by connecting the above two servers to my cursor IDE!
Check this out👇
Check this out👇
3️⃣ MCP Rug Pulls ⚠️
Even worse - malicious servers can change tool descriptions AFTER users have approved them.
Think of it like a trusted app suddenly becoming malware after installation.
This makes the attack even more dangerous and harder to detect.
Even worse - malicious servers can change tool descriptions AFTER users have approved them.
Think of it like a trusted app suddenly becoming malware after installation.
This makes the attack even more dangerous and harder to detect.
🛡️Mitigation Strategies:
- Display full tool descriptions in the UI
- Pin (lock) server versions
- Isolate servers from one another
- Add guardrails to block risky actions
Until security issues are fixed, use EXTREME caution with.
- Display full tool descriptions in the UI
- Pin (lock) server versions
- Isolate servers from one another
- Add guardrails to block risky actions
Until security issues are fixed, use EXTREME caution with.
Finally, here's a summary of how MCP works and how these attacks can occur. This visual explains it all.
I hope you enjoyed today's post. Stay tuned for more! 🙌
I hope you enjoyed today's post. Stay tuned for more! 🙌
If you found it insightful, reshare with your network.
Find me → @akshay_pachaar ✔️
For more insights and tutorials on LLMs, AI Agents, and Machine Learning!
Find me → @akshay_pachaar ✔️
For more insights and tutorials on LLMs, AI Agents, and Machine Learning!
https://x.com/akshay_pachaar/status/1946926773918429249
• • •
Missing some Tweet in this thread? You can try to
force a refresh
