A design flaw – or expected behavior based on a bad design choice, depending on who is telling the story – baked into Anthropic’s official Model Context Protocol (MCP) puts as many as 200,000 servers at risk of complete takeover, according to security researchers.

  • setsubyou@lemmy.world · ↑1 · 5 days ago

    GPT Researcher is a research agent, just one of many AI tools.

    I think the idea is that these tools let users configure MCP servers, and because MCP doesn’t necessarily use the network but can also just mean directly spawning a process, users can get the tool to execute arbitrary commands (possibly circumventing some kind of protection).

    This is all fine if you’re doing this yourself on your computer, but it’s not if you’re hosting one of these tools for others who you didn’t expect to be able to run commands on your server, or if the tool can be made to do this by hostile input (e.g. a web page the tool is reading while doing a task).

    • trolololol@lemmy.world · ↑1 · 5 hours ago

      Still looks like nonsense.

      Why would you blame MCP for skipping good sense and allowing a stranger to run a remote shell in your machine? Because your description of an MCP that can run any process without any limits is for all purposes a remote shell.

      No one is blaming ssh if you publish your server’s login and password on social media.

      • setsubyou@lemmy.world · ↑1 · 4 hours ago

        I personally wouldn’t blame MCP; it’s just a protocol. My theory is the feature was vibe coded in the vulnerable tools and nobody thought about it much.

    • atkdef@lemmy.dbzer0.com · ↑1 · 5 days ago

      For some reason I missed that sentence trekking what "GPT Researcher" is, my bad.

      I totally agree with what you said, and that confirms it’s not a vulnerability. Handing access to others comes with risks, and tools are not responsible for security measures. This is the job of virtualisation or things like LSM.
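A defensive check for the point setsubyou raises above (a stdio MCP server entry is a process spawn, so user-supplied configuration in a hosted deployment is a request to run code on the host). This is an added example, not code from the thread or from any MCP project; it assumes the common `mcpServers` JSON layout, a hypothetical allowlisted executable `mcp-server-time`, and constructed hosts and entries.

```python
import json
from urllib.parse import urlparse

# Hypothetical executable name used for this example; a package runner such
# as "npx" must never be allowlisted, because its arguments choose the code.
ALLOWED_COMMANDS = {"mcp-server-time"}
# Constructed allowlist of remote MCP endpoints the host may connect to.
ALLOWED_HOSTS = {"mcp.example.invalid"}

# Constructed user-supplied config in the common "mcpServers" JSON layout
# (the layout is an assumption here; the thread does not show one).
UNTRUSTED_CONFIG = json.dumps({"mcpServers": {
    "docs":  {"url": "https://mcp.example.invalid/sse"},
    "lan":   {"url": "http://10.0.0.5/sse"},
    "clock": {"command": "mcp-server-time", "args": ["--tz", "UTC"]},
    "shell": {"command": "sh", "args": ["-c", "id"]},
    "files": {"command": "npx", "args": ["-y", "some-package"],
              "env": {"PATH": "/tmp"}},
}})

def vet_mcp_servers(config_json, allowed_commands=ALLOWED_COMMANDS,
                    allowed_hosts=ALLOWED_HOSTS):
    """Split MCP server entries into (accepted, rejected-with-reason).
    A "command" entry means the client spawns that process; a "url" entry
    means it connects over the network.  Both are checked against allowlists."""
    servers = json.loads(config_json).get("mcpServers", {})
    accepted, rejected = {}, {}
    for name, entry in servers.items():
        if "command" in entry:
            cmd = str(entry["command"])
            # A path component would bypass a name-based allowlist ("./sh").
            if "/" in cmd or "\\" in cmd or cmd not in allowed_commands:
                rejected[name] = f"stdio transport would spawn {cmd!r}"
            elif entry.get("env"):
                # PATH or LD_PRELOAD overrides change what actually executes.
                rejected[name] = "stdio entries may not set environment variables"
            else:
                accepted[name] = entry
        elif "url" in entry:
            u = urlparse(str(entry["url"]))
            if u.scheme != "https" or u.hostname not in allowed_hosts:
                rejected[name] = f"endpoint {entry['url']!r} is not an allowlisted HTTPS host"
            else:
                accepted[name] = entry
        else:
            rejected[name] = "entry has neither 'command' nor 'url'"
    return accepted, rejected
```

Run `vet_mcp_servers(UNTRUSTED_CONFIG)`: only `docs` and `clock` are accepted; `shell`, `files` and `lan` come back with the reason they were refused.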