A design flaw – or expected behavior based on a bad design choice, depending on who is telling the story – baked into Anthropic’s official Model Context Protocol (MCP) puts as many as 200,000 servers at risk of complete takeover, according to security researchers.

  • trolololol@lemmy.world
    15 hours ago

    Still looks like nonsense.

    Why would you blame MCP for skipping good sense and allowing a stranger to run a remote shell in your machine? Because your description of an MCP that can run any process without any limits is for all purposes a remote shell.

    No one is blaming ssh if you publish your server’s login and password on social media.

    • setsubyou@lemmy.world
      14 hours ago

      I personally wouldn’t blame MCP, it’s just a protocol. My theory is the feature was vibe coded in the vulnerable tools and nobody thought about it much.