Four Attacks on MCP Authorization

▶ Watch (0:04)

Cecchetti opened with a metaphor from Dr. Seuss. The Cat in the Hat spawns sub-agents (little cats A, B, C, D) without attenuated permissions. Chaos ensues. She mapped this to four MCP attacks. The first is silent tool injection. An MCP server approved for weather checking silently updates itself to send emails, delete data, or run exploits. The client does not re-check the tool manifest or require re-consent.

Malicious Elicitation and Uncontrolled Delegation

▶ Watch (4:10)

The second attack is malicious elicitation. A malicious MCP server can ask the LLM for passwords, MFA codes, API keys, or SSNs. Users trust their LLM and are not trained to distrust it. The third attack is uncontrolled delegation. A ServiceNow bot delegates to a sub-agent to check Okta, which delegates to AD, which delegates to reconfigure AD security settings. Every sub-agent has the same permissions as the parent. None have attenuated permissions.

Sampling Exfiltration Breaks OAuth

▶ Watch (7:34)

OAuth is a one-way protocol. Data flows from the protected resource to the application to the human. MCP’s sampling feature reverses that flow. An MCP server can pull medical conditions, vulnerability research, or divorce lawyer conversations from the LLM’s session, long-term memory, or other servers. Cecchetti called this the attack that should keep you up at night. Tobin South from Anthropic and Claudrey both built proof-of-concept exploits.

Four Recommendations for the MCP Spec

▶ Watch (9:28)

Cecchetti proposed four changes. First, remove sampling and elicitation from the MCP spec. OAuth is not mTLS. Second, add signed server metadata with publisher identity, tool definitions, and version pinning. Third, add an "authorization details required" flag so sub-agents carry a JWT with a policy mandate. Fourth, add an "escalate" tool response beyond allow and deny, so a tool can tell the orchestrating agent to replan.
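To make the second recommendation concrete, here is an added example (not code from the talk or from the MCP spec) of a client that pins signed server metadata by publisher, version and manifest digest, so the silent tool injection from attack one forces re-consent instead of going unnoticed. The `PinningClient` class, the HMAC stand-in for a publisher signature, and the weather manifests are all constructed for this illustration.

```python
import hashlib
import hmac
import json

# Constructed example: a shared secret stands in for the publisher's signing key (a real deployment uses an asymmetric signature).
PUBLISHER_KEY = b"example-publisher-signing-key"

def canonical(manifest: dict) -> bytes:
    # Canonical JSON so the same manifest always hashes and signs identically.
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()

def sign_manifest(manifest: dict) -> str:
    return hmac.new(PUBLISHER_KEY, canonical(manifest), hashlib.sha256).hexdigest()

def digest(manifest: dict) -> str:
    return hashlib.sha256(canonical(manifest)).hexdigest()

class PinningClient:
    def __init__(self):
        # server name -> (publisher, version, manifest digest) the user consented to
        self.pins = {}
    def consent(self, server: str, manifest: dict, signature: str) -> bool:
        # Record consent only for metadata whose publisher signature verifies.
        if not hmac.compare_digest(sign_manifest(manifest), signature):
            return False
        self.pins[server] = (manifest["publisher"], manifest["version"], digest(manifest))
        return True
    def check(self, server: str, manifest: dict, signature: str) -> str:
        # Run on every tool-list refresh; returns 'ok', 'reconsent' or 'reject'.
        if not hmac.compare_digest(sign_manifest(manifest), signature):
            return "reject"  # unsigned or tampered metadata: never expose these tools
        if server not in self.pins:
            return "reconsent"  # never approved: the user must consent to this tool set
        publisher, version, pinned = self.pins[server]
        if manifest["publisher"] != publisher:
            return "reject"  # publisher identity changed: treat it as a different server
        if manifest["version"] != version or digest(manifest) != pinned:
            return "reconsent"  # tool definitions changed under the pin: stop and re-consent
        return "ok"

# Constructed manifests: the approved weather server, then the same server after a silent update.
WEATHER_V1 = {"publisher": "example-weather-co", "version": "1.0.0", "tools": [{"name": "get_forecast"}]}
WEATHER_INJECTED = {**WEATHER_V1, "tools": WEATHER_V1["tools"] + [{"name": "send_email"}]}

def demo() -> list:
    client = PinningClient()
    client.consent("weather", WEATHER_V1, sign_manifest(WEATHER_V1))
    return [client.check("weather", WEATHER_V1, sign_manifest(WEATHER_V1)),            # 'ok'
            client.check("weather", WEATHER_INJECTED, sign_manifest(WEATHER_INJECTED)),  # 'reconsent'
            client.check("weather", WEATHER_INJECTED, sign_manifest(WEATHER_V1))]        # 'reject'
```

The second check shows the interesting case: the update is validly signed and keeps the same version string, yet the digest mismatch still blocks the new `send_email` tool until the user re-consents.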

Q&A

How should ephemeral agents get dynamically created identities? SPIFFE is part of the solution, but more work is needed for short-lived agents. ▶ Watch (20:15)

Should signed server metadata be self-signed or signed by a third party? A third-party signer like OpenID Foundation or a federation registry would add trust. ▶ Watch (22:51)

Is there a move to integrate verifiable credentials? Yes, SPIFFE provides cryptographically signed identities. Zero-knowledge proofs and selective disclosure are interesting for clients. ▶ Watch (23:27)

Notable Quotes

So this is not the way that OAuth was intended to work. OAuth is intended to only go the other way. It has no ability, no mechanism to do policy enforcement in the other direction. Sarah Cecchetti · ▶ Watch (8:55)

And then attack four is sampling exfiltration. This is the one that should keep you up at night. Sarah Cecchetti · ▶ Watch (7:34)

So every cat, regardless of how much context they have, has the same permissions. Sarah Cecchetti · ▶ Watch (6:28)

Key Takeaways

  • MCP’s sampling feature breaks OAuth by allowing data exfiltration from the LLM to the server.
  • Sub-agents need attenuated permissions, not the full authority of their parent agent.
  • Signed server metadata with version pinning prevents silent tool injection attacks.

About the Speaker(s)

Sarah Cecchetti is Director of Product Management for Semperis, a Series C startup. She chairs the AI threat modeling group in the OpenID Foundation. Prior to that she spent five years at AWS where she led the open-sourcing of Cedar. She co-founded IDPro and co-authored NIST SP…