Hacker News new | ask | show | jobs
by lunw 342 days ago
Co-founder of General Analysis here. Technically this is not a responsibility of Supabase MCP - this vulnerability is a combination of:

1. Unsanitized data included in agent context

2. Foundation models being unable to distinguish instructions and data

3. Bad access scoping (cursor having too much access)

This vulnerability can be found almost everywhere in common MCP use patterns.

We are working on guardrails for MCP tool users and tool builders to properly defend against these attacks.
3 comments
aprilthird2021 342 days ago
How is it not a responsibility of the MCP provider to ensure that they don't leak the data they are entrusted with? They should know how any app that will interface with their MCP can work and lock down any unauthorized access, otherwise it's not really a database provider is it? I mean, if it can't meet that bar, why pay for it?
link
6thbit 342 days ago
In the non-AI world, a database server mostly always just executes any query you give it to, assuming right permissions.

They are not responsible only in the way they wouldn't be responsible for an application-level sql injection vulnerability.

But that's not to say that they wouldn't be capable of adding safeguards on their end, not even on their MCP layer. Adding policies and narrowing access to whatever comes through MCP to the server and so on would be more assuring measures than what their comment here suggest around more prompting.

link
dventimi 342 days ago
> But that's not to say that they wouldn't be capable of adding safeguards on their end, not even on their MCP layer. Adding policies and narrowing access to whatever comes through MCP to the server and so on would be more assuring measures than what their comment here suggest around more prompting.

This is certainly prudent advice, and why I found the GA example support application to be a bit simplistic. I think a more realistic database application in Supabase or on any other platform would take advantage of multiple roles, privileges, Row Level Security, and other affordances within the database to provide invariants and security guarantees.

link
gmerc 341 days ago
Good luck sanitizing code. This is an unfixable problem in transformer architecture and goes a long way past just blunt instructions
link