Everyone thinks MCP is for making AI assistants smarter. You know, "Claude, please read my files and understand my soul." And sure, it does that. But here's what they put in the documentation that made me spit out my morning tea:
"MCP provides a standardized way to connect AI models to different data sources and tools."
Okay but. But. What if you just... removed the AI part? What if it's just "a standardized way to connect AI models literally anything to different data sources and tools"?
ArticleM.R.E.A.M - MCP Rules Everything Around Me
A short but very thought provoking article on other potential uses for MCP outside of it's intended use for AI models. The example the author gives is an Spotify MCP server being used autonomously by a workout app to create playlists for the user. Seeing as MCP allows for the connection of
anything to data sources and tools, the potential applications (both good and bad) are actually endless.
I recently
responded to a post by
Simon Wilson in which he highlighted an MCP related vuln with Supabase. I think we are going to see A LOT more of these types of vulns as MCP gains widerspread adoption. I think this problem stems from the fact that most devs see security as an afterthought when building software.
One thing I do when I'm building or evaluating projects is that I'm constantly asking myself how the system can be abused. This comes from the fact that I got into computers via cybersecurity so I cut my teeth on trying to figure out how to use various tools in novel ways that would gain me access to areas of the program or system that I shouldn't have. This particular line of thinking is the gift that just keeps on giving.
I recently deployed a misconfigured Redis server that ended up becoming part of a botnet. It took a bit of digging to figure out exactly had happened. But, because I was familiar with tools like netstat and wireshark I knew within a few hours what was likely the cause. I did some more digging (reading the container logs and stderr logs) and confirmed that it indeed was being hijacked. I quickly setup the right configs (in this case adding a password to the containerized Redis deploy) and the issue stopped immediately.
I think more devs should strengthen their cybersecurity chops. It's not something that you're gonna use everyday (if you're using frameworks with good defaults) but overlooking it has dire, asymetrical effects. No one will give you a pat on the back for hardening your system against intruders but if they do find a way in, you'll wish you had a time machine.
Thanks for reading and as always, all comments, critiques and questions are highly appreciated. Here's a link to the
previous article response.