The Protocol Behind the Curtain: What MCP Really Exposes
Unknown
BSides Las Vegas 2025 · Day 1
Srajan Gupta and Vinkumar use **Model Context Protocol (MCP)** as a lens on why **AI agents** struggle to integrate safely with deterministic **APIs**. They argue **LLM** probabilism clashes with rigid request/response contracts, error handling, and parsing—**MCP** is presented as standardizing discovery and usage of tools to make integrations more reliable and to preserve conversational context across services (examples: **Slack**, **Google Docs**). The talk balances architecture education with **offensive** scenarios: **tool description poisoning**, **tool squatting**, **line jumping** across host clients, **version drift**/**rug pull** updates, and **indirect prompt injection** via fetched content (e.g., **Reddit**). Vinkumar introduces **Drift Cop** (renamed from “MCP Drift Cop”), a **static analysis** / drift-tracking tool for MCP server definitions, demonstrated against a vulnerable sample repository.
AI review
Timely MCP threat modeling with demos that actually exercise cross-client context poisoning, silent metadata drift, and indirect injection via fetched posts—plus a pragmatic drift-tracking tool direction. A few cited statistics need external verification, but the attack mechanics are sound.