Core Insights - The article highlights a significant security risk associated with the use of MCP (Multi-Channel Protocol) in AI applications, particularly the potential for SQL database leaks through a "lethal trifecta" attack pattern involving prompt injection, sensitive data access, and information exfiltration [1][4][19]. Group 1: MCP Deployment and Popularity - MCP has rapidly gained traction since its release in late 2024, with over 1,000 servers online by early 2025 and significant interest on platforms like GitHub, where related projects received over 33,000 stars [3]. - The simplicity and lightweight nature of MCP have led to a surge in developers creating their own MCP servers, allowing for easy integration with tools like Slack and Google Drive [3][4]. Group 2: Security Risks and Attack Mechanisms - General Analysis has identified a new attack mode stemming from the widespread deployment of MCP, which combines prompt injection with high-privilege operations and automated data return [4][19]. - An example of this vulnerability was demonstrated through an attack on Supabase MCP, where an attacker could extract sensitive integration tokens by submitting a seemingly benign customer support ticket [5][11]. Group 3: Attack Process Breakdown - The attack process involves five steps: setting up an environment, creating an attack entry point through a crafted support ticket, triggering the attack via a routine developer query, agent hijacking to execute SQL commands, and finally, data harvesting [7][9][11]. - The attack can occur without privilege escalation, as it exploits the existing permissions of the MCP agent, making it a significant threat to any team exposing production databases to MCP [11][13]. Group 4: Architectural Issues and Security Design Flaws - The article argues that the vulnerabilities are not merely software bugs but rather architectural issues inherent in the MCP design, which lacks adequate security measures [14][19]. - The integration of OAuth with MCP has been criticized as a mismatch, as OAuth was designed for human user authorization, while MCP is intended for AI agents, leading to fundamental security challenges [21][25]. Group 5: Future Considerations and Industry Implications - The ongoing evolution of MCP and its integration into various platforms necessitates a reevaluation of security protocols and practices within the industry [19][25]. - Experts emphasize the need for a comprehensive understanding of the security implications of using MCP, as the current design does not adequately address the risks associated with malicious calls [25].