Yeah, that's exactly what I took away from this too... I get why it's worth noting MCP servers in the article since these could provide a large attack vector, but it seems odd to focus on that as if that is the core security vulnerability here.
I guess the bit I'm more surprised about is why Chrome extensions are even allowed to make localhost connections without requesting user approval? Is the assumption that everything running locally must be safe? What am I missing here?
I mean, the core security vulnerability explained here is that MCP does not expose / allow for any kind of authentication or user consent before accessing your computer's most sensitive resources, like a terminal or list of private Slack messages. Spotify, 1Password, or other services on your computer that use `localhost` do not have the same issue.
This would be a non-issue if some kind of simple origin-authenticated token exchange was built into the protocol itself.
It doesn't need it if this vulnerability is the only one you're worried about (remote websites), but it'd be nice to have it before letting it use e.g. your Github account. This is how VS Code extensions work, for example, and it's pretty nice.
How could it? The agent calling into the MCP server is the one exposing an interface to the end user. It’s the agent’s job to prompt the user (and both Claude desktop and cursor do).
It’s the “system administrator”’s job to make sure the MCP is running at the right privilege level with correct data access levels. The MCP server can’t stop somebody from running it as root the same way any other program can’t.
At the end of the day the MCP should be treated as an extension of the user. Whatever the user can do, so too can the MCP server. (I mean, this isn’t technically true... you can run the MCP under its own account or inside some sandbox… this will probably start to happen soon enough)
The problem isn't the permissions the MCP has, it's about whose orders it obeys.
Many other programs on the system aren't an extension of the user. And they can access ports.
How could it do authentication? Easily. The most basic option is for the server to put a secret token in your user folder, so only code with access to that token can talk to it.
On Linux it can be even simpler. Don't attach the server to a port, attach it to a socket file.
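The secret-token approach described in the comment above, as an added example that is not part of the original thread or of any MCP implementation: the server writes a random token to a file only the current user can read, and accepts a request only when it presents that token. The temp-directory helper and the Origin check are assumptions for this example; a real server would keep the file under the user's config directory.

```python
import hmac
import os
import secrets
import tempfile
from pathlib import Path


def make_token_dir() -> Path:
    """Constructed for the example: a throwaway per-user directory.
    A real server would use something like ~/.config/<server>/."""
    return Path(tempfile.mkdtemp(prefix="local-server-token-"))


def write_token(token_dir: Path) -> str:
    """Create a fresh random token in a file readable only by this user.

    A local client (CLI, editor plugin) proves it runs as this user by
    reading the file. A web page or browser extension that reaches
    localhost over HTTP cannot read the filesystem, so it never learns it.
    """
    token_dir.mkdir(parents=True, exist_ok=True)
    token = secrets.token_urlsafe(32)
    # os.open sets 0600 atomically at creation; open() followed by chmod()
    # would leave a brief window where the file is readable by others.
    fd = os.open(token_dir / "token", os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(token)
    return token


def load_token(token_dir: Path) -> str:
    """What a legitimate local client does before calling the server."""
    return (token_dir / "token").read_text().strip()


def is_authorized(headers: dict, expected: str) -> bool:
    """Decide whether a request may use the server.

    `headers` is a lowercase-keyed dict of request headers. Requests that
    carry an Origin header come from browser content and are refused as
    defence in depth; the bearer token is the actual credential.
    """
    if "origin" in headers:
        return False
    scheme, _, presented = headers.get("authorization", "").partition(" ")
    if scheme.lower() != "bearer" or not presented:
        return False
    # Constant-time comparison so the token cannot be guessed via timing.
    return hmac.compare_digest(presented, expected)
```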