Known Security Issues With WebMCP

Alex Nahas edited this page Sep 7, 2025 · 1 revision

1. Cross-Origin Data Leakage

  • Issue: The browser extension can share data between different websites at the agent's discretion, bypassing the Same-Origin Policy (SOP) and CORS protections
  • Concern: Data from a banking app could be shared with a malicious site if both are MCP-B enabled
  • Action needed: Implement guardrails when domain shifts happen via elicitation, enforce data isolation between origins

2. OAuth Delegation vs Session Hijacking

  • Issue: MCP-B essentially allows backdooring apps by using existing user session credentials
  • Concern: All MCP app actions are logged under the same scope as user access, making audit trails indistinguishable
  • Action needed: Consider implementing OAuth delegation (RFC 8693) or similar mechanisms to distinguish agent actions from direct user actions

3. Automatic Connection to MCP Servers

  • Issue: The extension automatically seeks out and attaches to MCP servers when pages load
  • Risk: Malicious sites that end up in browser tabs (through redirects, pop-ups, etc.) could steal data from other web apps
  • Action needed: Implement an opt-in consent mechanism, e.g. a popup asking "Website X has an MCP server, do you trust it to connect?"

4. Tool Permission Granularity

  • Issue: Users have no control over what tools/permissions the agent gets - it's entirely up to the website owner
  • Comparison: With traditional MCP, users explicitly grant OAuth scopes; with MCP-B, websites decide what access to expose
  • Action needed: Consider a user-controllable permission system for tools, including the ability to restrict agent access below the user's own permissions

5. Tool Auditing and Verification

  • Issue: Users can't audit what tools a website exposes until after connection
  • Risk: Malicious tools could appear after initial connection
  • Action needed:
    • Show full tool list at connection time
    • Warn if new tools appear that weren't in the initial list
    • Allow users to selectively enable/disable specific tools

6. Prompt Injection Vulnerabilities

  • Issue: Directives to execute dangerous actions (like "delete all data") can come from sources other than the user
  • Concern: Traditional security assumes user intent behind actions; with agents, this assumption breaks
  • Action needed: Robust prompt injection defenses, clear separation of user intent vs agent suggestions

7. Compliance and Audit Trail Issues

  • Issue: From a compliance perspective, agent actions being indistinguishable from user actions is problematic
  • Concern: Legal/regulatory requirements often need clear audit trails of who/what performed actions
  • Action needed: Implement clear logging/identification of agent-initiated vs user-initiated actions

8. Zero-Config Trust Model

  • Issue: The zero-configuration nature means users are implicitly trusting both the model and website owners
  • Comparison: Like "putting your SSN into a website" - requires significant trust
  • Action needed: Clear communication of risks to users, possibly implement trust levels or reputation system

Proposed Solutions to Implement:

  1. Connection Consent UI: Show popup for each new MCP server connection
  2. Tool Inspection: Pre-connection tool audit with ability to selectively enable/disable
  3. Domain Isolation: Enforce data isolation between different origins, require explicit permission for cross-origin data sharing
  4. Agent Identity: Clear identification in logs/actions when agent is acting vs direct user action
  5. Permission Scoping: Allow users to grant agents reduced permissions compared to their own access
  6. Security Warnings: Alert users when sensitive operations are requested or when crossing trust boundaries