afrisch | 5 months ago

How is this different from a backdoor in, say, a Thunderbird extension? I've maintained an extension for Thunderbird and, when I was no longer interested in it, a guy pushed hard to take over the project after sending a few legitimate contributions. I declined because it seemed crazy to give the keys to tens of thousands of mailboxes to a guy I didn't really know. I also found it crazy that people would trust me initially, but well, I know I'm a good guy :-)

SoftTalker|5 months ago

Yeah, I thought the same thing. This has nothing to do with MCP really, the same flaw is there in all software: you have to trust the author and the distributor. Nothing stops Microsoft from copying all your Outlook mail. Nothing stops Google from copying all your Gmail. Nothing stops the Mutt project from copying all your email. Open source users like to think that "many eyes" keep the code clean and they probably do help, especially on popular projects where all commits get reviewed in detail, but the chance is still there. And the rest of us just trust the developers. This problem is as old as software.

PantaloonFlames|5 months ago

> Nothing stops Microsoft.... Nothing stops Google...

Not really true. They have skin in the game. They have legitimate revenue at stake. If they betray trust on such a scale, and we find out, they'll be out of business.

phatskat|5 months ago

> This problem is as old as software.

Sure, I agree, and the problem is absolutely magnified by AI. If a back door gets into Thunderbird, or Google decides to start scanning and sharing all of your email, that’s one point of failure.

An MCP may connect to any number of systems that require a level of trust, and if any one thing abuses that trust it puts the entire system at risk. Now you’re potentially leaking email, server keys, recovery codes, private documents, personal photos, encrypted chats - whatever you give your AI access to becomes available to a single rogue actor.

thaumasiotes|5 months ago

> Open source users like to think that "many eyes" keep the code clean and they probably do help, especially on popular projects where all commits get reviewed in detail, but the chance is still there.

The https://en.wikipedia.org/wiki/XZ_Utils_backdoor bears mentioning here.

latexr|5 months ago

> How is this different from a backdoor in, say, a Thunderbird extension?

I don’t get the argument. Had this been a backdoor in a Thunderbird extension, would it not have been worth reporting? Of course it would. The value of this report is first and foremost that it found a backdoor. That it is on an MCP server is secondary, but it’s still relevant to mention it for being the first, so that people who don’t believe or don’t understand these systems can be compromised (those people exist) can update their mental model and be more vigilant.

dpflan|5 months ago

I recall the noted Zuckerberg comments regarding the situation you describe of why people are willing to trust you with their privacy and data...

EasyMark|5 months ago

I have helped many extremely drunk people this way, given them a lift, but point out to them that getting a lift from a stranger you just met is a really bad idea. They're just lucky they met an honest guy with some free time because I keep weird hours and like the neighborhood hole-in-the-wall pub.

latexr|5 months ago

> getting a lift from a stranger you just met is a really bad idea.

Giving a lift to a drunk stranger you just met is also a bad idea. Not a criticism—what you’re doing is positive—but it’s also a risk for you.