Researchers Expose MCP Protocol Security Flaws, Cross-Tenant AI Data Leaks, and a New CSAM Detection Method
The Model Context Protocol (MCP) went under the microscope today in two independent studies. One uncovered a structural confused deputy problem: the protocol provides no origin, authorship, or integrity verification for tool results, enabling injection, DNS rebinding, and misrepresentation of safety hints like readOnlyHint. A compromised server can easily spoof destructive permissions, leaving LLMs to trust unverifiable content. The second study introduced MCPZoo, the largest dynamic-analysis collection of MCP servers, with 64,611 unique instances. Security scanners meant to assess them were found to be largely ineffective, highlighting a gap between the protocol's rapid adoption and its tooling.
A separate source review of over 200 multi-tenant AI and SaaS products revealed a widespread pattern: authorization checks are enforced on write endpoints but skipped on the corresponding read endpoints. This led to 84 confirmed cross-tenant data exposures across 78 products, with 31 GitHub Security Advisories filed. The findings, verified on self-hosted Docker instances using synthetic data and an open-source isolation checker, expose a dangerous blind spot in how AI tools handle multi-tenancy.
In a breakthrough for online safety, MIT and child protection nonprofit Thorn developed Gaussian probing, a technique that detects models fine-tuned to produce child sexual abuse material with 100% accuracy—without generating a single illegal image. The method works by analyzing shifts in a model's internal representations caused by LoRA adaptors, circumventing the legal paradox that previously blocked safety testing. The work was presented at ICML.
On the engineering side, teams found practical ways to rein in AI costs and risks. One engineer cut Claude Code review token bills 8–49× by feeding the model only the code within two hops of a diff on a Tree-sitter–built call graph, a “blast radius” approach. Separately, a deep dive into automated COBOL-to-Java translation warned that mere compilation success is not migration completeness—silent arithmetic shifts (e.g., fixed-point to floating-point) can compound into audit-level discrepancies. Differential equivalence verification is needed to catch such regressions.
Finally, reliability of LLM evaluations in CI was questioned: only two out of six frameworks survived a real merge queue, as LLM-as-judge scores drifted unpredictably near thresholds, while deterministic checks never flaked. And a post-mortem on AI agent memory loss catalogued four distinct causes—from key mismatches and lossy memory compaction to concurrency races—showing that a single symptom can mask multiple root origins.
» Statistics
- Posts
- 226
- Reads
- 0
- Avg. score
- 7.7
» Top scored
- The four hidden causes behind an AI agent's vanishing memory writes
- Source review of 200 self-hosted AI tools finds 78 leak tenant data
- Claude Code Review Token Bills Cut 8-49x With Tree-sitter Call Graphs
- AI Migrates COBOL to Java Fast — Proving It's Correct Is Hard
- We gated CI on six LLM eval frameworks — only two survived
- MCP's Confused Deputy Problem: Provenance Gaps, Injection, DNS Rebinding
- MIT Method Detects AI Models Fine-Tuned for CSAM Without Generating It
- SirixDB: A bitemporal JSON database with sub-page versioning
- Five-Paper Series Formalizes Cohesion, Arrives at the IVP
- Rethinking MCP Security: A Large-Scale Study of 64K Runtime Servers