Skills
Unit 42 Demonstrates Three MCP Sampling Attack Vectors: Resource Theft, Conversation Hijacking, and Covert Tool Invocation via Malicious Servers
Palo Alto Networks Unit 42 published proof-of-concept exploits showing that MCP's sampling feature — where servers can request LLM completions from clients — has no built-in security controls and operates on implicit trust. Three attack vectors demonstrated: resource theft (hidden instructions appended to prompts cause invisible content generation), conversation hijacking (servers manipulate ongoing conversations), and covert tool invocation (servers trigger tool calls without user awareness). The disconnect between what users see and what the LLM processes creates cover for resource-exhaustion attacks. Affected: any MCP implementation with sampling enabled.
Source
↳ Follow the thread