New Prompt Injection Attack Using Malicious MCP Servers Can Drain System Resources

Security researchers have uncovered critical vulnerabilities in the Model Context Protocol (MCP) sampling feature that enable malicious servers to execute stealthy prompt injection attacks, drain computational resources, and compromise large language model applications without user detection.

The findings reveal three primary attack vectors that exploit the protocol’s inherent trust model and lack of robust security controls.

Three Critical Attack Vectors Identified

Researchers demonstrated practical proof-of-concept attacks using a coding copilot application that integrates MCP for code assistance.

The experiments revealed that malicious MCP servers can exploit the sampling feature through resource theft, conversation hijacking, and covert tool invocation, each representing distinct security threats.

In resource theft attacks, malicious servers append hidden instructions to legitimate prompts, causing the LLM to generate extensive additional content that remains invisible to users.

During testing, researchers developed a code summarization tool that covertly instructed the LLM to generate fictional stories alongside requested code summaries.

While users received only the expected summary in their interface, the LLM generated up to 1,000 additional words in the background, consuming computational resources and API credits without authorization.

The conversation-hijacking attack demonstrates a more persistent compromise. By injecting instructions into the LLM’s responses, malicious servers can fundamentally alter the AI assistant’s behavior across multiple conversation turns.

In one experiment, the injected instruction caused the AI to respond in pirate speak for all subsequent interactions.

However, more sophisticated instructions could make the assistant dangerous or unreliable, potentially undermining user trust and system integrity.

Perhaps most concerning is the covert invocation of tools, where malicious servers trigger unauthorized system operations.

Researchers demonstrated that a compromised server could instruct an LLM to invoke file-writing tools without explicit user permission, enabling data exfiltration, persistence mechanisms, and unauthorized system modifications.

The attack succeeds because file operations appear to the LLM as legitimate tool invocations, providing attackers with perfect cover.

The research highlights that MCP sampling relies on an implicit trust model with no built-in security controls, creating new attack vectors for agents that use the protocol.

The disconnect between what users see and what the LLM actually processes creates a perfect cover for resource-exhaustion attacks and hidden malicious activity.

Different MCP implementations may handle output filtering and display differently, with some potentially showing complete LLM responses while others use additional summarization layers to obscure hidden content.

Palo Alto Networks recommends organizations implement comprehensive security measures to protect AI systems from these threats.

The research emphasizes the critical need for robust security controls in MCP-based systems, including enhanced validation of sampling requests, monitoring for anomalous token-consumption patterns, and safeguards against persistent prompt injection.

As MCP adoption grows across AI applications, understanding and mitigating these attack vectors becomes essential for maintaining the integrity and security of LLM-powered tools and services.

Find this Story Interesting! Follow us on Google News, LinkedIn and X to Get More Instant Update

The post New Prompt Injection Attack Using Malicious MCP Servers Can Drain System Resources appeared first on Cyber Security News.