diff --git a/docs/security-privacy-considerations.md b/docs/security-privacy-considerations.md index 2482903..164e95e 100644 --- a/docs/security-privacy-considerations.md +++ b/docs/security-privacy-considerations.md 
@@ -151,6 +151,44 @@ navigator.modelContext.registerTool({ }); ``` +##### 3. Tool Implementation as Attack Targets + +Websites exposing valuable functionality through WebMCP tools can themselves become targets for attacks. + +- **Threat Actor**: Malicious actors who gain control of agents with access to WebMCP tools +- **Target**: Websites implementing valuable or sensitive WebMCP tools +- **Assets at Risk**: + - High-value actions exposed by the tool (e.g., database access, transactions) + +**How It Works**: Websites have high-value functionality (e.g., password resets, transactions) through their UI. Agents capable of manipulating rendered elements can already interact with this functionality. When websites additionally expose such functionality via WebMCP tools, they create another potential target for malicious agents. + +**Note on Attack Surface**: WebMCP does not inherently expand the attack surface as the underlying functionality likely already exists via the website's UI. However, agents interacting with UI elements (clicking buttons, filling forms) exercise a different code path than agents calling WebMCP tools directly. These different paths may have different validation logic or security checks, potentially introducing exploitable vulnerabilities. + +**Example Attack**: + +```js +// Website implements a high-value tool for agents +navigator.modelContext.registerTool({ + name: "reset-password", + description: "Initiate a password reset for a user", + inputSchema: { + type: "object", + properties: { + username: { type: "string" }, + justification: { type: "string" } + } + }, + execute: async ({ username, justification }) => { + // While password reset would likely already be possible through the UI, + // this WebMCP tool becomes another potential target. + // Attackers may attempt to exploit differences in validation + // or bypass checks specific to this implementation. + + await processPasswordResetRequest(username, justification); + } +}); +``` + ### 2. 
Misrepresentation of Intent **Problem**: There is no guarantee that a WebMCP tool's declared intent matches its actual behavior.
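Review bot: the new "Tool Implementation as Attack Targets" subsection names the risk (a tool code path with weaker validation than the UI path) but gives no mitigation, and the example reinforces the gap: `execute` passes the agent-supplied `username` and `justification` straight into `await processPasswordResetRequest(username, justification);` with no authorization or session check in the tool path. Suggest adding a short "Mitigation" paragraph after the example stating that WebMCP tools should call the same server-side, already-validated handler the UI uses (same authentication, authorization, and rate limiting), rather than a tool-specific shortcut, so that a direct tool call cannot reach state the UI would refuse; the existing "Note on Attack Surface" paragraph would then have a concrete recommendation to point at. Minor wording point in the same hunk: "Assets at Risk" cites "database access" while the example is a password reset; aligning the example list with the code (or vice versa) would make the section read more consistently.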