From b55e5ba55bea7560591cd5d91af0a2d771e17a10 Mon Sep 17 00:00:00 2001 From: Victor Huang Date: Mon, 8 Dec 2025 14:41:53 -0800 Subject: [PATCH 1/3] add section on tool implementation as attack targets --- docs/security-privacy-considerations.md | 38 +++++++++++++++++++++++++ 1 file changed, 38 insertions(+) diff --git a/docs/security-privacy-considerations.md b/docs/security-privacy-considerations.md index 2482903..62f0375 100644 --- a/docs/security-privacy-considerations.md +++ b/docs/security-privacy-considerations.md 
@@ -151,6 +151,44 @@ navigator.modelContext.registerTool({ }); ``` +##### 3. Tool Implementation as Attack Targets + +Websites exposing valuable functionality through WebMCP tools can themselves become targets for attacks. + +- **Threat Actor**: Malicious users controlling or manipulating agents using WebMCP +- **Target**: Websites implementing valuable or sensitive WebMCP tools +- **Assets at Risk**: + - High-value actions exposed by the tool (e.g., database access, transactions) + +**How It Works**: When websites additionally expose such functionality via WebMCP tools, they create another potential target for malicious agents. + +**Note on Attack Surface**: WebMCP does not inherently expand the attack surface, the underlying functionality already exists and may already be accessible through the user visible UI. However, WebMCP tools can become an additional target if attackers find vulnerabilities in the tool's implementation or backend processing logic that differ from the UI-based flow. + +**Example Attack**: + +```js +// Website implements a high-value tool for agents +navigator.modelContext.registerTool({ + name: "reset-password", + description: "Initiate a password reset for a user", + inputSchema: { + type: "object", + properties: { + username: { type: "string" }, + justification: { type: "string" } + } + }, + execute: async ({ username, justification }) => { + // While password reset would likely already be possible through the UI, + // this WebMCP tool becomes another potential target. + // Attackers may attempt to exploit differences in validation + // or bypass checks specific to this implementation. + + await processPasswordResetRequest(username, justification); + } +}); +``` + ### 2. Misrepresentation of Intent **Problem**: There is no guarantee that a WebMCP tool's declared intent matches its actual behavior. From c4af04c3e89867900e45d19c4cee7f144d2ed12d Mon Sep 17 00:00:00 2001 
From: Victor Huang Date: Mon, 8 Dec 2025 14:47:14 -0800 Subject: [PATCH 2/3] enhance clarity on attack vectors and surface in WebMCP documentation --- docs/security-privacy-considerations.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/security-privacy-considerations.md b/docs/security-privacy-considerations.md index 62f0375..af0f4df 100644 --- a/docs/security-privacy-considerations.md +++ b/docs/security-privacy-considerations.md @@ -160,9 +160,9 @@ Websites exposing valuable functionality through WebMCP tools can themselves bec - **Assets at Risk**: - High-value actions exposed by the tool (e.g., database access, transactions) -**How It Works**: When websites additionally expose such functionality via WebMCP tools, they create another potential target for malicious agents. +**How It Works**: Websites have high-value functionality (e.g., password resets, transactions) through their UI. Agents capable of manipulating rendered elements can already interact with this functionality. When websites additionally expose such functionality via WebMCP tools, they create another potential target for malicious agents. -**Note on Attack Surface**: WebMCP does not inherently expand the attack surface, the underlying functionality already exists and may already be accessible through the user visible UI. However, WebMCP tools can become an additional target if attackers find vulnerabilities in the tool's implementation or backend processing logic that differ from the UI-based flow. +**Note on Attack Surface**: WebMCP does not inherently expand the attack surface as the underlying functionality likely already exists via the website's UI. However, agents interacting with UI elements (clicking buttons, filling forms) exercise a different code path than agents calling WebMCP tools directly. These different paths may have different validation logic or security checks, potentially introducing exploitable vulnerabilities. **Example Attack**: 
From e8b1417b21ea7640aeaaf1b76fa044e83cd9fb9f Mon Sep 17 00:00:00 2001 From: Victor Huang Date: Tue, 9 Dec 2025 15:38:34 -0800 Subject: [PATCH 3/3] refine threat actor description in security considerations --- docs/security-privacy-considerations.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/security-privacy-considerations.md b/docs/security-privacy-considerations.md index af0f4df..164e95e 100644 --- a/docs/security-privacy-considerations.md +++ b/docs/security-privacy-considerations.md @@ -155,7 +155,7 @@ navigator.modelContext.registerTool({ Websites exposing valuable functionality through WebMCP tools can themselves become targets for attacks. -- **Threat Actor**: Malicious users controlling or manipulating agents using WebMCP +- **Threat Actor**: Malicious actors who gain control of agents with access to WebMCP tools - **Target**: Websites implementing valuable or sensitive WebMCP tools - **Assets at Risk**: - High-value actions exposed by the tool (e.g., database access, transactions)
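Review bot: In the PATCH 1/3 hunk, the new "Tool Implementation as Attack Targets" section describes a threat but, unlike the surrounding sections, lists no mitigation, and the `reset-password` example hands `username` and `justification` straight to `processPasswordResetRequest` with no visible authorization or input validation. Since the "Note on Attack Surface" argument rests on the tool path being no weaker than the UI path, suggest adding a "Mitigation" bullet stating that the tool's `execute` handler must route through the same server-side authentication, authorization and validation as the UI flow rather than a separate backend entry point, and that tool inputs are untrusted even when they arrive from an agent acting for a signed-in user. A comment to that effect in the example (for instance above the `await processPasswordResetRequest(...)` line) would make the intended guidance concrete instead of only illustrating the risk. Minor: the original "Note on Attack Surface" sentence is a comma splice ("expand the attack surface, the underlying functionality"); PATCH 2/3 already rewrites it.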
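Review bot: In the PATCH 2/3 hunk, the rewritten "Note on Attack Surface" now makes the right point (UI interaction and direct tool calls exercise different code paths, which may carry different validation or security checks), but the text stops at "potentially introducing exploitable vulnerabilities" without saying what implementers should do about it. Suggest following that sentence with concrete advice the reader can act on: share one validation and authorization layer between the UI handler and the WebMCP tool handler, and log tool invocations distinctly from UI-originated requests so that divergence between the two paths can be noticed and tested. Wording nit in the "How It Works" line: "Websites have high-value functionality ... through their UI" reads awkwardly; "Websites expose high-value functionality ... through their UI" matches the surrounding sentences.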
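Review bot: In the PATCH 3/3 hunk, the new "Threat Actor" wording ("Malicious actors who gain control of agents with access to WebMCP tools") narrows the actor to someone who has compromised an agent, while the previous wording also covered a user who simply directs their own agent at the tool. Both cases reach the same `execute` handler and the section's "Assets at Risk" and example apply equally to either, so suggest phrasing that keeps both, e.g. "Malicious actors operating, or having gained control of, agents with access to WebMCP tools". Also worth a one-line clarification that the scenario includes a legitimate agent being steered by a compromised or untrusted party, since that is the case the "different code paths" reasoning in the updated note is most relevant to.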