38 changes: 38 additions & 0 deletions docs/security-privacy-considerations.md
Expand Up @@ -151,6 +151,44 @@ navigator.modelContext.registerTool({
});
```

##### 3. Tool Implementation as Attack Targets

Websites exposing valuable functionality through WebMCP tools can themselves become targets for attacks.

- **Threat Actor**: Malicious actors who gain control of agents with access to WebMCP tools
- **Target**: Websites implementing valuable or sensitive WebMCP tools
- **Assets at Risk**:
- High-value actions exposed by the tool (e.g., database access, transactions)

**How It Works**: Websites have high-value functionality (e.g., password resets, transactions) through their UI. Agents capable of manipulating rendered elements can already interact with this functionality. When websites additionally expose such functionality via WebMCP tools, they create another potential target for malicious agents.
Comment (Contributor Author):

@khushalsagar I'm opening a new PR to add back the 3rd point for prompt injection attacks. I'm focusing here more on the fact that the WebMCP tools themselves are potentially a target and clearing them up here.

Comment (Collaborator):

The threat actor listed here is a malicious user, but that doesn't make sense to me. The user already has access to this functionality via the site.

I can imagine a malicious origin manipulating an agent to use a high-value action offered by another site. But that is covered by the attack vectors above. So I'm not following what additional threats this is meant to cover...

Comment (Contributor Author):

I must have glossed over the threat actor when I changed the focus from prompt injection on the input to the new point on tool implementation as attack targets.

Let me rephrase it - I think this is more about any malicious actor that is able to gain control of agents that have access to WebMCP tools.

Comment (Collaborator):

Hmmm, I'm still not completely convinced that this is highlighting something distinct from other attack vectors. The site has to trust that the Agent being provided with these tools has appropriate mitigations in place so an attacker can't take control of it. Especially with browser-agent, which is conceptually trusted the same way the user-agent/browser is.

But it doesn't hurt to have this. We can discuss on an issue and conclude if anything is needed for this.

**Note on Attack Surface**: WebMCP does not inherently expand the attack surface as the underlying functionality likely already exists via the website's UI. However, agents interacting with UI elements (clicking buttons, filling forms) exercise a different code path than agents calling WebMCP tools directly. These different paths may have different validation logic or security checks, potentially introducing exploitable vulnerabilities.

**Example Attack**:

```js
// Website implements a high-value tool for agents
navigator.modelContext.registerTool({
name: "reset-password",
description: "Initiate a password reset for a user",
inputSchema: {
type: "object",
properties: {
username: { type: "string" },
justification: { type: "string" }
}
},
execute: async ({ username, justification }) => {
// While password reset would likely already be possible through the UI,
// this WebMCP tool becomes another potential target.
// Attackers may attempt to exploit differences in validation
// or bypass checks specific to this implementation.

await processPasswordResetRequest(username, justification);
}
});
```

### 2. Misrepresentation of Intent

**Problem**: There is no guarantee that a WebMCP tool's declared intent matches its actual behavior.
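Review bot: the `reset-password` example at the end of the hunk passes `username` and `justification` straight to `processPasswordResetRequest` with no check of who is invoking the tool and no constraint on either value beyond `type: "string"` in `inputSchema`, while the comment above the call only says attackers "may attempt to exploit differences in validation" without showing what the difference is or how to avoid it. Since the preceding "Note on Attack Surface" paragraph makes the divergence between the UI code path and the tool code path the whole point of this subsection, the example should make that divergence concrete and name the mitigation: state that the UI reset flow performs authorization and input validation server-side and that `execute` must route into that same server-side logic rather than a separate, tool-specific path, for instance with a comment such as `// Route through the same server-side authorization and validation the UI uses` before the `await`. Relatedly, the "Threat Actor" bullet ("Malicious actors who gain control of agents") restates the agent-compromise vectors the thread above already questions as overlapping; rewording it so the actor is anyone who can reach the tool's code path directly would tie the bullet to the validation-divergence argument, and "database access" under "Assets at Risk" reads oddly for a browser-exposed tool, which surfaces site actions rather than database access.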