undefined | Better HN

0 pointsrenewiltord8mo ago0 comments

Did you? It beggars belief how stupid this is. Yes, if you hook up your Claude client to an email MCP and a shell MCP then it's like you're piping emails to your shell.

0 comments

NitpickLawyer8mo ago

The underlying cause can be applied in other contexts. There was recently a flow where this vulnerability was exploited through an IDE working on customer tickets.

Don't dismiss the root cause because the usecase is silly. The moment some user provided input reaches an LLM context, all bets are off. If you're running any local tools that provide shell access, then it's RCE, if you're running a browser / fetch tool that's data exfil, and so on.

The root cause is that LLMs receive both commands and data on the same shared channel. Until (if) this gets fixed, we're gonna see lots and lots of similar attacks.

simonw8mo ago

Lots of people are doing that though.

MCP enabled software gives you a list of options. If you check the Gmail one and the shell one you are instantly vulnerable to this kind of attack.

shakna8mo ago

Stupid? Yes.

Common? Also, yes.

This one targets Claude. But we've already seen it with Copilot and I expect we'll soon see it hit Gemini, and others.

AI is being forcibly integrated across all major systems. Your email provider will set this up, if they haven't already.

simonw8mo ago

Have you seen an "official" MCP directly provided by an email service yet?

I had assumed they weren't doing this precisely because of the enormous risk - if you have the ability to both read and send email you have all three legs of the lethal trifecta in one MCP!

So far, I have only seen unofficial MCPs for things like Gmail that work using their existing APIs.

shakna8mo ago

"Since Copilot is integrated with Microsoft 365, the scope of risk included files, contracts, communications, financial data, and more."

https://windowsforum.com/threads/echoleak-cve-2025-32711-cri...

"At Microsoft, we believe in creating tools that empower you to work smarter and more efficiently. That’s why we’re thrilled to announce the first release of Model Context Protocol (MCP) support in Microsoft Copilot Studio. With MCP, you can easily add AI apps and agents into Copilot Studio with just a few clicks."

https://www.microsoft.com/en-us/microsoft-copilot/blog/copil...

1 more reply

j / k navigate · click thread line to collapse

0 comments

NitpickLawyer8mo ago

The underlying cause can be applied in other contexts. There was recently a flow where this vulnerability was exploited through an IDE working on customer tickets.

The root cause is that LLMs receive both commands and data on the same shared channel. Until (if) this gets fixed, we're gonna see lots and lots of similar attacks.

simonw8mo ago

Lots of people are doing that though.

MCP enabled software gives you a list of options. If you check the Gmail one and the shell one you are instantly vulnerable to this kind of attack.

shakna8mo ago

Stupid? Yes.

Common? Also, yes.

This one targets Claude. But we've already seen it with Copilot and I expect we'll soon see it hit Gemini, and others.

AI is being forcibly integrated across all major systems. Your email provider will set this up, if they haven't already.

simonw8mo ago

Have you seen an "official" MCP directly provided by an email service yet?

I had assumed they weren't doing this precisely because of the enormous risk - if you have the ability to both read and send email you have all three legs of the lethal trifecta in one MCP!

So far, I have only seen unofficial MCPs for things like Gmail that work using their existing APIs.

shakna8mo ago

"Since Copilot is integrated with Microsoft 365, the scope of risk included files, contracts, communications, financial data, and more."

https://windowsforum.com/threads/echoleak-cve-2025-32711-cri...

https://www.microsoft.com/en-us/microsoft-copilot/blog/copil...

1 more reply

j / k navigate · click thread line to collapse