What it is
The Model Context Protocol is Anthropic’s open standard for letting an LLM call tools: read files, query a database, send mail, push to GitHub. An MCP server is a small process that advertises “tools” (functions described by JSON Schema) over JSON-RPC, either on stdio to a local client or over HTTP, where the original transport pairs a server-sent-events stream (GET /sse) with a POST endpoint for requests and the newer Streamable HTTP transport folds both into a single endpoint; any compatible client (Claude Desktop, Cursor, Cline) can connect, enumerate the catalogue, and invoke tools on the model’s behalf. It’s an elegant design: a single protocol for all of agentic tool-calling. And it has spread fast.
What goes wrong
The protocol itself authenticates nobody. The stdio transport trusts whoever
launched the process, and the HTTP transport leaves authorization to an
optional OAuth layer (added in the March 2025 spec revision) that a server is
free to skip. A tremendous amount of operator effort goes into the tool
definitions and almost none into the transport: most of the deployments we
find expose /sse directly to the public internet with no auth at all. Nothing
in the handshake identifies the caller: an anonymous client sends initialize,
then the initialized notification, then tools/list, and the server answers
with the entire tool catalogue: names, descriptions, parameter schemas. From
there an attacker sends tools/call for anything in the list, and the handler
runs with the operator’s credentials, which are baked into the server-side
process.
How we test
Our deep MCP enumerator opens an SSE channel, walks the JSON-RPC handshake (initialize, the initialized notification, tools/list), captures the tool list, and probes each tool’s schema with synthetic arguments to confirm reachability. We classify the catalogue by sensitivity (file-system access, mail/IM connectors, IAM/cluster operations) and follow up with single high-signal invocations to validate exploitability. We then map the tool implementations back to the operator (often via leaked tokens, repository references, or Claude Desktop config patterns) so the disclosure reaches the actual maintainer rather than the abuse desk of an unrelated cloud provider.
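A minimal version of that walk, added here as an illustration and not the enumerator described above: it speaks the legacy HTTP+SSE transport (the one behind /sse), sends the initialize / initialized / tools/list sequence, buckets the returned catalogue by sensitivity, and builds a reachability probe that confirms a handler is wired without executing it (empty arguments to a tool that declares required parameters elicit a validation error rather than a side effect). The client name, the keyword buckets, the /messages endpoint path and the sample transcript are constructed assumptions; only the JSON-RPC method names and the 2024-11-05 protocol version come from the spec.

```python
"""Added example, not the scanner's own code: walk the legacy MCP HTTP+SSE transport
(GET /sse -> 'endpoint' event -> POST JSON-RPC, replies on the stream), pull the tool
catalogue, triage it and build a side-effect-free reachability probe per tool.
The client name, keyword buckets and the sample stream below are constructed."""
import json
import urllib.parse
import urllib.request

PROTOCOL_VERSION = "2024-11-05"  # spec revision that defined the HTTP+SSE transport


def parse_sse(lines):
    """Yield (event, data) pairs: a blank line dispatches, data: lines join with newlines."""
    event, data = "message", []
    for raw in lines:
        line = raw.rstrip("\r\n")
        if not line:
            if data:
                yield event, "\n".join(data)
            event, data = "message", []
        elif line.startswith("event:"):
            event = line[6:].strip()
        elif line.startswith("data:"):
            data.append(line[5:].lstrip())
    if data:
        yield event, "\n".join(data)


def jsonrpc(method, params=None, msg_id=None):
    """A request when msg_id is given; otherwise a notification, which gets no reply."""
    return {k: v for k, v in (("jsonrpc", "2.0"), ("method", method), ("params", params),
                              ("id", msg_id)) if v is not None}


def handshake_messages():
    """initialize, notifications/initialized, tools/list: all an open /sse asks of a client."""
    init = {"protocolVersion": PROTOCOL_VERSION, "capabilities": {},
            "clientInfo": {"name": "mcp-enum", "version": "0.1"}}  # client name is made up
    return [jsonrpc("initialize", init, 1), jsonrpc("notifications/initialized"),
            jsonrpc("tools/list", {}, 2)]


def wait_reply(events, msg_id):
    """Read message events off the stream until the reply carrying this id arrives."""
    for event, data in events:
        reply = json.loads(data) if event == "message" else {}
        if reply.get("id") == msg_id:
            return reply
    raise RuntimeError(f"stream closed before reply to id {msg_id}")


# Substring buckets are a crude assumption ('iam' also hits 'diamond'); tune per catalogue.
SENSITIVITY = {"filesystem": ("read_file", "write_file", "list_directory", "path"),
               "mail_im": ("mail", "smtp", "slack", "teams", "channel"),
               "iam_cluster": ("iam", "kubectl", "kubernetes", "pod", "cluster")}


def classify(tool):
    text = " ".join((tool.get("name", ""), tool.get("description", ""),
                     json.dumps(tool.get("inputSchema", {})))).lower()
    return [b for b, words in SENSITIVITY.items() if any(w in text for w in words)]


def reachability_probe(tool, msg_id):
    """tools/call with empty arguments: a wired handler rejects it (JSON-RPC -32602 or
    isError), proving it is reachable without running it. Real arguments only for read-only tools."""
    if not tool.get("inputSchema", {}).get("required"):
        raise ValueError(f"{tool['name']} takes no arguments; an empty call would run it")
    return jsonrpc("tools/call", {"name": tool["name"], "arguments": {}}, msg_id)


def triage(sse_text):
    """One row per tool from a captured SSE transcript: name, buckets, probe message."""
    tools = wait_reply(parse_sse(sse_text.splitlines(True)), 2)["result"]["tools"]
    return [{"name": t["name"], "buckets": classify(t), "probe": reachability_probe(t, 100 + i)}
            for i, t in enumerate(tools)]


def enumerate_live(base_url, timeout=15.0):
    """Live run (not exercised offline): POSTs get 202, every reply comes on the /sse stream."""
    stream = urllib.request.urlopen(base_url.rstrip("/") + "/sse", timeout=timeout)
    events = parse_sse(raw.decode("utf-8", "replace") for raw in stream)
    event, data = next(events)  # first event names the POST endpoint, session id included
    assert event == "endpoint", event
    post_url = urllib.parse.urljoin(base_url, data)
    for msg in handshake_messages():
        req = urllib.request.Request(post_url, json.dumps(msg).encode(),
                                     {"Content-Type": "application/json"}, method="POST")
        urllib.request.urlopen(req, timeout=timeout).close()
        reply = wait_reply(events, msg["id"]) if "id" in msg else None
    return [{"name": t["name"], "buckets": classify(t)} for t in reply["result"]["tools"]]


# Constructed transcript of an open server; tools/list is split over several data: lines.
SAMPLE_STREAM = """\
event: endpoint
data: /messages?sessionId=3f2a

event: message
data: {"jsonrpc":"2.0","id":1,"result":{"protocolVersion":"2024-11-05","capabilities":{"tools":{}},"serverInfo":{"name":"ops-mcp","version":"1.0"}}}

event: message
data: {"jsonrpc":"2.0","id":2,"result":{"tools":[
data: {"name":"read_file","description":"Read a file from the host","inputSchema":{"type":"object","properties":{"path":{"type":"string"}},"required":["path"]}},
data: {"name":"send_slack_message","description":"Post to a Slack channel as the ops bot","inputSchema":{"type":"object","properties":{"channel":{"type":"string"},"text":{"type":"string"}},"required":["channel","text"]}},
data: {"name":"kubectl_exec","description":"Run a command in a pod","inputSchema":{"type":"object","properties":{"pod":{"type":"string"},"cmd":{"type":"array","items":{"type":"string"}}},"required":["pod","cmd"]}}
data: ]}}
"""
```

Run triage(SAMPLE_STREAM) offline, or enumerate_live("https://host:port") against a server you are authorized to test. A server on the newer Streamable HTTP transport answers each POST on a single endpoint with JSON or its own SSE stream, so a 404 on /sse does not by itself mean the server is closed; probe that endpoint with the same three messages.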