Data Exfiltration via an MCP Server used by Cursor - AI Case Study
AI Case StudyThe Backslash Security Research Team demonstrated that a Model Context Protocol (MCP) tool can be used as a vector for an indirect prompt injection attack on Cursor, potentially leading to the execution of malicious shell commands. The Backslash Security Research Team created a proof-of-concept MCP server capable of scraping webpages. When a user asks Cursor to use the tool to scrape a site containing a malicious...
Overview
Risk patterns
Patterns found in the case record and its linked vulnerabilities.
- 1Dominant ATLAS tactic. Resource Development appears in 3 case steps.
- 2Multiple attack methods. The case connects to 9 unique AI attack methods.
Procedure timeline
Search the case steps or filter them by attacker goal.
-
Resource Development
Step 1
LLM Prompt Crafting
The researchers crafted a malicious prompt containing an instruction to execute the malicious shell command to exfiltrate the victim’s AI agent credentials.
-
Resource Development
Step 2
Stage Capabilities
The researchers created a malicious web site containing the malicious prompt.
-
Defense Evasion
Step 3
LLM Prompt Obfuscation
The malicious prompt was hidden in the title tag of the webpage.
-
Resource Development
Step 4
Stage Capabilities
The researchers launched a web server to receive data exfiltrated from the victim.
-
Initial Access
Step 5
Drive-by Compromise
When a user asked Cursor to use an MCP tool to scrape the malicious website, the contents of the malicious prompt was retrieved and ingested into Cursor’s context window.
-
Execution
Step 6
Indirect
When the MCP server scraped the malicious web site, it returned the injected prompt to the MCP client and poisoned the context of the Cursor LLM. Cursor executed the malicious prompt embedded in the website scraped by the MCP tool.
-
Privilege Escalation
Step 7
AI Agent Tool Invocation
The prompt injection invoked Cursor’s ability to call command line tools via the
run_terminal_cmdtool. Cursor prompted the user before executing a shell command, potentially mitigating this attack. -
Defense Evasion
Step 8
LLM Prompt Obfuscation
When the MCP server scraped the malicious web site, it returned the injected prompt to the MCP client and poisoned the context of the Cursor LLM. The shell command in the malicious prompt was obscured via base64 encoding, making it less clear to the user that something malicious may be executed.
-
Credential Access The shell command located the
.openapi.apiKeyand.cursor/mcp.jsoncredentials files that were part of the Cursor’s configuration. -
Exfiltration The credentials files were exfiltrated to the researcher’s server via a
curlcommand invoked by Cursor'srun_terminal_cmdtool. -
Impact
Step 11
Financial Harm
A bad actor could use the stolen credentials cause financial damage and could also steal other sensitive information from the victim user.
Mitigations
Defenses connected to the attack methods in this case.
AI Agent Tools Permissions Configuration
When deploying tools that will be shared across multiple AI agents, it is important to implement robust policies and controls on permissions for the tools. These controls include applying the principle of least privilege along with delegated access, where the tools receive the permissions, identities, and restrictions of the AI agent calling them. These configurations may be implemented either in MCP servers which connect the agents to the tools calling them or, in more complex cases, directly in the configuration files of the tool.
AI Telemetry Logging
Implement logging of inputs and outputs of deployed AI models. When deploying AI agents, implement logging of the intermediate steps of agentic actions and decisions, data access and tool use, installation commands, and identity of the agent. Monitoring logs can help to detect security threats and mitigate impacts.
Additionally, having logging enabled can discourage adversaries who want to remain undetected from utilizing AI resources.
Generative AI Guardrails
Guardrails are safety controls that are placed between a generative AI model and the output shared with the user to prevent undesired inputs and outputs. Guardrails can take the form of validators such as filters, rule-based logic, or regular expressions, as well as AI-based approaches, such as classifiers and utilizing LLMs, or named entity recognition (NER) to evaluate the safety of the prompt or response. Domain specific methods can be employed to reduce risks in a variety of areas such as etiquette, brand damage, jailbreaking, false information, code exploits, SQL injections, and data leakage.
Generative AI Guidelines
Guidelines are safety controls that are placed between user-provided input and a generative AI model to help direct the model to produce desired outputs and prevent undesired outputs.
Guidelines can be implemented as instructions appended to all user prompts or as part of the instructions in the system prompt. They can define the goal(s), role, and voice of the system, as well as outline safety and security parameters.
Showing 4 of 10
Source evidence
Original public records and references for this case.
Original source
Original source links
Open the MITRE ATLAS data and public references used for this case study.
