Unit 42 Identifies Three MCP Sampling Attack Vectors: Resource Theft, Conversation Hijacking, and Covert Tool Invocation — With Three-Layer Defense Framework
Palo Alto Unit 42 published research showing that MCP sampling's implicit trust model enables malicious servers to append hidden prompts that drain compute (resource theft), inject persistent instructions that alter all subsequent responses (conversation hijacking), and trigger unauthorized file writes without user awareness (covert tool invocation). Defense requires three layers: request sanitization with strict templates separating user content from server modifications, response filtering with explicit user approval for all tool executions, and access controls with capability declarations and rate limiting. Detection indicators include injection markers like [INST], zero-width characters, and Base64 encoding in prompts.
Source
↳ Follow the thread