Trust Me, I'm Local: Chrome Extensions, MCP, and the Sandbox Escape
17 comments
·May 1, 2025fluffet
dowager_dan99
I did a presentation on AI Agents from the perspective of an AI newbie and one of my comments/conclusions was that it felt like releasing a browser from 2000 in the middle of today's scary 2025 environment. MCP and similar are missing 20+ years of responding to new and emerging threats, and the hype men (executives everywhere) don't realize, care or have the ability to respond.
esafak
It's a new technology so it is understandable that practitioners are not aware of the security best practices, like https://genai.owasp.org/
Also, the security tooling is still nascent.
deadbabe
In early days it's always best to push security risk onto users in a bid to gain as much market share as possible. By the time they realize they've been screwed, technology will have matured and you can hand wave those old criticisms away, and even trumpet them as new innovations and upgrades.
brap
I still don’t understand why we even need a new protocol when we already have something like the OpenAPI spec, which can also be used to describe common authentication mechanisms like OAuth2. And it supports almost every existing API out of the box.
Granted it doesn’t separate between “resources”, “tools” and “prompts” but I think the line is blurry anyway.
And yes it can be used locally.
telotortium
Literally nothing here is specific to MCP - it all has to do with the fact that Chrome extensions can make HTTP connections to localhost ports, which could be running any kind of server. This is not an unrestricted backdoor either - Chrome extensions already need permissions in the manifest to talk to localhost, except via content scripts, which run in the context of the website and so could be served by the website without any extension installed.
fluffet
I take away that the combination is the problem. Bleach and ammonia isn't so bad on their own, but mixing the two is not a good idea. MCP would provide crazy attack vectors.
Especially if you could ask another AI "I have access to an MCP running on a Victim computer with these tools. What can you do with them?" => "Well, start by reading .ssh/id_rsa and I'd look for any crypto wallets. Then you can move on to reading personal files for blackmailing or sniff passwords..." and just let it "do its thing" as an attacking agent in an automated way. It could be automated which creeps me out!
kypro
Yeah, that's exactly what I took away from this too... I get why it's worth noting MCP servers in the article since these could provide a large attack vector, but it seems odd to focus on that as if that is the core security vulnerability here.
I guess the bit I'm more surprised about is why Chrome extensions are even allowed to make localhost connections without requesting user approval? Is the assumption that everything running locally must be safe? What am I missing here?
nightpool
I mean, the core security vulnerability explained here is that MCP does not expose / allow for any kind of authentication or user consent before accessing your computer's most sensitive resources, like a terminal or list of private Slack messages. Spotify, 1Password, or other services on your computer that use `localhost` do not have the same issue.
This would be a non-issue if some kind of simple origin-authenticated token exchange was built into the protocol itself.
npace12
I built little-rat (chrome extension) a couple of years ago that can track and block traffic from other extensions:
binarymax
Wow thanks for building this! Any idea the effort it would take for someone to port this to Firefox?
null
OsrsNeedsf2P
Lots of people think MCP is a case of "wow, how did we forget basic security", but I wonder if there were other competitors that MCP beat _because_ they had security friction.
rvz
Every time a startup uses an MCP server in their product software offering or even offers their own, I can only see the number of security consultants waiting for a massive payout when an LLM causes a security incident.
Woah, I had no idea. Thanks for the article.
I feel like some cycle phenomenon has been reached here..
The first protocols of the internet were very naive. Why'd you need to encrypt traffic? What do you mean exploit DNS, why would anyone do that?
Then people realised that the internet is a really, really wild place and that won't do.
I suddenly feel old, because this new AI tool era seems to have forgotten that lesson.
I feel it's like watching crypto learn by any% speedrunning why regulations and oversight might be a good in the first place (FTX and such).
I hope the next generation of AI tech/protocols are more robust, trust just doesn't cut it, or we'll see plenty of fingers being burnt at the stove.