Commit 7ac293c

pcarleton and localden authored
Apply suggestions from code review
Co-authored-by: Den Delimarsky 🌺 <[email protected]>
1 parent 7f98a4e commit 7ac293c

2 files changed

+4
-4
lines changed

docs/specification/draft/basic/authorization.mdx

Lines changed: 1 addition & 1 deletion
@@ -299,7 +299,7 @@ Authorization servers **SHOULD** only automatically redirect the user agent if i
299299

300300
### 3.4 Confused Deputy Problem
301301

302-
An attacker can exploit configurations where an MCP server acts as an intermediary between MCP clients and a protected third-party API, leading to the confused deputy problem. The attacker can acquire and exchange a stolen authorization code for access tokens for the MCP server without the user's consent. Consult [Security Best Practices section 2.1](/specification/draft/basic/security_best_practices) for a more detailed description.
302+
Attackers can exploit MCP servers acting as intermediaries to third-party APIs, leading to confused deputy vulnerabilities. By using stolen authorization codes, they can obtain access tokens without user consent. See [Security Best Practices 2.1](/specification/draft/basic/security_best_practices) for details.
303303

304304
MCP proxy servers that use a static client ID for third-party services MUST require explicit
305305
approval for each dynamically registered client before forwarding requests to the
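Review bot: In the replacement paragraph under 3.4, "they can obtain access tokens without user consent" no longer says which tokens are at stake; the removed text specified "access tokens for the MCP server" and that the stolen code is exchanged for them. Suggest keeping that qualifier, for example "exchange stolen authorization codes for MCP server access tokens without user consent", so readers do not take it to mean third-party API tokens. The link text is now "Security Best Practices 2.1" while the target is the page path with no section anchor; either keep the word "section" in the text or point the link at the 2.1 heading.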

docs/specification/draft/basic/security_best_practices.mdx

Lines changed: 3 additions & 3 deletions
@@ -16,7 +16,7 @@ This section gives a detailed description of attacks on MCP implementations, alo
1616

1717
### 2.1 Confused Deputy Problem
1818

19-
An attacker can exploit configurations where an MCP server operates as a proxy in front of another resource server, leading to the confused deputy problem.
19+
Attackers can exploit MCP servers proxying other resource servers, creating "[confused deputy](https://en.wikipedia.org/wiki/Confused_deputy_problem)" vulnerabilities.
2020

2121
#### 2.1.1 Terminology
2222

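Review bot: The rewritten opening sentence of 2.1 says attackers exploit these servers, "creating ... vulnerabilities", which reads as if the attacker's action creates the weakness rather than the proxy configuration; the removed wording ("leading to the confused deputy problem") also matched the section heading. Suggest something like "MCP servers that proxy other resource servers can be exploited as confused deputies". The quotation marks around the linked term are redundant with the link itself, and it is worth confirming that an external Wikipedia link is acceptable as the definition in a specification page.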
@@ -89,9 +89,9 @@ authorization server that does not support dynamic client registration, the foll
8989
attack becomes possible:
9090

9191
1. A user authenticates normally through the MCP proxy server to access the third-party API
92-
2. During this legitimate flow, the third-party authorization server sets a cookie on the user agent
92+
2. During this flow, the third-party authorization server sets a cookie on the user agent
9393
indicating consent for the static client ID
94-
3. An attacker later sends the user a malicious link containing a crafted authorization request
94+
3. An attacker later sends the user a malicious link containing a crafted authorization request which contains a malicious redirect URI along with a new dynamically registered client ID
9595
4. When the user clicks the link, their browser still has the consent cookie from the previous legitimate request
9696
5. The third-party authorization server detects the cookie and skips the consent screen
9797
6. The MCP authorization code is redirected to the attacker's server (specified in the crafted redirect_uri during dynamic client registration)
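Review bot: Step 3 now mentions "a new dynamically registered client ID", but no step says who registers that client or where, while step 6 relies on the redirect_uri having been set "during dynamic client registration". Suggest stating that the attacker registers the client beforehand (presumably with the MCP proxy server, since the hunk context says the third-party authorization server does not support dynamic client registration), either as its own step or within step 3. The sentence also stacks "containing ... which contains"; "a crafted authorization request with a malicious redirect URI and a new dynamically registered client ID" reads more cleanly. Step 2 drops "legitimate" while step 4 still refers to "the previous legitimate request", so the two should agree.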
