alt Hacker NewsExposed MCP servers across the internet
Comments
> We identified a total of 1,862 MCP servers exposed to the internet. From this set, we manually verified a sample of 119. All 119 servers granted access to internal tool listings without authentication.
The tool listings are not necessarily a secret, so not sure how this is "exposed". We have a public MCP, anyone can read our tool listings, but to actually use the tools you need to authenticate.
It's like 2010 all over again: People would put api.domain.com up and no auth - great times for builders..and ill-intentioned folks!
I’m with @NitpickLawyer on this; the scan is cool, but I was hoping for a bit more detail on what’s actually being exposed. Even something like a breakdown of common tool names or clustering by function type would’ve been really insightful.
That said, it’s still surprising (and a little funny) to see how fast these things end up public. Probably lots of default setups left running without realizing they’re wide open.
Hmmm. I thought that's the idea of MCP server - give LLM an interface to use your service. Why would it require authentication? One of the tools could be to authenticate. Please destroy this position if I'm wrong.
Yep, if you put something on the open internet it needs authentication or it is public to everyone. This isn't a vulnerability unique to MCP - plenty of databases, REST APIs, S3 buckets, and other sorts of resources have been left open before. MCP is just the latest shiny thing people can leave unsecured.
Do major LLM providers, which allow the user of remote MCP to my own servers announce the IP ranges from which they will contact my servers?
In that case, limiting the remote IPs would also be useful. I haven't played around with MCP, but it's on my todo list.
> At no point did we use tools/call or any command that could trigger actions, incur API usage costs, or alter data.
At this point I'm convinced it's not possible to predict this with MCP servers (or LLMs generally). You just don't know what it's definitively going to do when you poke it, even with a simple question like "What do you do".
MCP is not mature enough to put servers in an Internet facing position. Unless you put gateways (inspecting JWTs, filtering out sensitive data) in front of them. Spec still has a long way to go, especially on the Streamable HTTP/SSE + OAuth front.
Not that surprising when looking at the quality of 99% of the MCP projects. Vibe hacks that are just for github stars.
What happened to best practices? Starting a demo locally is something but opening it up to the internet irresponsibly is something else.
In what way were the not "secure"? Showing you their schema is literally what they are supposed to do.
I mean, MCP servers have tons of sec vulnerabilities but "showing you their schema" and "having bugs" aren't vulns.
> We identified a total of 1,862 MCP servers exposed to the internet. From this set, we manually verified a sample of 119. All 119 servers granted access to internal tool listings without authentication.
Here we go again.
Before we had seen (and there still) MongoDB databases exposed all over the internet with zero credentials protecting them. (you can just connect to them and you are in.)
Now we have exposed MCP servers waiting to be prompt injected and their data to be exfiltrated from say, a connected service or database if they are connected to any. [0]
So now you can just talk to anyone's exposed MCP server and ask for the secret passwords, environment variables and sensitive data.
And the AI will just hand it all over.
Sure, but I was expecting more details on what was available. At least some analysis (perhaps using embeddings) on common function names, types, etc. What are people exposing? Is there overlap? What % of the open servers looked the same (indicating a common example / tutorial deployment)? What's the proportion of read/write functions (again using embeddings / word cloud maybe?)...
As is the article feels a bit light on details. I'm not surprised that there are open servers out there, but if you're writing an article about that, at least provide interesting details.