←back to thread

Supabase MCP can leak your entire SQL database

(www.generalanalysis.com)
780 points rexpository | 1 comments | 08 Jul 25 17:46 UTC | HN request time: 0.253s | source
Show context
tptacek ◴[08 Jul 25 19:15 UTC] No.44503091[source]
This is just XSS mapped to LLMs. The problem, as is so often the case with admin apps (here "Cursor and the Supabase MCP" is an ad hoc admin app), is that they get a raw feed of untrusted user-generated content (they're internal scaffolding, after all).

In the classic admin app XSS, you file a support ticket with HTML and injected Javascript attributes. None of it renders in the customer-facing views, but the admin views are slapped together. An admin views the ticket (or even just a listing of all tickets) and now their session is owned up.

Here, just replace HTML with LLM instructions, the admin app with Cursor, the browser session with "access to the Supabase MCP".

replies(4): >>44503182 #>>44503194 #>>44503269 #>>44503304 #
1. wrs ◴[08 Jul 25 19:25 UTC] No.44503182[source]
SimonW coined (I think) the term “prompt injection” for this, as it’s conceptually very similar to SQL injection. Only worse, because there’s currently no way to properly “escape” the retrieved content so it can’t be interpreted as part of the prompt.