←back to thread

Supabase MCP can leak your entire SQL database

(www.generalanalysis.com)
780 points rexpository | 8 comments | 08 Jul 25 17:46 UTC | HN request time: 1.504s | source | bottom
1. raspasov ◴[08 Jul 25 22:44 UTC] No.44504711[source]
The MCP hype is real, but top of HN?

That's like saying that if anyone can submit random queries to a Postgres database with full access, it can leak the database.

That's like middle-school-level SQL trivia.

replies(3): >>44504731 #>>44505108 #>>44505154 #
2. gtirloni ◴[08 Jul 25 22:50 UTC] No.44504731[source]
Yes, but some lessons need to be re-learned over and over so it's seems totally fine that this is here considering how MCP is being promoted as the "integration to rule them all".
replies(1): >>44504756 #
3. raspasov ◴[08 Jul 25 22:54 UTC] No.44504756[source]
MCP is the new GraphQL.
4. vidarh ◴[09 Jul 25 00:01 UTC] No.44505108[source]
The fact that a fairly established company made a mistake like this makes it newsworthy.
replies(1): >>44506738 #
5. simonw ◴[09 Jul 25 00:10 UTC] No.44505154[source]
> That's like saying that if anyone can submit random queries to a Postgres database with full access, it can leak the database.

The problem as more subtle than that.

Here, we are saying that if the developer of a site - who can already submit random queries to Postgres any time they like - rigs up an LLM-powered assistant to help them do that, an attacker can trick that assistant into running queries on the attacker's behalf by sneaking malicious text into the system such that it is visible to the LLM in one of the database tables.

replies(1): >>44505387 #
6. raspasov ◴[09 Jul 25 01:01 UTC] No.44505387[source]
I don't understand how that's more subtle than allowing random queries. It only feels different due to the additional probabilistic layer of indirection (the LLM), but the ability is still there.

> who can already submit random queries to Postgres any time they like

A predefined, static set of queries curated by a human with common sense. LLMs have no common sense. They have context.

An LLM that takes user input and has access to a database can generate and run any query. We don't understand what queries might be generated and under what input, and I don't think we will anytime soon.

7. raspasov ◴[09 Jul 25 05:59 UTC] No.44506738[source]
I see no mistake (not associated with Supabase).
replies(1): >>44508319 #
8. vidarh ◴[09 Jul 25 10:37 UTC] No.44508319{3}[source]
Well, I see one that would categorically prevent me from being willing to enable MCP use with Supabase, namely the lack of sufficiently fine grained permissions.

And they've confirmed they're working on more fine grained permissions as one of several mitigations.