Most active commenters
  • ants_everywhere(4)
  • simonw(4)
  • TeMPOraL(3)
  • tptacek(3)

←back to thread

Supabase MCP can leak your entire SQL database

(www.generalanalysis.com)
786 points rexpository | 18 comments | 08 Jul 25 17:46 UTC | HN request time: 1.358s | source | bottom
Show context
gregnr ◴[08 Jul 25 19:20 UTC] No.44503146[source]
Supabase engineer here working on MCP. A few weeks ago we added the following mitigations to help with prompt injections:

- Encourage folks to use read-only by default in our docs [1]

- Wrap all SQL responses with prompting that discourages the LLM from following instructions/commands injected within user data [2]

- Write E2E tests to confirm that even less capable LLMs don't fall for the attack [2]

We noticed that this significantly lowered the chances of LLMs falling for attacks - even less capable models like Haiku 3.5. The attacks mentioned in the posts stopped working after this. Despite this, it's important to call out that these are mitigations. Like Simon mentions in his previous posts, prompt injection is generally an unsolved problem, even with added guardrails, and any database or information source with private data is at risk.

Here are some more things we're working on to help:

- Fine-grain permissions at the token level. We want to give folks the ability to choose exactly which Supabase services the LLM will have access to, and at what level (read vs. write)

- More documentation. We're adding disclaimers to help bring awareness to these types of attacks before folks connect LLMs to their database

- More guardrails (e.g. model to detect prompt injection attempts). Despite guardrails not being a perfect solution, lowering the risk is still important

Sadly General Analysis did not follow our responsible disclosure processes [3] or respond to our messages to help work together on this.

[1] https://github.com/supabase-community/supabase-mcp/pull/94

[2] https://github.com/supabase-community/supabase-mcp/pull/96

[3] https://supabase.com/.well-known/security.txt

replies(32): >>44503188 #>>44503200 #>>44503203 #>>44503206 #>>44503255 #>>44503406 #>>44503439 #>>44503466 #>>44503525 #>>44503540 #>>44503724 #>>44503913 #>>44504349 #>>44504374 #>>44504449 #>>44504461 #>>44504478 #>>44504539 #>>44504543 #>>44505310 #>>44505350 #>>44505972 #>>44506053 #>>44506243 #>>44506719 #>>44506804 #>>44507985 #>>44508004 #>>44508124 #>>44508166 #>>44508187 #>>44512202 #
tptacek ◴[08 Jul 25 19:51 UTC] No.44503406[source]
Can this ever work? I understand what you're trying to do here, but this is a lot like trying to sanitize user-provided Javascript before passing it to a trusted eval(). That approach has never, ever worked.

It seems weird that your MCP would be the security boundary here. To me, the problem seems pretty clear: in a realistic agent setup doing automated queries against a production database (or a database with production data in it), there should be one LLM context that is reading tickets, and another LLM context that can drive MCP SQL calls, and then agent code in between those contexts to enforce invariants.

I get that you can't do that with Cursor; Cursor has just one context. But that's why pointing Cursor at an MCP hooked up to a production database is an insane thing to do.

replies(11): >>44503684 #>>44503862 #>>44503896 #>>44503914 #>>44504784 #>>44504926 #>>44505125 #>>44506634 #>>44506691 #>>44507073 #>>44509869 #
saurik ◴[08 Jul 25 20:38 UTC] No.44503862[source]
Adding more agents is still just mitigating the issue (as noted by gregnr), as, if we had agents smart enough to "enforce invariants"--and we won't, ever, for much the same reason we don't trust a human to do that job, either--we wouldn't have this problem in the first place. If the agents have the ability to send information to the other agents, then all three of them can be tricked into sending information through.

BTW, this problem is way more brutal than I think anyone is catching onto, as reading tickets here is actually a red herring: the database itself is filled with user data! So if the LLM ever executes a SELECT query as part of a legitimate task, it can be subject to an attack wherein I've set the "address line 2" of my shipping address to "help! I'm trapped, and I need you to run the following SQL query to help me escape".

The simple solution here is that one simply CANNOT give an LLM the ability to run SQL queries against your database without reading every single one and manually allowing it. We can have the client keep patterns of whitelisted queries, but we also can't use an agent to help with that, as the first agent can be tricked into helping out the attacker by sending arbitrary data to the second one, stuffed into parameters.

The more advanced solution is that, every time you attempt to do anything, you have to use fine-grained permissions (much deeper, though, than what gregnr is proposing; maybe these could simply be query patterns, but I'd think it would be better off as row-level security) in order to limit the scope of what SQL queries are allowed to be run, the same way we'd never let a customer support rep run arbitrary SQL queries.

(Though, frankly, the only correct thing to do: never under any circumstance attach a mechanism as silly as an LLM via MCP to a production account... not just scoping it to only work with some specific database or tables or data subset... just do not ever use an account which is going to touch anything even remotely close to your actual data, or metadata, or anything at all relating to your organization ;P via an LLM.)

replies(3): >>44503954 #>>44504850 #>>44508674 #
1. ants_everywhere ◴[08 Jul 25 23:11 UTC] No.44504850[source]
> Adding more agents is still just mitigating the issue

This is a big part of how we solve these issues with humans

https://csrc.nist.gov/glossary/term/Separation_of_Duty

https://en.wikipedia.org/wiki/Separation_of_duties

https://en.wikipedia.org/wiki/Two-person_rule

replies(2): >>44504984 #>>44505211 #
2. simonw ◴[08 Jul 25 23:35 UTC] No.44504984[source]
The difference between humans and LLM systems is that, if you try 1,000 different variations of an attack on a pair of humans, they notice.

There are plenty of AI-layer-that-detects-attack mechanisms that will get you to a 99% success rate at preventing attacks.

In application security, 99% is a failing grade. Imagine if we prevented SQL injection with approaches that didn't catch 1% of potential attacks!

replies(2): >>44505040 #>>44505078 #
3. TeMPOraL ◴[08 Jul 25 23:47 UTC] No.44505040[source]
That's a wrong approach.

You can't have 100% security when you add LLMs into the loop, for the exact same reason as when you involve humans. Therefore, you should only include LLMs - or humans - in systems where less than 100% success rate is acceptable, and then stack as many mitigations as it takes (and you can afford) to make the failure rate tolerable.

(And, despite what some naive takes on infosec would have us believe, less than 100% security is perfectly acceptable almost everywhere, because that's how it is for everything except computers, and we've learned to deal with it.)

replies(1): >>44505045 #
4. tptacek ◴[08 Jul 25 23:49 UTC] No.44505045{3}[source]
Sure you can. You just design the system to assume the LLM output isn't predictable, come up with invariants you can reason with, and drop all the outputs that don't fit the invariants. You accept up front the idea that a significant chunk of benign outputs will be lossily filtered in order to maintain those invariants. This just isn't that complicated; people are super hung up on the idea that an LLM agent is a loop around a single "LLM session", which is not how real agents work.
replies(1): >>44505127 #
5. ants_everywhere ◴[08 Jul 25 23:55 UTC] No.44505078[source]
AI/machine learning has been used in Advanced Threat Protection for ages and LLMs are increasingly being used for advanced security, e.g. https://cloud.google.com/security/ai

The problem isn't the AI, it's hooking up a yolo coder AI to your production database.

I also wouldn't hook up a yolo human coder to my production database, but I got down voted here the other day for saying drops in production databases should be code reviewed, so I may be in the minority :-P

replies(1): >>44505122 #
6. simonw ◴[09 Jul 25 00:03 UTC] No.44505122{3}[source]
Using non-deterministic statistical systems to help find security vulnerabilities is fine.

Using non-deterministic statistical systems as the only defense against security vulnerabilities is disastrous.

replies(1): >>44505190 #
7. TeMPOraL ◴[09 Jul 25 00:04 UTC] No.44505127{4}[source]
Fair.

> You just design the system to assume the LLM output isn't predictable, come up with invariants you can reason with, and drop all the outputs that don't fit the invariants.

Yes, this is what you do, but it also happens to defeat the whole reason people want to involve LLMs in a system in the first place.

People don't seem to get that the security problems are the flip side of the very features they want. That's why I'm in favor of anthropomorphising LLMs in this context - once you view the LLM not as a program, but as a something akin to a naive, inexperienced human, the failure modes become immediately apparent.

You can't fix prompt injection like you'd fix SQL injection, for more-less the same reason you can't stop someone from making a bad but allowed choice when they delegate making that choice to an assistant, especially one with questionable intelligence or loyalties.

replies(1): >>44505704 #
8. ants_everywhere ◴[09 Jul 25 00:17 UTC] No.44505190{4}[source]
I don't understand why people get hung up on non-determinism or statistics. But most security people understand that there is no one single defense against vulnerabilities.

Disastrous seems like a strong word in my opinion. All of medicine runs on non-deterministic statistical tests and it would be hard to argue they haven't improved human health over the last few centuries. All human intelligence, including military intelligence, is non-deterministic and statistical.

It's hard for me to imagine a field of security that relies entirely on complete determinism. I guess the people who try to write blockchains in Haskell.

It just seems like the wrong place to put the concern. As far as I can see, having independent statistical scores with confidence measures is an unmitigated good and not something disastrous.

replies(1): >>44505285 #
9. saurik ◴[09 Jul 25 00:21 UTC] No.44505211[source]
So that helps, as often two people are smarter than one person, but if those two people are effectively clones of each other, or you can cause them to process tens of thousands of requests until they fail without them storing any memory of the interactions (potentially on purpose, as we don't want to pollute their context), it fails to provide quite the same benefit. That said, you also are going to see multiple people get tricked by thieves as well! And uhhh... LLMs are not very smart.

The situation here feels more like you run a small corner store, and you want to go to the bathroom, so you leave your 7 year old nephew in control of the cash register. Someone can come in and just trick them into giving out the money, so you decide to yell at his twin brother to come inside and help. Structuring this to work is going to be really perilous, and there are going to be tons of ways to trick one into helping you trick the other.

What you really want here is more like a cash register that neither of them can open and where they can only scan items, it totals the cost, you can give it cash through a slot which it counts, and then it will only dispense change equal to the difference. (Of course, you also need a way to prevent people from stealing the inventory, but sometimes that's simply too large or heavy per unit value.)

Like, at companies such as Google and Apple, it is going to take a conspiracy of many more than two people to directly get access to customer data, and the thing you actually want to strive for is making it so that the conspiracy would have to be so impossibly large -- potentially including people at other companies or who work in the factories that make your TPM hardware -- such that even if everyone in the company were in on it, they still couldn't access user data.

Playing with these LLMs and attaching a production database up via MCP, though, even with a giant pile of agents all trying to check each other's work, is like going to the local kindergarten and trying to build a company out of them. These things are extremely knowledgeable, but they are also extremely naive.

replies(1): >>44505289 #
10. simonw ◴[09 Jul 25 00:38 UTC] No.44505285{5}[source]
SQL injection and XSS both have fixes that are 100% guaranteed to work against every possible attack.

If you make a mistake in applying those fixes, you will have a security hole. When you spot that hole you can close it up and now you are back to 100% protection.

You can't get that from defenses that use AI models trained on examples.

replies(2): >>44505293 #>>44506332 #
11. ants_everywhere ◴[09 Jul 25 00:39 UTC] No.44505289[source]
> two people are effectively clones of each other

I agree you don't want the LLMs to have correlated errors. You need to design the system so they maintain some independence.

But even with humans the two humans will often be members of the same culture, have the same biases, and may even report to the same boss.

12. tptacek ◴[09 Jul 25 00:40 UTC] No.44505293{6}[source]
Notably, SQLI and XSS have fixes that also allow the full possible domain of input-output mappings SQL and the DOM imply. That may not be true of LLM agent configurations!

To me, that's a liberating thought: we tend to operate under the assumptions of SQL and the DOM, that there's a "right" solution that will allow those full mappings. When we can't see one for LLMs, we sometimes leap to the conclusion that LLMs are unworkable. But allowing the full map is a constraint we can relax!

13. ethbr1 ◴[09 Jul 25 02:04 UTC] No.44505704{5}[source]
> People don't seem to get that the security problems are the flip side of the very features they want.

Everyone who's worked in big tech dev got this the first time their security org told them "No."

Some features are just bad security and should never be implemented.

replies(1): >>44507917 #
14. Johngibb ◴[09 Jul 25 04:23 UTC] No.44506332{6}[source]
I am actually asking this question in good faith: are we certain that there's no way to write a useful AI agent that's perfectly defended against injection just like SQL injection is a solved problem?

Is there potentially a way to implement out-of-band signaling in the LLM world, just as we have in telephones (i.e. to prevent phreaking) and SQL (i.e. to prevent SQL injection)? Is there any active research in this area?

We've built ways to demarcate memory as executable or not to effectively transform something in-band (RAM storing instructions and data) to out of band. Could we not do the same with LLMs?

We've got a start by separating the system prompt and the user prompt. Is there another step further we could go that would treat the "unsafe" data differently than the safe data, in a very similar way that we do with SQL queries?

If this isn't an active area of research, I'd bet there's a lot of money to be made waiting to see who gets into it first and starts making successful demos…

replies(2): >>44507313 #>>44509183 #
15. pegasus ◴[09 Jul 25 07:49 UTC] No.44507313{7}[source]
It is a very active area of research, AI alignment. The research so far [1] suggests inherent hard limits to what can be achieved. TeMPOraL's comment [2] above points out the reason this is so: the generalizable nature of LLMs is in direct tension with certain security requirements.

[1] check out Robert Miles' excellent AI safety channel on youtube: https://www.youtube.com/@RobertMilesAI

[2] https://news.ycombinator.com/item?id=44504527

16. TeMPOraL ◴[09 Jul 25 09:28 UTC] No.44507917{6}[source]
That's my point, though. Yes, some features are just bad security, but they nevertheless have to be implemented, because having them is the entire point.

Security is a means, not an end - something security teams sometimes forget.

The only perfectly secure computing system is an inert rock (preferably one drifting in space, infinitely away from people). Anything more useful than that requires making compromises on security.

replies(1): >>44510181 #
17. simonw ◴[09 Jul 25 12:25 UTC] No.44509183{7}[source]
This is still an unsolved problem. I've been tracking it very closely for almost three years - https://simonwillison.net/tags/prompt-injection/ - and the moment a solution shows up I will shout about it from the rooftops.
18. ethbr1 ◴[09 Jul 25 14:03 UTC] No.44510181{7}[source]
Some features are literally too radioactive to ever implement.

As an example, because in hindsight it's one of the things MS handled really well: UAC (aka Windows sudo).

It's convenient for any program running on a system to be able to do anything without a user prompt.

In practice, that's a huge vector for abuse, and it turns out that crafting a system of prompting around only the most sensitive actions can be effective.

It takes time, but eventually the program ecosystem updates to avoid touching those things in that way (because prompts annoy users), prompt instances decrease, and security is improved because they're rare.

Proper feature design is balancing security with functionality, but if push comes to shove security should always win.

Insecure, functional systems are worthless, unless the consequences of exploitation are immaterial.