Supabase MCP can leak your entire SQL database

(www.generalanalysis.com)

801 points rexpository | 1 comments | 08 Jul 25 17:46 UTC | HN request time: 0.206s | source

Show context

raspasov ◴[08 Jul 25 22:44 UTC] No.44504711[source]▶

The MCP hype is real, but top of HN?

That's like saying that if anyone can submit random queries to a Postgres database with full access, it can leak the database.

That's like middle-school-level SQL trivia.

replies(3): >>44504731 #>>44505108 #>>44505154 #

simonw ◴[09 Jul 25 00:10 UTC] No.44505154[source]▶

>>44504711 #

> That's like saying that if anyone can submit random queries to a Postgres database with full access, it can leak the database.

The problem as more subtle than that.

Here, we are saying that if the developer of a site - who can already submit random queries to Postgres any time they like - rigs up an LLM-powered assistant to help them do that, an attacker can trick that assistant into running queries on the attacker's behalf by sneaking malicious text into the system such that it is visible to the LLM in one of the database tables.

replies(1): >>44505387 #

1. raspasov ◴[09 Jul 25 01:01 UTC] No.44505387[source]▶

>>44505154 #

I don't understand how that's more subtle than allowing random queries. It only feels different due to the additional probabilistic layer of indirection (the LLM), but the ability is still there.

> who can already submit random queries to Postgres any time they like

A predefined, static set of queries curated by a human with common sense. LLMs have no common sense. They have context.

An LLM that takes user input and has access to a database can generate and run any query. We don't understand what queries might be generated and under what input, and I don't think we will anytime soon.

↑