Most active commenters
  • ajross(3)

←back to thread

Supabase MCP can leak your entire SQL database

(www.generalanalysis.com)
786 points rexpository | 11 comments | 08 Jul 25 17:46 UTC | HN request time: 1.627s | source | bottom
Show context
jppope ◴[09 Jul 25 01:05 UTC] No.44505416[source]
Serious question here, not trying to give unwarranted stress to what is no doubt a stressful situation for the supabase team, or trying to create flamebait.

This whole thing feels like its obviously a bad idea to have an mcp integration directly to a database abstraction layer (the supabase product as I understand it). Why would the management push for that sort of a feature knowing that it compromises their security? I totally understand the urge to be on the bleeding edge of feature development, but this feels like the team doesn't understand GenAi and the way it works well enough to be implementing this sort of a feature into their product... are they just being too "avant-garde" in this situation or is this the way the company functions?

replies(5): >>44505432 #>>44505438 #>>44505472 #>>44505501 #>>44506821 #
1. raspasov ◴[09 Jul 25 01:10 UTC] No.44505438[source]
I have no association with Supabase, but in their defense, apart from adding a caution note, there's nothing else that Supabase needs to do, from my perspective.

As far as I am concerned, this is not a serious security hole if the human developer exercises common sense and uses widely recognized security precautions while developing their system.

replies(2): >>44505466 #>>44505595 #
2. paddlepop ◴[09 Jul 25 01:17 UTC] No.44505466[source]
This.

As a platform, where do you draw the line between offering a product vs not because a developer could do something stupid with it?

edit: keeping in mind the use cases they are pushing in their documentation are for local development

replies(1): >>44506839 #
3. ajross ◴[09 Jul 25 01:43 UTC] No.44505595[source]
> this is not a serious security hole if the human developer exercises common sense and uses widely recognized security precautions

Just like SQL injection attacks aren't something to worry about, right?

Have we learned nothing from three decades of internet security experience? Really? Yes. It seems we've learned nothing. I weep for the future.

replies(1): >>44505641 #
4. blackoil ◴[09 Jul 25 01:51 UTC] No.44505641[source]
Database still support RAW queries. So, yeah developer are responsible for proper usage of the tools.
replies(1): >>44505654 #
5. ajross ◴[09 Jul 25 01:54 UTC] No.44505654{3}[source]
There are whole ecosystems of tools designed around the need to isolate queries, though. You don't just throw a Postgres prompt at your developers and tell them to be careful, because if you do little Bobby Tables pwns your stuff.

We know this is how this works. We lived through it. Why on earth do you think the results will be any different this time?

replies(1): >>44505725 #
6. fastball ◴[09 Jul 25 02:07 UTC] No.44505725{4}[source]
Database providers do just throw a postgres prompt at developers though, right? And that is what Supabase is – an infra provider.
replies(1): >>44510163 #
7. frabcus ◴[09 Jul 25 06:21 UTC] No.44506839[source]
Reflecting on this whole situation, I suspect MCP is fundamentally insecure, in which case Supabase should refuse to implement it.

MCP's goal is to make it easy for end user developers to impulsively wire agentically running LLM chats to multiple tools. That very capability fundamentally causes the problem.

Supabase's response (in the top comment in this post) of making it read-only or trying to wrap with an LLM to detect attacks... Neither of those help the fundamental problem at all. Some other tool probably has write capabilities, and the wrapping isn't reliable.

replies(1): >>44509238 #
8. simonw ◴[09 Jul 25 12:29 UTC] No.44509238{3}[source]
> MCP's goal is to make it easy for end user developers to impulsively wire agentically running LLM chats to multiple tools. That very capability fundamentally causes the problem.

That's exactly the problem here: the ability for end users to combine MCP tools means that those end users are now responsible for avoiding insecure tool combinations. That's a really hard thing for end users to do - they have to understand the lethal trifecta risk in order to make those decisions.

9. ajross ◴[09 Jul 25 14:02 UTC] No.44510163{5}[source]
That's an argument, I guess, for absolving Supabase for explicit responsibility for the resulting hilarity. It's not an argument that MCP prompt hacking is "not a serious security hole", which is the point I responded to upthread.
replies(1): >>44510761 #
10. fastball ◴[09 Jul 25 14:54 UTC] No.44510761{6}[source]
It's only a security hole if you give access to users though, right? If you are the one using the Supabase MCP, how is it any different than any other root access to a DB?
replies(1): >>44510936 #
11. simonw ◴[09 Jul 25 15:07 UTC] No.44510936{7}[source]
Because of lethal trifecta attacks: https://simonwillison.net/2025/Jun/16/the-lethal-trifecta/

If you are the person using the LLM tool, a prompt injection attack in a database row that you are allowed to view could trick your LLM tool into taking actions that you don't want it to take, including leaking other data you are allowed to see via writing to other tables or using other MCP tools.