801 points by rexpository | 3 comments
jppope No.44505416
Serious question here, not trying to give unwarranted stress to what is no doubt a stressful situation for the Supabase team, or trying to create flamebait.

This whole thing feels like it's obviously a bad idea to have an MCP integration directly to a database abstraction layer (the Supabase product as I understand it). Why would the management push for that sort of a feature knowing that it compromises their security? I totally understand the urge to be on the bleeding edge of feature development, but this feels like the team doesn't understand GenAI and the way it works well enough to be implementing this sort of a feature into their product... are they just being too "avant-garde" in this situation or is this the way the company functions?

raspasov No.44505438
I have no association with Supabase, but in their defense, apart from adding a caution note, there's nothing else that Supabase needs to do, from my perspective.

As far as I am concerned, this is not a serious security hole if the human developer exercises common sense and uses widely recognized security precautions while developing their system.

1. paddlepop No.44505466
This.

As a platform, where do you draw the line between offering a product vs not because a developer could do something stupid with it?

edit: keeping in mind the use cases they are pushing in their documentation are for local development

2. frabcus No.44506839
Reflecting on this whole situation, I suspect MCP is fundamentally insecure, in which case Supabase should refuse to implement it.

MCP's goal is to make it easy for end user developers to impulsively wire agentically running LLM chats to multiple tools. That very capability fundamentally causes the problem.

Supabase's response (in the top comment in this post) of making it read-only or trying to wrap with an LLM to detect attacks... Neither of those helps the fundamental problem at all. Some other tool probably has write capabilities, and the wrapping isn't reliable.

3. simonw No.44509238
> MCP's goal is to make it easy for end user developers to impulsively wire agentically running LLM chats to multiple tools. That very capability fundamentally causes the problem.

That's exactly the problem here: the ability for end users to combine MCP tools means that those end users are now responsible for avoiding insecure tool combinations. That's a really hard thing for end users to do - they have to understand the lethal trifecta risk in order to make those decisions.
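The combination risk simonw describes above (the "lethal trifecta": an agent that can read private data, is exposed to content an attacker may have written, and has a channel to send data out) is something a tool-set audit can make explicit, and the same audit shows why frabcus's point about read-only mode holds. The Python below is an added example, not code from this thread, from Supabase or from any MCP implementation; the capability labels on each tool, and the tool names themselves, are assumptions constructed for illustration, since real tool manifests do not carry such labels and an operator would have to assign them.

```python
"""Lethal-trifecta check over an agent's enabled MCP tool set.

Added example; not code from the HN thread, from Supabase, or from any
MCP implementation. Each tool is labelled with the capabilities it grants
(an assumption: real tool manifests do not carry such labels, so an
operator would have to assign them). The check reports whether the enabled
set completes the trifecta: access to private data, exposure to untrusted
content, and a channel to send data out. Tool names are constructed.
"""
from dataclasses import dataclass
from enum import Enum


class Cap(Enum):
    PRIVATE_DATA = "reads private data"
    UNTRUSTED_INPUT = "ingests content an attacker may have written"
    EXFIL = "can send data outside the trust boundary"
    WRITE = "can modify private data"


TRIFECTA = frozenset({Cap.PRIVATE_DATA, Cap.UNTRUSTED_INPUT, Cap.EXFIL})


@dataclass(frozen=True)
class Tool:
    name: str
    caps: frozenset


# Constructed tool catalogue. A read-only database tool still grants
# PRIVATE_DATA, and a table holding user-submitted text (support tickets)
# counts as UNTRUSTED_INPUT even though it lives in the same database.
TOOLS = {
    "db_readonly": Tool("db_readonly", frozenset({Cap.PRIVATE_DATA})),
    "db_readwrite": Tool("db_readwrite", frozenset({Cap.PRIVATE_DATA, Cap.WRITE})),
    "support_tickets": Tool("support_tickets",
                            frozenset({Cap.PRIVATE_DATA, Cap.UNTRUSTED_INPUT})),
    # Fetching an arbitrary URL both ingests untrusted content and leaks
    # whatever the model puts in the query string.
    "web_fetch": Tool("web_fetch", frozenset({Cap.UNTRUSTED_INPUT, Cap.EXFIL})),
    "slack_post": Tool("slack_post", frozenset({Cap.EXFIL})),
}


def granted(tools):
    """Union of capabilities across the enabled tools."""
    caps = set()
    for t in tools:
        caps |= t.caps
    return caps


def trifecta_gaps(tools):
    """Trifecta capabilities the enabled set does NOT grant (empty = lethal)."""
    return set(TRIFECTA) - granted(tools)


def is_lethal(tools):
    """True when all three trifecta capabilities are present across the set."""
    return not trifecta_gaps(tools)


def providers(tools):
    """Map each granted trifecta capability to the tools that grant it."""
    return {cap: sorted(t.name for t in tools if cap in t.caps)
            for cap in TRIFECTA if any(cap in t.caps for t in tools)}


def report(names):
    """Human-readable verdict for a list of tool names taken from TOOLS."""
    tools = [TOOLS[n] for n in names]
    lines = [f"tools: {', '.join(names)}"]
    for cap, who in providers(tools).items():
        lines.append(f"  {cap.value}: {', '.join(who)}")
    if is_lethal(tools):
        lines.append("  VERDICT: lethal trifecta complete")
    else:
        missing = ", ".join(sorted(c.name for c in trifecta_gaps(tools)))
        lines.append(f"  VERDICT: incomplete (missing {missing})")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(["db_readonly"]))
    print(report(["db_readonly", "support_tickets"]))
    # Read-only database plus a URL-fetching tool: the trifecta is complete
    # even though nothing here can write to the database.
    print(report(["db_readonly", "support_tickets", "web_fetch"]))
```

The third scenario is the one to notice: the database tool is read-only, yet the set is still lethal because the exfiltration channel comes from a different tool. Making one tool read-only only removes the WRITE capability; it leaves the trifecta intact, which is the audit an end user assembling tools would have to carry out themselves.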