add security and privacy considerations living document #55
Conversation
|
initial draft based on discussion here: #45 will update it based on relevant discussions in the thread, as well as from TPAC before marking it as ready to merge. |
| Prompt injection represents a critical threat to WebMCP where malicious instructions are embedded in tool metadata, inputs, or outputs to manipulate agent behavior or compromise systems. Unlike traditional injection attacks, these exploits target the language model's interpretation of natural language rather than code execution vulnerabilities. | ||
|
|
||
| **Key Risk Factors**: | ||
| - No cryptographic verification of tool descriptions or schemas |
There was a problem hiding this comment.
I didn't follow this. how does cryptographic verification help?
There was a problem hiding this comment.
I think the point I was trying make here was more about some form of "signing" of each tool, such that agents can be verified that it's the same trusted tool...
But I feel like this might not be relevant to prompt injection, might be an entirely new problem. Let me remove it for now.
|
|
||
| Malicious instructions embedded in tool parameters by compromised or malicious agents, targeting the website's own processing of tool inputs. | ||
|
|
||
| - **Threat Actor**: Malicious users controlling or manipulating agents using WebMCP |
There was a problem hiding this comment.
This one is quite interesting. Definitely worth documenting but I think the onus is on the site as an "Agent provider". Every Agent provider has to mitigate against a common set of attacks when taking untrusted input. They likely have mitigations aside from WebMCP, the same tool could be exposed using an option in the Web UI.
Can you add something along these lines to the text? WebMCP doesn't expand the attack surface for this.
There was a problem hiding this comment.
Yeah, I do agree that WebMCP doesn't expand the attack surface for input injection attacks. I'm incline to minimize attention on this issue at the moment.
Rethinking this, the bigger risk here is likely just that it WebMCP exposes another valuable target for attackers, if website owners implement valuable WebMCP actions on their site (e.g. reset password).
|
|
||
| #### Misalignment Types | ||
|
|
||
| 1. **Malicious misrepresentation** (fraud): |
There was a problem hiding this comment.
It's ambiguous what the site accomplishes from this attack, since it already has the ability to execute this action. Worth documenting that this is about deflecting blame/misattribution. Intentionally taking a harmful action which can be attributed to the Agent.
There was a problem hiding this comment.
point taken, will clarify. It is indeed about intentionally trying to use the ambiguity to deflect blame to agent.
| - Side effects not mentioned in the description | ||
| - Example: Tool deletes draft after sending email without mentioning this behavior | ||
|
|
||
| 3. **Ambiguous scope**: |
There was a problem hiding this comment.
This seems like a duplicate of 2), imprecise i.e. poorly written.
| - Are there specific attack scenarios from existing web security domains (CSRF, XSS, etc.) that apply to WebMCP in novel ways? | ||
| - What risks emerge when combining WebMCP with other emerging web capabilities (Prompt API, Web AI, etc.)? | ||
|
|
||
| ### 2. Responsibility and Scope |
There was a problem hiding this comment.
I wouldn't say these are overarching open questions, it's just considerations for how to approach mitigations in this space.
I'd probably put something like this in the introduction: "Mitigations for any attack vector will need to consider all systems/entities involved: Site authors, Agent providers and browser vendors. While the spec can't define precise mitigation strategies that Agents/browser vendors must provide, the responsibilities for each system should be clearly defined. Common mitigations are documented as recommendations for Agents/browser vendors. We also explore these mitigations to inform additions to the Web API."
There was a problem hiding this comment.
Make sense. I will add that to the introduction as well.
| - Should some tool categories require elevated permissions or review processes? | ||
| - Related: [Issue #44 - Action-specific permission](https://github.com/webmachinelearning/webmcp/issues/44) | ||
|
|
||
| ### 4. Comparison with MCP |
There was a problem hiding this comment.
Similar here, can go into the section at the beginning which explains the overall approach. Something like: "It's likely that many mitigations to handle tools from untrusted sources will be common across MCP and WebMCP."
Because this is something we'll consider for every attack vector/mitigation.
There was a problem hiding this comment.
Sounds good. Will do that
victorhuangwq
left a comment
victorhuangwq
left a comment
There was a problem hiding this comment.
thanks for the review. will make changes accordingly, alongside the updates that I will be making to include points from TPAC and the current issue thread.
|
|
||
| #### Misalignment Types | ||
|
|
||
| 1. **Malicious misrepresentation** (fraud): |
There was a problem hiding this comment.
point taken, will clarify. It is indeed about intentionally trying to use the ambiguity to deflect blame to agent.
| - Side effects not mentioned in the description | ||
| - Example: Tool deletes draft after sending email without mentioning this behavior | ||
|
|
||
| 3. **Ambiguous scope**: |
| - Are there specific attack scenarios from existing web security domains (CSRF, XSS, etc.) that apply to WebMCP in novel ways? | ||
| - What risks emerge when combining WebMCP with other emerging web capabilities (Prompt API, Web AI, etc.)? | ||
|
|
||
| ### 2. Responsibility and Scope |
There was a problem hiding this comment.
Make sense. I will add that to the introduction as well.
| - Should some tool categories require elevated permissions or review processes? | ||
| - Related: [Issue #44 - Action-specific permission](https://github.com/webmachinelearning/webmcp/issues/44) | ||
|
|
||
| ### 4. Comparison with MCP |
There was a problem hiding this comment.
Sounds good. Will do that
2 participants
No description provided.