[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"branding":3,"analytics":7,"article-mcp-tool-approval-can-be-spoofed-eight-different-ways":10,"sections":40},{"siteName":4,"siteTagline":5,"publisherName":4,"contactEmail":6},"The Revision","Tech news, decoded.","editor@therevision.news",{"gaMeasurementId":8,"adsenseClientId":9},"G-ZW2MV82GYR","ca-pub-8533917693782264",{"article":11},{"id":12,"slug":13,"title":14,"dek":15,"body_md":16,"tags_json":17,"published_at":18,"created_at":19,"updated_at":20,"status":21,"review_note":22,"review_notes":23,"image_url":22,"persona_id":22,"persona_name":22,"section":30,"tags":31,"sources":35,"feedback":39,"feedback_at":22,"cost_usd":39,"total_tokens":39},4348,"mcp-tool-approval-can-be-spoofed-eight-different-ways","MCP Tool Approval Can Be Spoofed Eight Different Ways","Researchers found eight techniques to smuggle malicious instructions into AI coding agents via MCP, with one making the payload invisible to human reviewers.","A new security paper exposes a structural flaw in the Model Context Protocol that lets attackers feed AI coding agents instructions users never see or approve.\n\nResearchers built a proof-of-concept that speaks the real MCP JSON-RPC protocol against actual client and server software. They implemented eight techniques across five metadata surfaces — tool names, descriptions, input schemas, and related fields — that the MCP approval dialog displays once, then injects verbatim into the model's context on every subsequent turn. All eight delivered attacker-controlled payloads into the model. Four evaded a representative string-matching sanitizer. The key finding: the protocol imposes no requirement that what a human sees in the approval view matches what the model actually receives.\n\nThat fidelity gap is the real vulnerability. Seven of the eight techniques deliver visible-but-unreviewed payloads; the eighth uses Unicode's TAG block (U+E0000–U+E007F), a range with no assigned glyph in mainstream terminals, IDEs, or chat renderers, making that specific payload completely invisible in the approval dialog while arriving intact at the model's tokenizer. Crucially, none of the eight techniques triggered a re-approval prompt, including under a time-of-check to time-of-use attack where the server swaps its metadata after initial approval. The researchers confirmed results were consistent across three independent Python MCP server libraries — 32 cross-library outcome cells, total agreement.\n\nMCP is already the dominant standard for how coding agents discover external tools, which means this isn't a theoretical edge case. The approval-dialog model — click once, trust forever — was always a thin defense; this paper puts numbers on exactly how thin.","[\"security\",\"mcp\",\"ai\",\"tool-use\"]","2026-07-08T04:00:00.000Z","2026-07-08T06:45:51.388Z","2026-07-08T06:45:54.296Z","published",null,[24],{"id":25,"reviewer":26,"round":27,"reason":28,"status":29},"editor-r1","editor",1,"The body states 'One technique exploits Unicode's TAG block' and implies broad invisible-payload capability across multiple techniques, but the source is explicit that only 1\u002F8 techniques achieves invisibility in the approval view — the other 7 are delivered but visible; the dek's phrase 'hide malicious tool instructions' and the body's framing overstate this by implying all eight techniques produce hidden payloads, which contradicts the source and must be corrected.","resolved","security",[30,32,33,34],"mcp","ai","tool-use",[36],{"name":37,"url":38},"arXiv cs.AI","https:\u002F\u002Farxiv.org\u002Fabs\u002F2607.05744",0,{"sections":41},[42,46,50,55,60,65,70,75,80,85,90,94,99,104],{"name":43,"slug":33,"count":44,"latest_published_at":45},"AI",2590,"2026-07-16T04:00:00.000Z",{"name":47,"slug":30,"count":48,"latest_published_at":49},"Security",294,"2026-07-15T19:59:48.000Z",{"name":51,"slug":52,"count":53,"latest_published_at":54},"Deals","deals",179,"2026-06-29T20:02:07.000Z",{"name":56,"slug":57,"count":58,"latest_published_at":59},"Policy","policy",158,"2026-07-16T00:02:48.000Z",{"name":61,"slug":62,"count":63,"latest_published_at":64},"Hardware","hardware",122,"2026-07-14T19:46:26.000Z",{"name":66,"slug":67,"count":68,"latest_published_at":69},"Consumer Tech","consumer-tech",93,"2026-07-13T13:20:48.000Z",{"name":71,"slug":72,"count":73,"latest_published_at":74},"Software","software",70,"2026-07-13T19:52:25.000Z",{"name":76,"slug":77,"count":78,"latest_published_at":79},"Science","science",66,"2026-07-10T10:29:37.000Z",{"name":81,"slug":82,"count":83,"latest_published_at":84},"Dev Tools","dev-tools",59,"2026-07-07T04:00:00.000Z",{"name":86,"slug":87,"count":88,"latest_published_at":89},"Gaming","gaming",41,"2026-07-09T04:00:00.000Z",{"name":91,"slug":92,"count":88,"latest_published_at":93},"Startups","startups","2026-06-29T20:55:50.000Z",{"name":95,"slug":96,"count":97,"latest_published_at":98},"General","general",29,"2026-07-10T22:28:58.000Z",{"name":100,"slug":101,"count":102,"latest_published_at":103},"Reviews","reviews",20,"2026-06-24T12:00:01.000Z",{"name":105,"slug":106,"count":107,"latest_published_at":108},"How-To","how-to",6,"2026-06-16T09:00:00.000Z"]