The "lethal trifecta" refers to default configurations, excessive permissions, and inadequate authentication - three factors that plague MCP implementations just as they did with earlier technologies.
These exploits are all the same flavour - untrusted input, secrets and tool calling. MCP accelerates the impact by adding more tools, yes, but it’s by far not the root cause - it’s just the best clickbait focus.
What’s more interesting is who can mitigate - the model provider? The application developer? Both? OpenAI have been thinking about this with the chain of command [1]. Given that all major LLM clients’ system prompts get leaked, the ‘chain of command’ is exploitable to those that try hard enough.
That's great! It would be even better if one of the features included in the table was whether a given MCP supports OAuth Dynamic Client Registration, which is optional in the MCP standard.
The MCP server technically doesn't support DCR. The authorization server for the MCP server does, which is a minor distinction.
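The distinction in the comment above, shown as an added example that is not from anyone in this thread: an MCP client walks the discovery chain and finds that DCR (RFC 7591) is advertised by the authorization server's metadata (RFC 8414), not by the MCP server, which only publishes protected resource metadata (RFC 9728) pointing at its AS. The hosts (`mcp.example.com`, `auth.example.com`), the metadata documents, the in-memory `fetch_json` stand-in for HTTPS and the toy AS-side `registration_endpoint` handler are all constructed assumptions.

```python
"""Walk the MCP authorization discovery chain and show where DCR actually lives.

Added example, not from the thread. Hosts, metadata documents and the in-memory
"HTTP" fetch are constructed stand-ins for what a real MCP client would retrieve.
"""
import re
import secrets
import time
from urllib.parse import urlparse

MCP_SERVER = "https://mcp.example.com"     # hypothetical MCP server
AUTH_SERVER = "https://auth.example.com"   # hypothetical authorization server

# Header the MCP server returns with its 401; it only points at metadata.
WWW_AUTHENTICATE = (
    'Bearer resource_metadata='
    '"https://mcp.example.com/.well-known/oauth-protected-resource"'
)

# Constructed metadata documents standing in for live fetches.
DOCS = {
    MCP_SERVER + "/.well-known/oauth-protected-resource": {   # RFC 9728
        "resource": MCP_SERVER,
        "authorization_servers": [AUTH_SERVER],
    },
    AUTH_SERVER + "/.well-known/oauth-authorization-server": {  # RFC 8414
        "issuer": AUTH_SERVER,
        "authorization_endpoint": AUTH_SERVER + "/authorize",
        "token_endpoint": AUTH_SERVER + "/token",
        "registration_endpoint": AUTH_SERVER + "/register",  # DCR lives here
        "code_challenge_methods_supported": ["S256"],
    },
}


def fetch_json(url):
    """Stand-in for an HTTPS GET that returns parsed JSON."""
    return DOCS[url]


def resource_metadata_url(www_authenticate):
    m = re.search(r'resource_metadata="([^"]+)"', www_authenticate)
    if not m:
        raise ValueError("no resource_metadata in WWW-Authenticate")
    return m.group(1)


def discover(www_authenticate):
    """401 header -> protected resource metadata -> AS metadata."""
    prm = fetch_json(resource_metadata_url(www_authenticate))
    issuer = prm["authorization_servers"][0]
    as_meta = fetch_json(issuer + "/.well-known/oauth-authorization-server")
    # RFC 8414: the issuer inside the document must equal the URL it was
    # fetched from, or a hostile MCP server could steer clients to a fake AS.
    if as_meta["issuer"] != issuer:
        raise ValueError("issuer mismatch in AS metadata")
    return prm, as_meta


def supports_dcr(as_meta):
    """DCR is optional: it exists only if the AS advertises an endpoint."""
    return "registration_endpoint" in as_meta


def dcr_request(client_name, redirect_uris):
    """RFC 7591 registration body for a public client using PKCE."""
    return {
        "client_name": client_name,
        "redirect_uris": list(redirect_uris),
        "grant_types": ["authorization_code"],
        "response_types": ["code"],
        "token_endpoint_auth_method": "none",
    }


def registration_endpoint(body):
    """Toy AS-side handler (assumption): validate redirect URIs, issue a client_id."""
    for uri in body.get("redirect_uris", []):
        p = urlparse(uri)
        loopback = p.hostname in ("127.0.0.1", "localhost", "::1")
        if p.scheme != "https" and not (p.scheme == "http" and loopback):
            raise ValueError("rejected redirect_uri: " + uri)
    return {
        "client_id": secrets.token_urlsafe(16),
        "client_id_issued_at": int(time.time()),
        **body,
    }


def register(as_meta, client_name, redirect_uris):
    """Client side: refuse to guess; without DCR a client_id must be pre-provisioned."""
    if not supports_dcr(as_meta):
        raise RuntimeError("AS does not offer DCR; pre-provision a client_id")
    return registration_endpoint(dcr_request(client_name, redirect_uris))


if __name__ == "__main__":
    _, meta = discover(WWW_AUTHENTICATE)
    print("DCR offered by AS:", supports_dcr(meta))
    print(register(meta, "example-mcp-client", ["http://127.0.0.1:8765/callback"]))
```

Two details worth keeping when porting this to a real client: the issuer check in `discover` is what stops an untrusted MCP server from redirecting registration to an attacker-run AS, and the loopback-only exception for `http` redirect URIs mirrors what a native-app AS should enforce, so a registration with a non-TLS public redirect is rejected rather than silently accepted.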
Have you seen significant need for this? I've been trying to find data on things like "how many MCP clients are there really" - if it takes off where everything is going to be an MCP client && dynamically discovering what tools it needs beyond what it was originally set up for, sure.