How is this different from a backdoor in, say, a Thunderbird extension? I've maintained an extension for Thunderbird and, when I was no longer interested in it, a guy pushed hard to take over the project after sending a few legitimate contributions. I declined because it seemed crazy to give the keys to tens of thousands of mailboxes to a guy I didn't really know. I also found it crazy that people would trust me initially, but well, I know I'm a good guy :-)
Yeah I thought the same thing. This has nothing to do with MCP really, the same flaw is there in all software: you have to trust the author and the distributor. Nothing stops Microsoft from copying all your Outlook mail. Nothing stops Google from copying all your gmail. Nothing stops the Mutt project from copying all your email. Open source users like to think that "many eyes" keep the code clean and they probably do help, especially on popular projects where all commits get reviewed in detail, but the chance is still there. And the rest of us just trust the developers. This problem is as old as software.
Not really true. They have skin in the game. They have legitimate revenue at stake. If they betray trust on such a scale, and we find out, they'll be out of business.
Idk, I think Microsoft could get away with a lot. Not selling your emails to the highest bidder, that might be a bridge too far, but training an LLM on Outlook emails? Probably. Just have an LLM scan every email to see if its contents are mundane or secret first, and only use the mundane ones. There might be a scandal of some sort, then Microsoft would say sorry (but keep the model), and then everyone would move on because the switching costs are too high.
"Not really true"?! TRUE AS HELL! "Outlook New" LITERALLY DOES THAT! It's an infostealer. Microsoft gets your login info and downloads your mails, contacts and calendars to its own servers!
How this app is legal and not marked as malware is beyond me! It's the biggest information heist in history!
Do people actually choose to use Outlook if they're not already forced to use Exchange/Office365, usually for work?
In my experience, it's hands down the worst e-mail client I've ever used. I only have it on my work PC because my employer uses Office 365. It never even crossed my mind to try to use it for my personal e-mailing needs.
I do agree, however, that companies that decide to trust MS don't care one bit about their scandalous practices. I don't even think it's as much of an actual choice as a cop-out, as in "everybody uses microsoft", so they rarely actually ponder the decision.
Outlook New gets installed by default on Windows 11. Of course people are gonna use it. Even if they just trial it, their data is gone. An anti-virus should stop the software from running. But that will never happen.
> "everybody uses microsoft", so they rarely actually ponder the decision.
Exactly. That is my main argument against PantaloonFlames's claim "They have legitimate revenue at stake. If they betray trust on such a scale, and we find out, they'll be out of business."
At a certain scale nothing matters anymore! You can Bluescreen half the planet and still be in business.
Sure, I agree, and the problem is absolutely magnified by AI. If a back door gets into Thunderbird, or Google decides to start scanning and sharing all of your email, that’s one point of failure.
An MCP may connect to any number of systems that require a level of trust, and if any one thing abuses that trust it puts the entire system at risk. Now you’re potentially leaking email, server keys, recovery codes, private documents, personal photos, encrypted chats - whatever you give your AI access to becomes available to a single rogue actor.
Giving AI agents permission to do things on your behalf on your computer is obviously dangerous. Installing a compromised MCP server is really the same as installing any compromised software. The fact that this software is triggered by the user or an agent doesn't really change anything. I don't think that humans are more able to decide not to use a tool that could potentially be compromised, but that they have chosen to install already.
> Open source users like to think that "many eyes" keep the code clean and they probably do help, especially on popular projects where all commits get reviewed in detail, but the chance is still there.
> How is this different from a backdoor in, say, a Thunderbird extension?
I don’t get the argument. Had this been a backdoor in a Thunderbird extension, would it not have been worth reporting? Of course it would. The value of this report is first and foremost that it found a backdoor. That it is on an MCP server is secondary, but it’s still relevant to mention it for being the first, so that people who don’t believe or don’t understand that these systems can be compromised (those people exist) can update their mental model and be more vigilant.
I have helped many extremely drunk people this way, given them a lift, but pointed out to them that getting a lift from a stranger you just met is a really bad idea. They're just lucky they met an honest guy with some free time, because I keep weird hours and like the neighborhood hole-in-the-wall pub.