Search papers, labs, and topics across Lattice.
This study investigates the security vulnerabilities of the WebMCP protocol, which allows AI agents to access tools directly from websites, revealing a new threat called Mid-Session Tool Injection (MSTI). By classifying MSTI into Tool Hijacking and Tool Framing, the authors demonstrate how attackers can manipulate the tool visibility and perception during active sessions, effectively disrupting the intended functionality of the protocol. The findings highlight the need for robust security measures, as MSTI exploits the unique characteristics of WebMCP's tool lifecycle and metadata structure.
Mid-Session Tool Injection can hijack AI agent tools in real-time, exposing a critical vulnerability in the WebMCP protocol.
WebMCP is a newly emerging protocol that enables websites to expose tools directly to AI agents, bypassing traditional user interfaces and introducing new security risks. The dynamic exposure of agent-accessible tools in WebMCP expands the attack surface of web sessions, especially when third-party scripts are involved. In this study, we identify a new potential threat, termed Mid-Session Tool Injection (MSTI), in which attackers leverage third-party scripts to inject malicious tools during an active session. To better characterize this threat, we classify MSTI based on the stage and target of manipulation, distinguishing between Tool Hijacking and Tool Framing. Tool Hijacking modifies the set of tools visible to the agent through mechanisms such as the AbortSignal API or race conditions during tool registration. In contrast, Tool Framing influences the agent's perception of tool roles through metadata fields such as tool name, description, readOnlyHint, and inputSchema. Our implementation demonstrates that both Tool Hijacking and Tool Framing can successfully disrupt the intended functionality of WebMCP. Based on these results, we outline potential mitigation directions and provide security design recommendations for WebMCP, including binding tool identity to its origin, ensuring lifecycle consistency, enforcing data boundaries for third-party tools, and maintaining traceable logs of tool registration and invocation. These findings indicate that MSTI arises from WebMCP's unique tool lifecycle and structured metadata, making the tool surface itself an emerging security concern.