Adversaries are pivoting from direct prompt injection to indirect injection attacks targeting agentic AI systems by poisoning external data sources. By manipulating Model Context Protocol (MCP) tool definitions and OpenAPI/Swagger specifications, attackers embed malicious instructions within metadata fields such as 'description' or 'parameter'. When an AI agent parses this documentation to resolve tool-calling logic, it interprets the embedded payloads as functional requirements. This enables unauthorized tool execution, facilitating sensitive data exfiltration to attacker-controlled callback URLs, privilege escalation, and fraudulent financial transactions, including cryptocurrency payments. This vulnerability fundamentally compromises the security boundary of AI agents utilizing external tool integration and grounding.
- Threat Model: Indirect Data Poisoning
- Transition from direct user-to-model interaction to passive exploitation of external data.
- Targeting of "grounding" sources and tool-calling metadata within agentic workflows.
- Exploitation of the inherent trust agents place in structured API specifications and schemas.
- Attack Mechanics: Schema Manipulation
- Injection of malicious instructions into Model Context Protocol (MCP) tool definitions.
- Poisoning of OpenAPI/Swagger documentation via 'description' and 'parameter' fields.
- Use of manipulated JSON tool schemas to alter agentic decision-making processes.
- Delivery of indirect injection payloads through web-search results used for agent grounding.
- Detection & Indicators: Identifying Malicious Metadata
- Monitoring for anomalous instruction strings within JSON schema 'description' fields.
- Auditing tool-calling logs for unexpected outbound network requests to unverified domains.
- Detecting sudden shifts in agent behavior following the ingestion of new documentation or tools.
- Systemic & Security Impact: Agent Hijacking
- Unauthorized data exfiltration via automated calls to attacker-controlled callback URLs.
- Financial loss through the execution of unauthorized cryptocurrency payments.
- Privilege escalation by leveraging the agent's authorized tool-calling capabilities.
- Compromise of sensitive user session tokens and API credentials.
- Countermeasures: AI-Centric Defenses
- Strict schema validation and sanitization for all external tool and API definitions.
- Implementation of network egress filtering to block unauthorized callback URLs.
- Deployment of Human-in-the-loop (HITL) protocols for high-stakes tool execution.
- Enhanced monitoring of LLM reasoning chains for instructional and logic anomalies.
Related posts
- gbhackers.com — Hackers Use Fake API Documentation to Trick AI Agents Into Sending Crypto Payments
- vibegraveyard.ai — Prompt injection stopped being theoretical - Unit 42 found AI agents obeying poisoned web pages
- vibegraveyard.ai — GeminiJack turned a poisoned document into silent corporate data theft
- TechNadu — Model Context Protocol (MCP) Tool Poisoning Hijacks AI Agents to Steal Data
- Cybersecurity News — Hackers Abuse SEO Poisoning and Hidden HTML to Trick AI Agents Into Following Malicious Instructions
- Bragg
- Zscaler