MCP Phantom Task Injection: Stealing Credentials Through the Server You Trust
·9 mins
Fourth article in my MCP security series. By chaining a transport-layer weakness (session ID as sole routing key) with the Tasks and Elicitation systems, an attacker can inject phantom tasks into a victim’s MCP session and phish credentials through the legitimate, trusted server. CVSS 8.1 — reported to Anthropic VDP and disclosed. Full technical breakdown with working PoC.