Latest news with #MCPs
Yahoo
11 hours ago
- Business
- Yahoo
Asana bug in new AI feature may have exposed data to other users for weeks
A bug in one of Asana's new AI features made user information accessible to other users for several weeks. The company said the issue was resolved and it was not the result of a malicious hack. Instead, it appeared to be a logic flaw in its MCP (Model Context Protocol) server that was released on May 1, according to cybersecurity firm UpGuard (via BleepingComputer). MCP is an open-source framework that enables AI assistants to interact with sites and apps. The introduction of Asana's MCP Server enabled companies to integrate AI features like summarization and natural language search from LLMs. SEE ALSO: 'Your Year in Asana' is a reminder of all the work you did (or didn't do) The rise of generative AI tools and new standards that enable interoperability for LLMs create new privacy issues and increased cybersecurity risk. MCP servers are a shiny new target for hackers, and there's also risk of prompt injection attacks, token theft, and a general increase in data leaks since MCPs request broad permission to function smoothly, according to a blog post from cybersecurity firm Pillar. According to UpGuard, the bug "appears to have been part of this initial release," and was discovered by Asana on June 4. But during this time, Asana users working with the MCP server have been able to access information from other accounts' "projects, teams, tasks, and other Asana objects," according to an email reportedly sent to customers impacted. In a statement to BleepingComputer, Asana said the bug impacted around 1,000 accounts. Asana has more than 130,000 companies using its project management platform, including some big companies like Uber, Spotify, and Airbnb. (Disclosure: Mashable's editorial team also uses Asana.) Asana took the server offline and informed customers using the MCP server on June 16 about the bug. "As soon as the vulnerability was discovered, our teams immediately took the MCP server down and resolved the issue in our code," Asana said in its statement to BleepingComputer. Meanwhile, the company sent a contact form to customers potentially impacted to compile a full report of which companies may have had their data exposed. It's unclear yet if there was any major data breach, but Asana advised companies to review their logs for MCP access and any information generated by their AI tools and report it to Asana if they find any data that doesn't belong to their company. UPDATE: Jun. 18, 2025, 1:50 p.m. EDT Asana confirmed in a status update that the affected server was back online as of June 17.
Yahoo
06-06-2025
- Business
- Yahoo
Akto Launches Industry's First MCP Security Platform
Akto Launches Industry's First Security Platform for Model Context Protocol (MCP) Servers SAN FRANCISCO, June 6, 2025 /PRNewswire/ -- Akto, a leader in API security, today announced the launch of Akto MCP Security, the world's first purpose-built solution designed to secure Model Context Protocol (MCP) servers. As AI agents like ChatGPT, Claude, and GitHub Copilot rapidly become part of core enterprise workflows, developers are adopting MCP to enable these agents to safely and dynamically invoke APIs. But with this shift comes a new attack surface - MCP Servers. "MCP is the protocol powering the next generation of AI-native software," said Ankita Gupta, Co-Founder and CEO of Akto. In May 2025, a critical vulnerability in GitHub's MCP server allowed attackers to embed malicious instructions in public issues. When processed by AI agents, those instructions led to unauthorized access and data leakage highlighting the urgent need for MCP-specific security controls. Akto MCP Security is designed from the ground up to protect MCPs. It detects shadow MCP servers, tests for prompt injection and tool poisoning vulnerabilities, and monitors AI-to-API traffic in real time to flag suspicious behavior. The platform helps security teams stay ahead of threats in a world where APIs aren't just passive endpoints, they're actively invoked by autonomous agents that can introduce new risks with every interaction. Built in collaboration with Akto's enterprise customers, the Akto MCP Security platform includes three core modules at launch: MCP Server Discovery – Automatically detects all MCP-compatible servers and related API calls across environments using Akto's 50+ traffic and code connectors, eliminating shadow MCPs. MCP Security Testing – Continuously tests MCP endpoints and tools for vulnerabilities like unauthorized access, prompt injection, insecure auth, and data exposure. MCP Monitoring & Threat Detection – Real-time behavioral analysis of MCP traffic to detect threats such as tool misuse, permission escalation, and malicious agent behavior. "MCP opens powerful new possibilities, but also dangerous new paths for abuse," said Ankush Jain, CTO at Akto. "We've built dedicated logic for how MCP works, so security teams can monitor, test, and protect these systems with context." Akto's early access program is already onboarding enterprise customers who are actively building with MCP, including teams at leading banking, fintech, and healthcare companies. The company plans to expand its API Security capabilities to cover modern, new threats. For more details or to schedule a customized demo, visit the Akto website or email earlyaccess@ About Akto: Akto is the fastest-growing API Security platform built for Modern AppSec teams. The platform helps teams build an enterprise-grade API security program from code to runtime. Akto's industry-leading suite of API discovery, API Protection, and API security testing solutions enables organizations to gain visibility in their API security posture. Fortune 500s, Banks, and 1,000+ appsec teams globally trust Akto for their API security needs. View original content to download multimedia: SOURCE Akto Error in retrieving data Sign in to access your portfolio Error in retrieving data Error in retrieving data Error in retrieving data Error in retrieving data
