A new zero-click attack dubbed Shadow Escape exploits the Model Context Protocol (MCP) to silently steal sensitive data via popular AI agents such as ChatGPT, Claude, and Gemini.
This vulnerability, uncovered by Operant, allows malicious actors to exfiltrate personally identifiable information, including Social Security numbers and medical records, without user interaction or detection by traditional security tools.
Shadow Escape operates by embedding hidden malicious instructions in seemingly innocuous documents, such as employee onboarding PDFs downloaded from public sources.
When uploaded to an MCP-enabled AI assistant, these instructions prompt the AI to access connected databases, CRM systems, and file shares, thereby surfacing private data such as names, addresses, credit card details, and protected health information.
The AI, acting under trusted credentials, then disguises exfiltration as routine tasks, such as performance logging, sending data to external servers linked to the dark web, all within the organization’s firewall and without alerting users or IT teams.
This attack chain unfolds in stages: infiltration via poisoned files, discovery of sensitive records across multiple systems, and covert transmission.
Unlike prior threats requiring phishing or errors, Shadow Escape leverages MCP’s design for seamless AI-tool integration, turning helpful agents into unwitting vectors for identity theft and fraud.
First Zero Click Attack Exploits MCP
Demonstrated in a video by Operant AI, the exploit escalates from a simple query to full data dumps in minutes, affecting healthcare, finance, and retail sectors where AI aids customer service.
The discovery, revealed during Cybersecurity Awareness Month, highlights MCP’s role in amplifying risks as enterprises adopt agentic AI for efficiency.
Any MCP-connected system from OpenAI’s ChatGPT to custom Llama-based agents is vulnerable, potentially exposing trillions of records due to widespread default permissions.
Donna Dodson, former NIST cybersecurity chief, warned that securing MCP and agent identities is “absolutely critical,” especially in high-stakes industries.
Traditional defenses like data loss prevention fail here, as traffic appears legitimate over encrypted channels. Operant AI estimates massive undetected breaches already occurring, urging immediate audits of AI permissions and integrations.
To counter Shadow Escape, experts recommend contextual identity access management, document sanitization before upload, real-time tool monitoring, and inline data redaction.
Operant AI’s MCP Gateway provides runtime controls to block exfiltration at the AI layer. Organizations must treat all external documents as threats, enforce least-privilege access, and implement AI-specific observability across multi-platform deployments.
Follow us on Google News, LinkedIn, and X for daily cybersecurity updates. Contact us to feature your stories.
