http://simonwillison.net/2025-06-19T22:53:54+00:00Simon Willison2025-06-19T22:53:54+00:002025-06-19T22:53:54+00:00https://simonwillison.net/2025/Jun/19/atlassian-prompt-injection-mcp/#atom-tag

<p><strong><a href="https://www.catonetworks.com/blog/cato-ctrl-poc-attack-targeting-atlassians-mcp/">Cato CTRL™ Threat Research: PoC Attack Targeting Atlassian’s Model Context Protocol (MCP) Introduces New “Living off AI” Risk</a></strong></p> Stop me if you've heard this one before:</p> <blockquote> <ul> <li>A threat actor (acting as an external user) submits a malicious support ticket. </li> <li>An internal user, linked to a tenant, invokes an MCP-connected AI action. </li> <li>A prompt injection payload in the malicious support ticket is executed with internal privileges. </li> <li>Data is exfiltrated to the threat actor’s ticket or altered within the internal system.</li> </ul> </blockquote> <p>It's the classic <a href="https://simonwillison.net/2025/Jun/16/the-lethal-trifecta/">lethal trifecta</a> exfiltration attack, this time against Atlassian's <a href="https://www.atlassian.com/blog/announcements/remote-mcp-server">new MCP server</a>, which they describe like this:</p> <blockquote> <p>With our Remote MCP Server, you can summarize work, create issues or pages, and perform multi-step actions, all while keeping data secure and within permissioned boundaries.</p> </blockquote> <p>That's a single MCP that can access private data, consume untrusted data (from public issues) and communicate externally (by posting replies to those public issues). Classic trifecta.</p> <p>It's not clear to me if Atlassian have responded to this report with any form of a fix. It's hard to know what they <em>can</em> fix here - any MCP that combines the three trifecta ingredients is insecure by design.</p> <p>My recommendation would be to shut down any potential exfiltration vectors - in this case that would mean preventing the MCP from posting replies that could be visible to an attacker without at least gaining human-in-the-loop confirmation first. <p>Tags: <a href="https://simonwillison.net/tags/atlassian">atlassian</a>, <a href="https://simonwillison.net/tags/security">security</a>, <a href="https://simonwillison.net/tags/ai">ai</a>, <a href="https://simonwillison.net/tags/prompt-injection">prompt-injection</a>, <a href="https://simonwillison.net/tags/generative-ai">generative-ai</a>, <a href="https://simonwillison.net/tags/llms">llms</a>, <a href="https://simonwillison.net/tags/exfiltration-attacks">exfiltration-attacks</a>, <a href="https://simonwillison.net/tags/model-context-protocol">model-context-protocol</a>, <a href="https://simonwillison.net/tags/lethal-trifecta">lethal-trifecta</a></p>

2025-05-13T15:52:09+00:002025-05-13T15:52:09+00:00https://simonwillison.net/2025/May/13/end-of-ai-upsells/#atom-tag

<p><strong><a href="https://www.saastr.com/atlassian-were-not-going-to-charge-more-customers-extra-for-ai-anymore-the-beginning-of-the-end-of-the-ai-upsell/">Atlassian: “We’re Not Going to Charge Most Customers Extra for AI Anymore”. The Beginning of the End of the AI Upsell?</a></strong></p> Jason Lemkin highlighting a potential new trend in the pricing of AI-enhanced SaaS:</p> <blockquote> <p>Can SaaS and B2B vendors really charge even more for AI … when it’s become core? And we’re already paying $15-$200 a month for a seat? [...]</p> <p>You can try to charge more, but if the competition isn’t — you’re going to likely lose. And if it’s core to the product itself … can you really charge more ultimately? Probably … not.</p> </blockquote> <p>It's impressive how quickly LLM-powered features are going from being part of the top tier premium plans to almost an expected part of most per-seat software. <p><small></small>Via <a href="https://twitter.com/jasonlk/status/1922301795180609880">@jasonlk</a></small></p> <p>Tags: <a href="https://simonwillison.net/tags/atlassian">atlassian</a>, <a href="https://simonwillison.net/tags/startups">startups</a>, <a href="https://simonwillison.net/tags/saas">saas</a>, <a href="https://simonwillison.net/tags/ai">ai</a>, <a href="https://simonwillison.net/tags/generative-ai">generative-ai</a>, <a href="https://simonwillison.net/tags/llms">llms</a></p>

2007-06-21T08:29:44+00:002007-06-21T08:29:44+00:00https://simonwillison.net/2007/Jun/21/crowd/#atom-tag

<p><strong><a href="http://confluence.atlassian.com/display/CROWD/Crowd 1.1.0 Release Notes">Crowd 1.1.0 Release Notes</a></strong></p> Atlassian software are now offering a commercial OpenID provider, with the ability to hook in to an existing LDAP directory and some smart whitelist / blacklist options. <p>Tags: <a href="https://simonwillison.net/tags/atlassian">atlassian</a>, <a href="https://simonwillison.net/tags/blacklisting">blacklisting</a>, <a href="https://simonwillison.net/tags/crowd">crowd</a>, <a href="https://simonwillison.net/tags/ldap">ldap</a>, <a href="https://simonwillison.net/tags/openid">openid</a>, <a href="https://simonwillison.net/tags/whitelisting">whitelisting</a></p>

2007-02-17T00:51:48+00:002007-02-17T00:51:48+00:00https://simonwillison.net/2007/Feb/17/wikipatterns/#atom-tag

<p><strong><a href="http://www.wikipatterns.com/display/wikipatterns/Wikipatterns">Wikipatterns</a></strong></p> Great idea this: a wiki documenting patterns for successfully growing your own wiki. <p>Tags: <a href="https://simonwillison.net/tags/atlassian">atlassian</a>, <a href="https://simonwillison.net/tags/patterns">patterns</a>, <a href="https://simonwillison.net/tags/wiki">wiki</a></p>