upvote

points

by CGamesPlay149 days ago |
comments
upvoteby minznerjosh148 days ago|
next
[-]
Yup. ChatGPT did not have proper MCP support until now. They only supported MCP for connecting Deep Research to additional data sources, and for that, your MCP server had to implement two specific tools that Deep Research is able to call.

What’s being released here is really just proper MCP support in ChatGPT (like Claude has had for ages now) though their instructions regarding needing to specific about which tools to use make me wonder how effective it will be compared to Claude. I assume it’s hidden behind “Developer Mode” to discourage the average ChatGPT user from using it given the risks around giving an LLM read/write access to potentially sensitive data.

reply
upvoteby simonw149 days ago|
prev|
next
[-]
If you have an MCP tool that can perform write actions and you use it in a context where an attacker may be able to sneak their own instructions into the model (classic prompt injection) that attacker can make that MCP tool do anything they want.
reply
upvoteby CGamesPlay149 days ago|
parent|
[-]
How is this "developer mode" different than just connecting the MCP normally and prompt injecting it to use the same tools?
reply
upvoteby simonw149 days ago|
parent|
[-]
It's no different. This just brings that unsafe anti-pattern to the ChatGPT consumer app itself - albeit hidden behind an option with a scary name that might hopefully discourage many users who don't understand the consequences from turning it on.
reply
upvoteby AdieuToLogic149 days ago|
prev|
next
[-]
> Two replies to this comment have failed to address my question. I must be missing something obvious.

Since one of these replies is mine, let me clarify.

From the documentation:

  When using developer mode, watch for prompt injections and 
  other risks, model mistakes on write actions that could 
  destroy data, and malicious MCPs that attempt to steal 
  information.
The first warning is equivalent to a SQL injection attack[0].

The second warning is equivalent to promoting untested code into production.

The last warning is equivalent to exposing SSH to the Internet, configured such that your account does not require a password to successfully establish a connection, and then hoping no one can guess your user name.

0 - https://owasp.org/www-community/attacks/SQL_Injection

reply
upvoteby AdieuToLogic149 days ago|
prev|
[-]
> I don't understand how this is dangerous.

From literally the very first sentences in the linked resource:

  ChatGPT developer mode is a beta feature that provides full 
  Model Context Protocol (MCP) client support for all tools, 
  both read and write. It's powerful but dangerous ...
reply