{"id":3608,"date":"2025-06-19T02:27:58","date_gmt":"2025-06-19T02:27:58","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=3608"},"modified":"2025-06-19T02:27:58","modified_gmt":"2025-06-19T02:27:58","slug":"asanas-mcp-ai-connector-could-have-exposed-corporate-data-csos-warned","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=3608","title":{"rendered":"Asana\u2019s MCP AI connector could have exposed corporate data, CSOs warned"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>CSOs with Asana\u2019s Model Context Protocol (MCP) server in their environment should scour their logs and metadata for data leaks after the discovery of a serious vulnerability.<\/p>\n<p>Asana, a software-as-a-service workplace management platform, said this week that its MCP server had been temporarily taken offline after it found what it called a bug. The server was <a href=\"https:\/\/status.asana.com\/\" target=\"_blank\" rel=\"noopener\">back online<\/a> Tuesday.<\/p>\n<p>But <a href=\"https:\/\/www.upguard.com\/blog\/asana-discloses-data-exposure-bug-in-mcp-server\" target=\"_blank\" rel=\"noopener\">according to researchers<\/a> at security provider Upguard, the hole, discovered June 4, could also have exposed data belonging to other users of Asana\u2019s work management platform.\u00a0<\/p>\n<p>Upguard quotes Asana saying the bug \u201ccould have potentially exposed certain information from your Asana domain to other Asana MCP users within the projects, teams, tasks, and other Asana objects of the MCP user\u2019s permissions.\u201d<\/p>\n<p>There is no indication that attackers have exploited the bug or that other users actually viewed the information accessible through the MCP bug, says Upguard.<\/p>\n<p>For its part, Asana says the vulnerability was not a result of a hack or malicious activity on its systems. CSO asked the company for comment, but no reply had been received by press time.<\/p>\n<p>The incident is more evidence that MCP is a protocol that\u2019s still in early development, says Kellman Meghu, principal security architect at Canadian consultancy DeepCove Cybersecurity. \u201cThis is a common problem with MCP servers, which is why we stay away from them. MCPs all have this issue.\u201d<\/p>\n<p>CSOs using MCP should limit the data it can access until cybersecurity controls are tightened, he said in an interview.<\/p>\n<h2 class=\"wp-block-heading\">What is MCP?<\/h2>\n<p><a href=\"https:\/\/www.infoworld.com\/article\/3613143\/anthropic-introduces-the-model-context-protocol.html\" target=\"_blank\" rel=\"noopener\">MPC<\/a> is a protocol <a href=\"https:\/\/www.anthropic.com\/news\/model-context-protocol\" target=\"_blank\" rel=\"noopener\">created by AI provider Anthropic<\/a> and open sourced last November. The company described it as\u00a0 \u201ca new standard for connecting AI assistants to the systems where data lives, including content repositories, business tools, and development environments. Its aim is to help frontier models produce better, more relevant responses.\u201d<\/p>\n<p>Developers can either expose their data through MCP servers, Anthropic said, or build AI applications (MCP clients) that connect to these servers. The idea is that, instead of maintaining separate connectors for each data source, developers can now build against a standard protocol.\u00a0Anthropic\u2019s Claude AI platform supports connecting MCP servers to the Claude Desktop app.<\/p>\n<p>According to Upguard, Asana released its MCP server May 1. The company\u2019s web page still refers to it as an \u201c<a href=\"https:\/\/developers.asana.com\/docs\/using-asanas-mcp-server\" target=\"_blank\" rel=\"noopener\">experimental beta tool<\/a>.\u201d<\/p>\n<p>\u201cYou may encounter bugs, errors, or unexpected results,\u201d it adds.<\/p>\n<p>Asana says its MPC server allows AI assistants and other applications to access the Asana Work Graph so customers can access Asana data from compatible AI applications, generate reports and summaries based on Asana data, and analyze project data and get AI-powered suggestions. Through it, an employee can ask an AI assistant, for example, \u201cFind all my incomplete tasks due this week\u201d, \u201cCreate a new task in the Marketing project assigned to me\u201d or \u201cShow me the status of the Q2 Planning project.\u201d<\/p>\n<p>As AI platforms like Claude, ChatGPT, Microsoft Copilot, and others multiply, developers are eager for ways, such as MCP, to connect them to existing enterprise productivity applications. However, <a href=\"https:\/\/www.cio.com\/article\/3987692\/new-agentic-ai-tools-bring-new-threat-agent-sprawl.html\" target=\"_blank\" rel=\"noopener\">there have been warnings<\/a> that these AI agents, some of which come from AI platform providers themselves, have security risks.<\/p>\n<p>DeepCove Cybersecurity\u2019s Meghu notes that some AI broker agents, like MCP, are actually long-lived server-TCP connections. He prefers a connection solution using the <a href=\"https:\/\/www.infoworld.com\/article\/2335814\/what-is-retrieval-augmented-generation-more-accurate-and-reliable-llms.html\" target=\"_blank\" rel=\"noopener\">RAG model<\/a> (retrieval augmented generation) with an API call that can be authenticated for security. Among other benefits, RAG can be configured to search only approved data and not information used in training that may include sensitive information.<\/p>\n<p>\u201cThis is where the lessons we\u2019ve learned in terms of [data] segmentation and how we handle direct APIs are applicable [to AI systems],\u201d he said, \u201cbut they threw that out and went with these long-lived TCP connections that can\u2019t really be monitored. By the time it [a data leak] happens, it\u2019s too late.\u201d<\/p>\n<p>Depending on what it connects to, an MCP server can be \u201ca huge, massive attack vector,\u201d Meghu said. For example, he said, if the MCP server is connected to a SIEM (security information and event monitoring) platform for analysis of log data, a threat actor might try to access that server to gather data.<\/p>\n<p>\u201cWhere do you situate this thing [an MCP server] is a great question\u201d \u2014 one that CSOs need to answer, he said.<\/p>\n<p>\u201cI think, like all [new] protocols, it\u2019s too early to put it into production,\u201d he added. \u201cThey rushed this out. I think there are better ways to do this that we haven\u2019t figured out yet \u2026 Why couldn\u2019t we build on known protocols like JSON, RestAPI? Why did this have to be a special service? They didn\u2019t think about access control as part of the protocol?\u201d<\/p>\n<p>\u201cI expect lots of protocols like this to appear, and hopefully some of them will be built from the ground up with security in mind \u2013 audit control, authentication of each call-in,\u201d he said.<\/p>\n<h2 class=\"wp-block-heading\">Advice for CSOs<\/h2>\n<p>He advised CSOs to limit the data MCP projects can access, and audit who has been accessing that data. \u201cI think we have a lot to learn,\u201d he said.<\/p>\n<p>Upguard says CSOs integrating any large language model (LLM) into their IT systems should:<\/p>\n<p><strong>limit scope aggressively<\/strong>: Ensure that context servers like MCP enforce strict tenant isolation and least-privilege access;<\/p>\n<p><strong>log everything<\/strong>: Maintain granular logs of all requests, especially LLM-generated queries, to support forensic investigations;<\/p>\n<p><strong>ensure manual oversight during reintroduction<\/strong>: Automated re-connections or retraining pipelines should be paused when incidents arise;<\/p>\n<p><strong>treat internal bugs seriously<\/strong>: Even internal software flaws can have real-world exposure consequences.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>CSOs with Asana\u2019s Model Context Protocol (MCP) server in their environment should scour their logs and metadata for data leaks after the discovery of a serious vulnerability. Asana, a software-as-a-service workplace management platform, said this week that its MCP server had been temporarily taken offline after it found what it called a bug. The server [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":3603,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-3608","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/3608"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=3608"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/3608\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/3603"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=3608"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=3608"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=3608"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}