{"id":5786,"date":"2025-11-13T14:05:00","date_gmt":"2025-11-13T14:05:00","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=5786"},"modified":"2025-11-13T14:05:00","modified_gmt":"2025-11-13T14:05:00","slug":"rogue-mcp-servers-can-take-over-cursors-built-in-browser","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=5786","title":{"rendered":"Rogue MCP servers can take over Cursor\u2019s built-in browser"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>AI agents and coding copilots are shaking up how \u2014 and what \u2014 developers code. But they\u2019re also rapidly expanding the attack surface of developer machines.<\/p>\n<p>The latest example: Security researchers have shown how a rogue Model Context Protocol (MCP) server can inject malicious code into the built-in browser feature of Cursor, a popular AI-powered code editor.<\/p>\n<p>\u201cWe demonstrate how a single malicious MCP server can replace login pages inside Cursor\u2019s internal browser with an attacker-controlled page that harvests credentials and sends them to a remote attacker,\u201d researchers from AI cybersecurity firm Knostic.ai wrote in <a href=\"https:\/\/www.knostic.ai\/blog\/mcp-hijacked-cursor-browser\">new research<\/a> shared with CSO. 
\u201cWe also show how that same capability allows an attacker to fully compromise the victim\u2019s workstation.\u201d<\/p>\n<p>Originally developed by Anthropic to facilitate communication between large language models (LLMs) and external data sources or applications to improve workflow context, MCP has become a key component for developing AI agents that automate tasks by leveraging external tools.<\/p>\n<p>The protocol uses a client-server architecture, in which applications expose functionality to LLMs through an MCP server and AI agents or applications connect to those services through an MCP client. Integrated development environments (IDEs) such as Microsoft\u2019s Visual Studio Code \u2014 and those based on it, like Cursor and Windsurf \u2014 natively support integration with MCP servers.<\/p>\n<p>To enhance security, most IDE vendors maintain repositories with vetted MCP servers, but IDE users can also deploy custom servers manually. Such servers can be found all over the internet, including GitHub. Earlier this year, researchers found hundreds of MCP servers in public GitHub repositories that <a href=\"https:\/\/www.csoonline.com\/article\/4012712\/misconfigured-mcp-servers-expose-ai-agent-systems-to-compromise.html\">had dangerous misconfigurations<\/a>, including default exposure to untrusted networks and OS command injection paths.<\/p>\n<h2 class=\"wp-block-heading\">Attacking Cursor and other VS Code-based IDEs<\/h2>\n<p>Cursor is essentially a fork of VS Code with code added to turn it into an AI-assisted coding tool, whereas VS Code gets its AI capabilities through extensions. Knostic researcher Dor Munis, who developed the MCP attack against Cursor, told CSO that unlike VS Code, which performs integrity checks of its own files, Cursor does not. 
As a result, any modification of its own code will not present the user with a warning.<\/p>\n<p>VS Code, and by extension Cursor and other VS Code forks, is built on Electron, a framework used to develop cross-platform applications with Node.js and the Blink browser engine from Chrome. Because of this, these applications employ a JavaScript interpreter. As IDEs, they also have file system access and elevated permissions to perform tasks.<\/p>\n<p>Knostic researchers recently published <a href=\"https:\/\/www.knostic.ai\/blog\/demonstrating-code-injection-vscode-cursor\">a proof-of-concept attack against Cursor implemented through a malicious extension<\/a> that injected malicious JavaScript into the running IDE to execute actions and manipulate its user interface. Malicious extensions have also been found <a href=\"http:\/\/csoonline.com\/article\/4072829\/tigerjacks-malicious-vscode-extensions-mine-steal-and-stay-hidden.html\">in the VSCode Marketplace and the OpenVSX registry<\/a>, which Cursor also uses, including <a href=\"https:\/\/www.csoonline.com\/article\/4076718\/self-propagating-worm-found-in-marketplaces-for-visual-studio-code-extensions-2.html\">a self-propagating worm that harvests credentials<\/a> from developer machines.<\/p>\n<p>Knostic\u2019s newly unveiled attack is similar in concept, but delivered via a malicious MCP server, it expands the attack surface beyond extensions.<\/p>\n<p>\u201cAn MCP server should be treated exactly like VS Code extensions in terms of security,\u201d Munis said. 
That\u2019s because MCP servers are essentially downloaded to run on your computer, and inherit the permissions of the IDE you use, he explained.<\/p>\n<p>In his proof-of-concept attack, Munis shows that an MCP server can inject JavaScript code into <a href=\"https:\/\/cursor.com\/docs\/agent\/browser\">the built-in browser<\/a> that Cursor recently added to allow developers to visually test changes to their application code and to allow Cursor\u2019s AI agent to automatically perform tasks that require browsing. Using this technique, Munis replaced the browser\u2019s actively displayed page with a log-in prompt, as in a phishing scenario, but without the URL ever changing \u2014 in other words, the injected code\u2019s changes happen on the fly.<\/p>\n<p>Of course, the impact of such an attack would depend on what the victim is doing in the browser. Developers might be displaying sensitive data from the web app they\u2019re working on, or they might be logged into a service. It\u2019s worth noting that the internal browser saves authentication cookies for the session, and those could also be targeted.<\/p>\n<p>The attack was developed to prove successful JavaScript code injection via an MCP server, but just like with the extension attack, it could be expanded to perform other malicious actions inside the Cursor IDE itself.<\/p>\n<h2 class=\"wp-block-heading\">Defenses<\/h2>\n<p>Organizations must review and control, both through policy and access controls, the IDE extensions and MCP servers their developers use. 
They should do this just as they should vet application dependencies from package registries such as npm or PyPI, to prevent developer machines from being compromised or vulnerabilities from being inherited into their code.<\/p>\n<p>Attackers are increasingly using VS Code extensions as an attack vector to target developers, and it\u2019s only a matter of time before they start abusing MCP servers more widely.<\/p>\n<p>\u201cTry to find the project\u2019s GitHub repo and review the code,\u201d the Knostic team advised. \u201cThis is a program you install on your computer that can do anything. If there\u2019s doubt about its credibility, DO NOT USE IT.\u201d<\/p>\n<p>Auto-run modes, in which agents are allowed to perform tasks automatically inside the IDE without a human approving the steps (also known as YOLO mode), should also be avoided.<\/p>\n<p>\u201cNever blindly enable anything, especially MCP functionality,\u201d the team warned. \u201cDon\u2019t assume that everything your AI agent generated is as you expected. Read through the code before you perform actions in the embedded browser.\u201d<\/p>\n<p><a href=\"https:\/\/cursor.com\/docs\/context\/mcp#security-considerations\">In its MCP documentation<\/a>, Cursor itself warns developers to:<\/p>\n<ul>\n<li>Verify an MCP server\u2019s source and only install from trusted developers and repositories<\/li>\n<li>Check what data and APIs the server is supposed to access<\/li>\n<li>Use API keys with restricted permissions<\/li>\n<li>Audit the server\u2019s code for critical integrations<\/li>\n<\/ul>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>AI agents and coding copilots are shaking up how \u2014 and what \u2014 developers code. 
But they\u2019re also rapidly expanding the attack surface of developer machines. The latest example: Security researchers have shown how a rogue Model Context Protocol (MCP) server can inject malicious code into the built-in browser feature of Cursor, a popular AI-powered [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":5783,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-5786","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/5786"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=5786"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/5786\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/5783"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=5786"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=5786"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=5786"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}