It's nothing groundbreaking nor particularly exploitive about MCP itself (although I have my thoughts on MCP), it's just a clever use of prompt injection and "viral" marketing by saying MCP was exploited. As I build agentic systems I always keep the philosophy of assume whatever you give the agent access to can be accessed by anyone accessing the agent. Never trust the LLM to be doing access control and use the person requesting the LLM take action as the primary principal (from a security standpoint) for the task an agent is doing.

This article does make me think about being more careful of what you give the agent access to while acting on your behalf though which is what we should be focusing on here. If it has access to your email and you tell it to go summarize your emails and someone sent a malicious prompt injection email that redirects the agent to forward your security reset token, that's the bad part that people may not be thinking about when building or using agents.