Table of Contents
Fetching ...

MPMA: Preference Manipulation Attack Against Model Context Protocol

Zihan Wang, Rui Zhang, Yu Liu, Wenshu Fan, Wenbo Jiang, Qingchuan Zhao, Hongwei Li, Guowen Xu

TL;DR

The paper introduces MPMA, a new security threat against MCP-based LLM agents operating in competitive ecosystems, and presents two attack frameworks—DPMA and GAPMA—that manipulate MCP tool metadata to bias LLM tool selection for economic gain. DPMA directly injects manipulative words, achieving high effectiveness but low stealth, while GAPMA leverages advertising strategies and a genetic algorithm to balance robustness and inconspicuousness. Through extensive experiments across multiple MCP servers and base LLMs, GAPMA generally achieves strong attack efficacy with improved stealth, and DPMA demonstrates high ASR in many settings. The work highlights urgent defense needs to preserve fairness and resilience in MCP ecosystems, including defense tooling and trusted labeling mechanisms.

Abstract

Model Context Protocol (MCP) standardizes interface mapping for large language models (LLMs) to access external data and tools, which revolutionizes the paradigm of tool selection and facilitates the rapid expansion of the LLM agent tool ecosystem. However, as the MCP is increasingly adopted, third-party customized versions of the MCP server expose potential security vulnerabilities. In this paper, we first introduce a novel security threat, which we term the MCP Preference Manipulation Attack (MPMA). An attacker deploys a customized MCP server to manipulate LLMs, causing them to prioritize it over other competing MCP servers. This can result in economic benefits for attackers, such as revenue from paid MCP services or advertising income generated from free servers. To achieve MPMA, we first design a Direct Preference Manipulation Attack (DPMA) that achieves significant effectiveness by inserting the manipulative word and phrases into the tool name and description. However, such a direct modification is obvious to users and lacks stealthiness. To address these limitations, we further propose Genetic-based Advertising Preference Manipulation Attack (GAPMA). GAPMA employs four commonly used strategies to initialize descriptions and integrates a Genetic Algorithm (GA) to enhance stealthiness. The experiment results demonstrate that GAPMA balances high effectiveness and stealthiness. Our study reveals a critical vulnerability of the MCP in open ecosystems, highlighting an urgent need for robust defense mechanisms to ensure the fairness of the MCP ecosystem.

MPMA: Preference Manipulation Attack Against Model Context Protocol

TL;DR

The paper introduces MPMA, a new security threat against MCP-based LLM agents operating in competitive ecosystems, and presents two attack frameworks—DPMA and GAPMA—that manipulate MCP tool metadata to bias LLM tool selection for economic gain. DPMA directly injects manipulative words, achieving high effectiveness but low stealth, while GAPMA leverages advertising strategies and a genetic algorithm to balance robustness and inconspicuousness. Through extensive experiments across multiple MCP servers and base LLMs, GAPMA generally achieves strong attack efficacy with improved stealth, and DPMA demonstrates high ASR in many settings. The work highlights urgent defense needs to preserve fairness and resilience in MCP ecosystems, including defense tooling and trusted labeling mechanisms.

Abstract

Model Context Protocol (MCP) standardizes interface mapping for large language models (LLMs) to access external data and tools, which revolutionizes the paradigm of tool selection and facilitates the rapid expansion of the LLM agent tool ecosystem. However, as the MCP is increasingly adopted, third-party customized versions of the MCP server expose potential security vulnerabilities. In this paper, we first introduce a novel security threat, which we term the MCP Preference Manipulation Attack (MPMA). An attacker deploys a customized MCP server to manipulate LLMs, causing them to prioritize it over other competing MCP servers. This can result in economic benefits for attackers, such as revenue from paid MCP services or advertising income generated from free servers. To achieve MPMA, we first design a Direct Preference Manipulation Attack (DPMA) that achieves significant effectiveness by inserting the manipulative word and phrases into the tool name and description. However, such a direct modification is obvious to users and lacks stealthiness. To address these limitations, we further propose Genetic-based Advertising Preference Manipulation Attack (GAPMA). GAPMA employs four commonly used strategies to initialize descriptions and integrates a Genetic Algorithm (GA) to enhance stealthiness. The experiment results demonstrate that GAPMA balances high effectiveness and stealthiness. Our study reveals a critical vulnerability of the MCP in open ecosystems, highlighting an urgent need for robust defense mechanisms to ensure the fairness of the MCP ecosystem.
Paper Structure (22 sections, 6 equations, 7 figures, 6 tables, 1 algorithm)

This paper contains 22 sections, 6 equations, 7 figures, 6 tables, 1 algorithm.

Figures (7)

  • Figure 1: The workflow of the MCP-based LLM agent. It can be divided into four steps, namely: ❶ task planning, ❷ tool selection, ❸ tool calling, ❹ conclusion and output.
  • Figure 2: The attack scenario of the MPMA.
  • Figure 3: The attack overview of the MPMA. It respectively describes the benign process and the attack effects under the conditions of $\mathtt{DPMA}$ and $\mathtt{GAPMA}$ strategies from top to bottom.
  • Figure 4: The experimental results of $\mathtt{DPMA}$ on 5 base LLMs and 8 MCP servers.
  • Figure 5: The stealthiness experimental result of $\mathtt{DPMA}$ and $\mathtt{GAPMA}$ utilizing the LLM-as-a-judge and human evaluation. The RD and BD mean raw description and best description, and w/ and w/o mean whether to utilize GA.
  • ...and 2 more figures