The Model Context Protocol (MCP) is quickly becoming the connective tissue between AI agents and the outside world. But its design decisions and assumptions have created 'seamless' AI integration into a dangerous attack surface.
What was built to standardize and simplify agent–tool integrations is now riddled with trust gaps that can be exploited to seize control of entire workflows.

This talk is an offensive tour of MCP’s weak spots. We’ll demonstrate how attackers can:

Poison tool descriptions to hijack an agent’s behavior.

Exploit line-jumping attacks to execute code before a user ever calls a tool.

Abuse shared memory and unvalidated context for stealthy persistence and exfiltration.

Pull off version-drift rug pulls, quietly swapping safe tools for malicious ones.

Through live demos and real attack scenarios, we’ll show how little effort it takes to weaponize MCP’s core features against unsuspecting users. By the end, you’ll see why MCP should be treated less like an integration protocol and more like an attack surface.