4 posts tagged “atlassian”
2025
Cato CTRL™ Threat Research: PoC Attack Targeting Atlassian’s Model Context Protocol (MCP) Introduces New “Living off AI” Risk. Stop me if you've heard this one before:
- A threat actor (acting as an external user) submits a malicious support ticket.
- An internal user, linked to a tenant, invokes an MCP-connected AI action.
- A prompt injection payload in the malicious support ticket is executed with internal privileges.
- Data is exfiltrated to the threat actor’s ticket or altered within the internal system.
It's the classic lethal trifecta exfiltration attack, this time against Atlassian's new MCP server, which they describe like this:
With our Remote MCP Server, you can summarize work, create issues or pages, and perform multi-step actions, all while keeping data secure and within permissioned boundaries.
That's a single MCP that can access private data, consume untrusted data (from public issues) and communicate externally (by posting replies to those public issues). Classic trifecta.
It's not clear to me if Atlassian have responded to this report with any form of a fix. It's hard to know what they can fix here - any MCP that combines the three trifecta ingredients is insecure by design.
My recommendation would be to shut down any potential exfiltration vectors - in this case that would mean preventing the MCP from posting replies that could be visible to an attacker without at least gaining human-in-the-loop confirmation first.
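As an added example that is not code from the original post, Cato CTRL or Atlassian, the Python below implements the recommendation above as a taint-tracking gate in front of MCP tool calls: once a session has ingested untrusted or private content, any externally visible write needs human confirmation. The tool names and capability flags are assumptions, and the scenario replays the four steps of the ticket attack.

```python
"""Constructed example: a 'lethal trifecta' gate for MCP tool calls."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Tool:
    name: str
    reads_private: bool = False      # touches tenant-internal data
    ingests_untrusted: bool = False  # reads content an outsider can author
    external_write: bool = False     # output visible outside the tenant


@dataclass
class Session:
    """Taints accumulate over a whole agent run, not per call."""
    read_private: bool = False
    saw_untrusted: bool = False
    audit: list = field(default_factory=list)


def gate(session: Session, tool: Tool, confirmed: bool = False) -> str:
    """Return 'allow' or 'needs_confirmation' and record the decision.

    An externally visible write is auto-approved only while the session has
    touched neither untrusted input (output may be attacker-steered) nor
    private data (output may leak it); otherwise a human must confirm first.
    """
    tainted = session.saw_untrusted or session.read_private
    if tool.external_write and tainted and not confirmed:
        decision = "needs_confirmation"
    else:
        decision = "allow"
        session.read_private |= tool.reads_private
        session.saw_untrusted |= tool.ingests_untrusted
    session.audit.append((tool.name, decision))
    return decision


# Assumed tool catalogue mirroring the post's scenario (names are made up).
READ_TICKET = Tool("jira.get_issue", reads_private=True, ingests_untrusted=True)
READ_PAGE = Tool("confluence.get_page", reads_private=True)
POST_REPLY = Tool("jira.add_comment", external_write=True)


def run_ticket_scenario(confirmed: bool = False) -> list:
    """Replay the four steps: an internal user summarises a ticket an outsider
    wrote, the agent reads internal context, then tries to reply publicly."""
    s = Session()
    gate(s, READ_TICKET)                      # untrusted body + private fields
    gate(s, READ_PAGE)                        # more private data enters context
    gate(s, POST_REPLY, confirmed=confirmed)  # the exfiltration vector
    return s.audit
```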
Atlassian: “We’re Not Going to Charge Most Customers Extra for AI Anymore”. The Beginning of the End of the AI Upsell? (via) Jason Lemkin highlighting a potential new trend in the pricing of AI-enhanced SaaS:
Can SaaS and B2B vendors really charge even more for AI … when it’s become core? And we’re already paying $15-$200 a month for a seat? [...]
You can try to charge more, but if the competition isn’t — you’re going to likely lose. And if it’s core to the product itself … can you really charge more ultimately? Probably … not.
It's impressive how quickly LLM-powered features are going from being part of the top tier premium plans to almost an expected part of most per-seat software.
2007
Crowd 1.1.0 Release Notes. Atlassian are now offering a commercial OpenID provider, with the ability to hook into an existing LDAP directory and some smart whitelist / blacklist options.
Wikipatterns. Great idea this: a wiki documenting patterns for successfully growing your own wiki.