A vulnerability has been identified in GitHub MCP Server, GitHub's implementation of the Model Context Protocol (MCP), that allows data to be extracted from the private repositories of users who use AI assistants to automate work with their repositories.
MCP is designed to connect AI models with various data sources. GitHub MCP Server provides seamless integration of large language models with the GitHub API and supplies these models with additional context by extracting data from GitHub repositories. Models that use MCP can be used to automate certain actions on GitHub, for example, to analyze errors.
The essence of the vulnerability is that, by interacting with a large language model connected to GitHub, an attacker can obtain confidential data about the user who linked the AI agent to their GitHub account. The attacker can place a specially crafted issue in a public repository for which automation based on a large language model is used. Once activated, the model creates a pull request with a proposed solution. Accordingly, if the issue concerns private repositories or confidential data, the model can disclose that information in the proposed pull request.

For example, an issue was submitted complaining that the author is not named in the README file. As a solution, the issue proposed adding to the README information about the author and a list of all repositories the author has worked with. As a result, the model created a pull request containing information, including personal information about the author extracted from a private repository, as well as a list of private repositories. In the next stage, the same kind of interaction with the model can be used to obtain data from a specific private repository.
To activate the AI agent, the repository owner must give the command to analyze issue reports. If GitHub is connected to the Claude AI service, it is enough for the repository owner to send the AI assistant a request to “look at the issues in my open-source code and fix them” for information to be disclosed. The AI assistant then uses the configured MCP integration with the GitHub account and carries out the instructions contained in the issues.
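The flow described above (issue text from a public repository, then reads of private data, then a pull request to the public repository) can be blocked at the tool-call layer. The following Python example is added here and is not code from GitHub MCP Server or from the original report; the tool names, repository names and the `SessionGuard` policy are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed data: which repositories are private. A real gate would ask the GitHub API.
PRIVATE_REPOS = {"alice/payroll", "alice/home-address"}
# Hypothetical tool names, grouped by what they do to the model's context.
ISSUE_READS = {"list_issues", "get_issue"}               # third-party text enters the context
DATA_READS = {"get_file_contents", "list_repositories"}  # account data enters the context
WRITES = {"create_pull_request", "add_issue_comment"}    # context leaves the account


@dataclass
class SessionGuard:
    """Per-session gate: untrusted public text and private data must not meet."""
    tainted_by: Optional[str] = None             # public repo whose issues were read
    private_seen: set = field(default_factory=set)

    def check(self, tool: str, repo: Optional[str]):
        # repo=None models an account-wide call (e.g. listing every repository).
        private = repo is None or repo in PRIVATE_REPOS
        if tool in ISSUE_READS and not private:
            self.tainted_by = self.tainted_by or repo
            return True, "ok"
        if tool in ISSUE_READS or tool in DATA_READS:
            if private and self.tainted_by:
                return False, f"private read after issue text from {self.tainted_by}"
            if private:
                self.private_seen.add(repo or "<account>")
            return True, "ok"
        if tool in WRITES:
            if not private and self.private_seen:
                return False, f"public write after reading {sorted(self.private_seen)}"
            return True, "ok"
        return False, f"unknown tool {tool!r}"   # default deny


def replay(calls):
    """Run a list of (tool, repo) calls through a fresh guard; return allow/deny flags."""
    guard = SessionGuard()
    return [guard.check(tool, repo)[0] for tool, repo in calls]


# Constructed session mirroring the article: the README issue asks for a repository list.
ARTICLE_SESSION = [
    ("list_issues", "alice/public-site"),
    ("get_file_contents", "alice/public-site"),
    ("list_repositories", None),
    ("get_file_contents", "alice/payroll"),
    ("create_pull_request", "alice/public-site"),
]
```

Because denied reads never enter the context, the final pull request in `ARTICLE_SESSION` is still allowed but can only contain data from the public repository.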