Essential Insights
- Insecurity in Cursor: The AI-powered developer environment Cursor does not verify the integrity of its runtime components, which lets an attacker inject malicious JavaScript into its embedded browser, harvest user credentials and threaten the software development supply chain.
- Lack of Integrity Checks: Unlike Visual Studio Code, Cursor performs no integrity checks on its extension code, making its runtime components a higher-risk target for tampering, as cybersecurity researchers at Knostic found.
- Privileged Access Exploitation: Using a malicious Model Context Protocol (MCP) server, the researchers showed how an attacker could use the server's broad permissions to modify Cursor's runtime components and execute arbitrary code inside the embedded browser.
- Mitigation Recommendations: Developers should review the source of every MCP server and extension before installing it, avoid auto-run modes, and scrutinize AI-generated code before acting on it.
An inherent insecurity in the increasingly popular artificial intelligence (AI)-powered developer environment Cursor allows attackers to take over its browser to deliver credential-stealing attacks. The flaw allows for JavaScript injection to circumvent Cursor’s own controls, and demonstrates a threat to the overall agentic AI-assisted developer ecosystem.
Researchers at cybersecurity vendor Knostic discovered the attack vector, which exploits Cursor’s failure to perform integrity checks on features specific to the development environment, according to a recent blog post. Other coding environments, such as Visual Studio (VS) Code, perform these checks and, thus, add a security layer the Cursor AI environment doesn’t have.
“That difference makes Cursor’s runtime components a higher-risk target for tampering,” Knostic researcher Dor Munis wrote in the post. Indeed, researchers have discovered various weaknesses and flaws in these emerging AI-assisted developer tools that pose new threats to the software development supply chain.
Knostic demonstrated Cursor's insecurity in an attack that replaced the login pages shown in Cursor's internal browser with a look-alike page that harvests credentials and forwards them to a remote attacker. The researchers also showed how an attacker can use the same access to compromise the victim's workstation.
MCP Server Used for Exploitation
Knostic abused a Model Context Protocol (MCP) server to take advantage of the weakness, which in this scenario gave the attacker privileged access to the environment. MCP servers are programs that expose specific capabilities, such as tools and data sources, to AI applications over a standard protocol interface.
“Since MCP servers also require broad permissions to function, it can be catastrophic when MCP servers are abused: components can modify themselves, escalate privileges, and gain new capabilities without user visibility,” Munis wrote.
To exploit the insecurity they found in Cursor, the researchers first built a proof-of-concept malicious MCP server, then wrote a script that modifies Cursor's unverified code at the point where an MCP server is registered. "This allowed us to inject arbitrary code and hijack the internal browser," Munis explained.
The researchers did this by locating Cursor's extension in the local extensions directory; modifying it required neither elevated permissions nor a checksum recalculation in product.json, he said. They then assigned document.body.innerHTML = [HTML_PAYLOAD], which overwrote the entire page body and bypassed UI-level checks. "This ensured the attacker-controlled content was what the user saw," Munis wrote.
In the next attack stage, the researchers searched for the browser-tab-id and replaced it with a payload that executed a command in Cursor to run JavaScript inside the embedded browser. From that point on, every browser tab Cursor opened executed the malicious code, Munis said.
No Flaw to Fix, But Attack Can Be Mitigated
Knostic informed Cursor that it was publishing the research, but Knostic emphasized that there is no flaw for Cursor's developers to fix; instead, the attack demonstrates the inherent insecurity of the environment. "This is basic functionality of how [Cursor] works, but we did inform them and made sure they agree," Knostic's CEO and founder Gadi Evron tells Dark Reading.
The point is that Cursor and other AI developer tools are often built in an inherently vulnerable way, exposing the broader developer ecosystem to threats. Indeed, other security researchers have also warned that while AI-assisted development offers convenience, it introduces an entirely new attack surface.
“The new supply-chain risks associated with agents are significant, and organizations have minimal visibility into their use,” Munis wrote. “MCP servers, extensions, and even simple prompts can potentially execute code in a user’s environment, and by extension, the corporate network, without their knowledge.”
To mitigate these inherent risks, developers using these tools should triple-check every MCP server and extension they add, find the project's GitHub repository, and review the code before installing it.
“This is a program you install on your computer that can do anything,” Munis cautioned. “If there’s doubt about its credibility, DO NOT USE IT.”
Munis also recommended that developers “never blindly enable anything, especially MCP functionality,” and avoid using auto-run modes. As a general rule when using AI agents for code generation, developers should review code before performing actions in the embedded browser rather than assuming that everything the AI agent generates is as expected, he added.
