Why LLM Authorization is Hard
Blog post from Oso
The General Analysis blog highlights a vulnerability in the Supabase MCP agent, showing how private data can be leaked without elevating user or agent privileges. Two factors combined: the agent cannot distinguish data from instructions, and it connected to the database with an overprivileged account. The exploit placed a malicious prompt in a support ticket that tricked the agent into revealing sensitive information, demonstrating how hard it is to authorize Large Language Model (LLM) applications.

LLMs, which operate on numerical data representations, need broad potential permissions but narrow effective permissions to prevent unauthorized data access. The post stresses the importance of strong authorization in LLM applications to mitigate the risks of natural-language input, which is easily misunderstood or manipulated. It argues for resource-level authorization rather than route-level authorization, and suggests techniques such as impersonation so that the LLM operates under the least-privilege principle, minimizing the opportunities for exploitation. By closing these authorization gaps, developers can align what the LLM can do with the permissions of the requesting user and the needs of the specific task, improving the security of AI-driven applications.
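To make the route-level versus resource-level distinction concrete, here is an added Python illustration (not code from the Oso post, Supabase, or General Analysis) of a read tool exposed to an agent. The "service role" path models the overprivileged connection; the impersonation path runs every tool call with the requesting user's effective permissions. Users, table names and the token value are constructed placeholders.

```python
from dataclasses import dataclass

# Constructed sample data standing in for the application's database.
TABLES = {
    "support_tickets": [
        {"id": 1, "owner": "alice", "body": "Login fails after reset"},
        {"id": 2, "owner": "bob", "body": "Billing question"},
    ],
    "integration_tokens": [
        {"owner": "bob", "token": "tok_PLACEHOLDER_NOT_REAL"},
    ],
}


@dataclass(frozen=True)
class User:
    name: str
    role: str  # "customer" or "support_agent"


class AuthorizationError(Exception):
    pass


def may_read(user: User, table: str, row: dict) -> bool:
    """Resource-level policy: decided per row, not per route."""
    if table == "support_tickets":
        return user.role == "support_agent" or row["owner"] == user.name
    if table == "integration_tokens":
        return row["owner"] == user.name  # secrets are only ever self-readable
    return False


def read_as_service_role(table: str) -> list:
    """Overprivileged pattern: the agent's connection bypasses all row policy."""
    return list(TABLES[table])


def read_as_user(user: User, table: str) -> list:
    """Impersonation pattern: narrow the broad tool to the caller's permissions."""
    return [row for row in TABLES[table] if may_read(user, table, row)]


def run_tool(user: User, tool_request: dict, impersonate: bool = True) -> list:
    """tool_request is whatever the model asked for; it is untrusted input.

    Route-level auth already let `user` reach the support endpoint; that tells
    us nothing about whether this particular table/row should be returned.
    """
    table = tool_request.get("table")
    if table not in TABLES:
        raise AuthorizationError(f"unknown resource {table!r}")
    if impersonate:
        return read_as_user(user, table)
    return read_as_service_role(table)
```

The test exercises the leak the post describes: a model nudged into requesting the tokens table on behalf of one customer returns another customer's secret under the service-role path and nothing under impersonation.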