Overview
An attacker injects a message into a Heroku-hosted web service to trick the MCP-connected agent into transferring ownership of the Heroku application to the attacker. The attack demonstrates prompt injection through application-level data affecting infrastructure management.
Who Is Affected
Discovered by Tramlines.io researchers. The attack targets developers who manage Heroku applications through MCP-connected agents that have Heroku management permissions.
Where It Exists
The attack surface is any user-controllable content in a Heroku-hosted application (logs, error messages, user input displays) that the MCP agent might read during normal operations.
When It Was Found
Published June 30, 2025. It represents a new class of prompt injection that bridges web application content and cloud infrastructure management.
How It Works
An attacker plants a prompt injection payload in content that the Heroku MCP agent will process (e.g., application logs, error pages, or database records). The payload instructs the agent to use the Heroku MCP server's ownership transfer tool to reassign the application to the attacker's Heroku account. If the agent has sufficient permissions, the transfer executes without additional confirmation.
Impact
Complete loss of control over Heroku applications, including deployed code, databases, environment variables (containing secrets), custom domains, and billing. The attacker gains full ownership and can access all application data, modify code, or hold the application for ransom.
Mitigation
Restrict MCP agent permissions to read-only for infrastructure management where possible. Require multi-factor confirmation for destructive operations like ownership transfers. Implement content sanitization for all data the agent processes from external sources. Use separate MCP sessions for application monitoring and infrastructure management.
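One way to enforce the read-only default, the confirmation requirement and the session split in a gate placed between the agent and the MCP server. This is an added example, not code from Tramlines.io or the Heroku MCP server; the tool names, the Session class and the authorize function are hypothetical and stand in for whatever your server exposes.

```python
from dataclasses import dataclass, field

# Hypothetical tool names; substitute the names your MCP server actually exposes.
READ_ONLY = {"list_apps", "get_app_info", "get_app_logs"}
DESTRUCTIVE = {"transfer_app", "delete_app", "set_config_var"}
# Tools whose results carry user-controllable content (logs, error pages, DB rows).
UNTRUSTED_SOURCES = {"get_app_logs"}


@dataclass
class Session:
    """One MCP session; role separates monitoring from infrastructure management."""
    role: str                  # "monitoring" or "infra"
    tainted: bool = False      # set once untrusted content enters the agent context
    audit: list = field(default_factory=list)


def authorize(session, tool, confirm=None):
    """Return (allowed, reason) for a tool call the agent proposes.

    confirm is an out-of-band callback (for example an MFA prompt to a human)
    returning bool; the agent itself must never be able to answer it.
    """
    if tool in READ_ONLY:
        decision = (True, "read-only")
    elif tool not in DESTRUCTIVE:
        decision = (False, "unknown tool: default deny")
    elif session.role != "infra":
        decision = (False, "monitoring session is read-only")
    elif session.tainted:
        # Anything read from the app may carry injected instructions, so a
        # session that has seen it loses the ability to change infrastructure.
        decision = (False, "session has read untrusted content")
    elif confirm is None or not confirm(tool):
        decision = (False, "out-of-band confirmation missing or refused")
    else:
        decision = (True, "confirmed by operator")
    if decision[0] and tool in UNTRUSTED_SOURCES:
        session.tainted = True
    session.audit.append((tool, *decision))
    return decision
```

The taint flag is deliberately one-way: once a session has read application content, destructive calls require a fresh infrastructure session rather than a cleared flag.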