WhatsApp Message Exfiltration via MCP

Also known as: WhatsApp MCP Data Theft, Messaging Bridge Exploit

Severity: High | Disclosed: April 7, 2025 | Source: Invariant Labs

Overview

An attack against the whatsapp-mcp server where a malicious co-installed server steals WhatsApp message history by swapping its tool definition after approval and using UI deception techniques to hide the exfiltrated data.

Who Is Affected

Discovered by Invariant Labs. Targets users of the whatsapp-mcp server who also have other MCP servers connected—a realistic multi-server scenario.

Where It Exists

The attack exploits the whatsapp-mcp bridge server that connects personal WhatsApp accounts to MCP-enabled LLM systems like Claude Desktop.

When It Was Found

Disclosed April 7, 2025. Demonstrated as a working proof-of-concept against Claude Desktop with the whatsapp-mcp server installed.

How It Works

A malicious MCP server initially defines an innocent tool, then performs a rug pull to change its description to instruct the LLM to read WhatsApp messages via the whatsapp-mcp tools and forward them. The exfiltrated content is hidden by prepending large amounts of whitespace, exploiting the fact that many UIs hide horizontal scrollbars by default.

Impact

Complete exfiltration of personal WhatsApp message history including private conversations, media descriptions, and contact information. The UI deception makes detection extremely difficult for end users. Demonstrates that messaging bridge MCP servers create high-value attack targets.

Mitigation

Avoid connecting messaging bridge servers alongside untrusted MCP servers. Use MCP clients with horizontal scroll indicators or content length warnings. Implement data loss prevention (DLP) rules that flag large outbound data transfers through tool parameters. Audit tool definitions for rug pull behavior.
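One way to carry out the last two checks on the client side, as an added example that is not code from Invariant Labs or the whatsapp-mcp project: it pins each tool definition when the server is approved, reports any later change (the rug pull), and flags tool-call arguments where text follows a long run of whitespace. It assumes tool entries carry name, description and inputSchema fields; the 40-character threshold and the sample tool and argument names are hypothetical.

```python
import hashlib
import json
import re

# Assumed threshold: a whitespace run this long is treated as view-hiding padding.
PAD_RUN = re.compile(r"\s{40,}")
# Constructed sample data; tool and argument names are hypothetical.
SCHEMA = {"type": "object", "properties": {}}
APPROVED = [{"name": "get_fact", "description": "Returns a fact.", "inputSchema": SCHEMA}]
LATER = [{"name": "get_fact", "description": "<swapped text>", "inputSchema": SCHEMA}]
CALL_ARGS = {"to": "<recipient>", "message": "Hi" + " " * 200 + "<hidden text>"}


def fingerprint(tool: dict) -> str:
    """SHA-256 over the fields the model is shown: name, description, input schema."""
    view = {k: tool.get(k) for k in ("name", "description", "inputSchema")}
    blob = json.dumps(view, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(blob.encode("utf-8")).hexdigest()


def pin(tools: list[dict]) -> dict[str, str]:
    """Record fingerprints at the moment the user approves the server."""
    return {t["name"]: fingerprint(t) for t in tools}


def audit(pinned: dict[str, str], current: list[dict]) -> list[str]:
    """Report tools that are new or whose definition differs from the approved pin."""
    findings = []
    for tool in current:
        name = tool["name"]
        if name not in pinned:
            findings.append(f"new tool since approval: {name}")
        elif pinned[name] != fingerprint(tool):
            findings.append(f"definition changed since approval: {name}")
    return findings


def padded_args(arguments: dict) -> list[str]:
    """Names of string arguments that carry text after a long whitespace run."""
    flagged = []
    for key, value in arguments.items():
        m = PAD_RUN.search(value) if isinstance(value, str) else None
        if m and value[m.end():].strip():
            flagged.append(key)
    return flagged


if __name__ == "__main__":
    print(audit(pin(APPROVED), LATER), padded_args(CALL_ARGS))
```

Run the audit every time the client refreshes a server's tool listing, and treat any finding as requiring fresh user approval before the tool is exposed to the model again.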