Full Report
Work management platform Asana is warning users of its new Model Context Protocol (MCP) feature that a flaw in its implementation potentially led to data exposure from their instances to other users and vice versa. [...]
Analysis Summary
# Incident Report: Asana MCP AI Feature Cross-Organization Data Exposure
## Executive Summary
Asana experienced a security incident in which its Model Context Protocol (MCP) AI feature incorrectly exposed customer data across different organizational tenants. The flaw allowed data summaries generated for one organization to inadvertently include details from another, potentially leading to significant privacy and regulatory concerns for affected customers. Asana acknowledged the issue, took the faulty server offline temporarily, and notified approximately 1,000 impacted customers.
## Incident Details
- Discovery Date: June 4 (the date UpGuard noted the exposure, leading to disclosure)
- Incident Date: Began approximately one month prior to discovery on June 4.
- Affected Organization: Asana
- Sector: Software as a Service (SaaS) / Productivity Software
- Geography: Global (Impacts customers using the MCP AI feature)
## Timeline of Events
### Initial Access
- Date/Time: Approximately one month prior to June 4, 2024.
- Vector: Flaw within the Model Context Protocol (MCP) AI feature implementation.
- Details: The AI feature was erroneously referencing data from one customer tenant when processing requests for another.
### Lateral Movement
- **Not Applicable:** This incident was rooted in a systemic logic/configuration flaw within an application feature, not a traditional network breach involving lateral movement by an attacker.
### Data Exfiltration/Impact
- Sensitive customer data from one organization was exposed to users in other organizations via AI-generated summaries or answers.
### Detection & Response
- **Detection:** The vulnerability was identified by UpGuard, who subsequently informed BleepingComputer and Asana.
- **Response Actions:** Asana took the affected MCP server offline. They sent communication forms to impacted organizations. The status page indicated a return to normal operational status on June 17, 17:00 UTC.
## Attack Methodology
Since this was an application-level logic flaw rather than a malicious external attack, traditional MITRE ATT&CK categories are largely inapplicable.
- Initial Access: Vulnerable Application Logic (MCP AI Feature)
- Persistence: Not applicable
- Privilege Escalation: Not applicable
- Defense Evasion: Not applicable
- Credential Access: Not applicable
- Discovery: Not applicable (System was querying its own data structure incorrectly)
- Lateral Movement: Not applicable
- Collection: Inadvertent data pulling by the AI service across tenants.
- Exfiltration: Unauthorized cross-tenant data viewing/disclosure.
- Impact: Data exposure and privacy breach.
## Impact Assessment
- Financial: Not disclosed, but involved remediation costs.
- Data Breach: Customer data exposed to other unrelated organizations. Confirmed impact on roughly 1,000 customers.
- Operational: Temporary service disruption related to the faulty MCP server being taken offline.
- Reputational: Damage to customer trust due to the exposure of proprietary data via an AI feature.
## Indicators of Compromise
- **Network Indicators:** None explicitly mentioned related to malicious external activity.
- **File Indicators:** None mentioned.
- **Behavioral Indicators:** Unauthorized cross-tenant data referencing within the MCP AI service logs. Admins should look for AI summaries containing unfamiliar external data.
## Response Actions
- **Containment measures:** The MCP server responsible for the exposure was taken offline immediately.
- **Eradication steps:** (Implied) Debugging and patching the faulty logic within the AI feature before bringing the service back online.
- **Recovery actions:** Service restored on June 17, 17:00 UTC, after remediation.
## Lessons Learned
- **Key Takeaways:** Application-level vulnerabilities, especially in new features like integrated AI/LLMs, pose significant risks for data segmentation and tenancy segregation. The duration of the exposure (over a month) highlights a gap in proactive monitoring for cross-tenant data leakage.
- **What could have been done better:** Faster detection mechanisms to identify data leakage originating from the AI feature. Implementing stronger tenancy isolation checks before feature deployment.
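
The two points above (detecting cross-tenant leakage and checking tenancy isolation before results reach the AI feature) can be sketched as follows. This is an added example, not Asana's code: the JSON log schema, the field names `caller_tenant` and `tenant`, and both function names are assumptions made for illustration.

```python
import json

# Constructed sample audit records (hypothetical schema, not Asana's log format):
# each line records the tenant that made the request and the owning tenant
# of every object the AI service read while answering it.
SAMPLE_LOG = """\
{"request_id": "r1", "caller_tenant": "org-a", "objects": [{"id": "t1", "tenant": "org-a"}]}
{"request_id": "r2", "caller_tenant": "org-b", "objects": [{"id": "t2", "tenant": "org-b"}, {"id": "t9", "tenant": "org-a"}]}
{"request_id": "r3", "caller_tenant": "org-a", "objects": [{"id": "t4"}]}
"""

def find_cross_tenant_reads(log_text):
    """Detection: return (request_id, object_id, reason) for every object whose
    owning tenant differs from the caller's, or is missing (treated as suspect)."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        caller = rec["caller_tenant"]
        for obj in rec.get("objects", []):
            owner = obj.get("tenant")
            if owner is None:
                findings.append((rec["request_id"], obj["id"], "untagged"))
            elif owner != caller:
                findings.append((rec["request_id"], obj["id"], "foreign:" + owner))
    return findings

def enforce_tenant(caller_tenant, objects):
    """Prevention: fail-closed filter applied to results before they reach the
    model context. Only objects explicitly tagged with the caller's tenant pass."""
    allowed, blocked = [], []
    for obj in objects:
        (allowed if obj.get("tenant") == caller_tenant else blocked).append(obj)
    return allowed, blocked

if __name__ == "__main__":
    for finding in find_cross_tenant_reads(SAMPLE_LOG):
        print(finding)
```

Treating untagged objects as blocked keeps the filter fail-closed: a record with no tenant label is never assumed to belong to the caller.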
## Recommendations
- Review detailed Asana logs specifically concerning MCP AI access and scrutinize all generated AI summaries or answers for data originating from other organizations.
- Immediately limit LLM/AI integration access to a restricted level until trust is re-established.
- Pause auto-reconnections and bot pipelines associated with the AI service until residual exposure risks are confirmed to be zero.