Vulnerability Management

Zapier security flaws could have exposed millions of user accounts

(Adobe Stock)

As reported by CyberScoop, security researchers discovered a chain of five vulnerabilities in the popular workflow automation service Zapier that, if exploited by a malicious actor, could have granted access to millions of user accounts and connected systems.

The flaws, disclosed by Token Security, did not require malware or insider access, only a free Zapier account. Researchers chained together weaknesses to gain access to internal storage containing over 1,100 private software images. One image held a publishing key for code that runs in every logged-in Zapier user's browser. An attacker could have updated this code to act as a legitimate user, creating or altering automations and accessing connected services. This could lead to actions like sending emails, moving files, or pulling database records, all appearing legitimate. While attackers couldn't obtain passwords for connected services, the actions would originate from the user's account.

Researchers also found a working key tied to an AI company's CTO, allowing them to send an email from the executive's Gmail. Zapier triaged the issues within four days and remediated within three weeks, paying the maximum $3,000 bounty. The company stated there is no evidence the weaknesses were exploited before being patched. Automation platforms and AI tools are increasingly granted authority across multiple services, making such vulnerabilities a significant supply-chain risk. Token Security noted similar mistakes are likely present at other companies.

Source: CyberScoop

Related Events

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy.

You can skip this ad in 5 seconds