Researchers from Token Security chained five flaws in Zapier to show how a free account could have been turned into access to millions of user accounts and the services they connect. Zapier patched the issues after disclosure, but the case highlights how a compromise of the platform could enable broad supply-chain abuse through legitimate automations. #Zapier #TokenSecurity
Key points
- Token Security chained five vulnerabilities in Zapier.
- A free Zapier account was the only prerequisite for the attack path.
- The flaws could have exposed millions of user accounts and connected services.
- Researchers recovered credentials and found a key for code running in user browsers.
- Zapier patched the issues, paid a $3,000 bounty, and found no evidence of exploitation.
Read More: https://cyberscoop.com/zapier-bug-chain-account-takeover-patched/