Security researchers have identified a chain of five vulnerabilities in the popular workflow automation service Zapier. These weaknesses, if exploited by a malicious actor, could have potentially granted unauthorized access to millions of user accounts and the connected systems they control. The discovery highlights the complex security challenges inherent in widely used online services.
The critical flaws were disclosed by the cybersecurity firm Token Security. According to their report, the exploitation did not require any advanced malware or insider privileges; merely a free Zapier account was sufficient. Researchers successfully linked together individual vulnerabilities that, in isolation, might have seemed minor, but collectively created a significant security pathway into Zapier’s platform.
Zapier Vulnerabilities Expose User Data and Connected Systems
Zapier is a widely adopted service that facilitates data transfer and task automation across thousands of applications, including email, customer relationship management (CRM) tools, payment processors, and code repositories. With a user base numbering in the millions and support for over 8,000 third-party integrations, a successful breach of Zapier could trigger a broad supply-chain attack, impacting numerous businesses and individuals.
The attack chain, as detailed by the researchers, began with an exploit targeting how users implement custom code snippets within their automations. This initial step allowed access to discarded credentials that the service had intended to delete. These recovered credentials then provided entry to an internal storage system containing over 1,100 private software images belonging to Zapier.
Exploiting Code and Access Controls
One of these private software images contained a publishing key for a piece of code executing within the browser of every logged-in Zapier user. According to the report, an attacker could have injected malicious code through this key. This would have enabled them to act as an authorized user on the platform, allowing the creation of new automations, modification of existing ones, and access to services already approved by the compromised user.
Such actions could include sending emails, transferring files, extracting data from customer databases, or posting messages, all appearing to originate from legitimate user accounts. The researchers stressed that while the exploit would not grant access to the connected services’ direct login credentials, the actions performed through Zapier would be indistinguishable from genuine user activity to external systems.
Further demonstrating the potential impact, the research uncovered a separate, immediate risk. The team found a valid key linked to the personal Gmail account of the chief technology officer of an AI company that Zapier utilized internally. Using this key, the researchers were able to send an email from the executive’s own account to an address they controlled.
Token Security reportedly informed Zapier of these capabilities without exploiting them further. The researchers confirmed they had the means to deploy malicious updates to the code running in user browsers but instead reported their findings through Zapier’s bug-bounty program in February.
Zapier’s Response and Industry Implications
Zapier triaged the identified issues within four days and implemented remediations within three weeks, cooperating with Token Security on the disclosure process. The company awarded the maximum bounty of $3,000 through the program and stated that it has no evidence the vulnerabilities were exploited before being patched.
This incident occurs at a time when automation platforms and AI tools are increasingly empowered to act on behalf of users across multiple services. The researchers from Token Security suggest that the vulnerabilities they found are not unique to Zapier, indicating that similar patterns of errors might exist within other companies that have not yet conducted thorough security reviews.
Zapier has confirmed that all identified issues have been resolved and that no further user action is required. However, the researchers advise organizations with sensitive data to review their automation logs for any activity their users did not initiate and to consider reauthorizing Zapier connections to critical systems as a precautionary measure.
The full research report detailing these findings is available on Token Security’s website. The logical next step for organizations is to assess their own automation configurations and security practices in light of these findings.