Zapier fixes bug chain that researchers say risked widespread account takeover

https://cyberscoop.com/zapier-bug-chain-account-takeover-patched/

Publish Date: 2026-05-28 09:10:00

Source Domain: cyberscoop.com

Security researchers chained together five separate weaknesses in the popular workflow automation service Zapier that, if first discovered by a malicious actor, could have granted access to millions of user accounts and the systems those accounts connect to.

The flaws, disclosed by security firm Token Security, did not require malware or insider access. The only prerequisite, according to the company’s report, was a free Zapier account. From there, researchers chained together weaknesses that, if taken individually, would have looked routine, but together opened a path to one of the most widely used services of the modern internet.

Zapier’s software can be configured to move data between email, customer-relationship tools, payment processors, calendars, code repositories and thousands of other applications. The company says it supports more than 8,000 third-party integrations and has millions of users, which means breaking into Zapier could escalate into a wide-ranging supply-chain attack.

The researchers said an attempted attack would start by exploiting a weakness in how users write small pieces of code as part of their automations. Once that feature was isolated, researchers recovered login credentials the service had tried to discard. Those credentials, in turn, exposed an internal storage system holding more than 1,100 of Zapier’s private software images, one of which contained a publishing key for a piece of code that runs inside every logged-in Zapier user’s browser.

According to the report, if an attacker updated that code, they could have acted as a legitimate user inside the platform, creating new automations, altering existing ones, and tapping into connections the user had already approved to outside services. From there, they could instruct the platform to send emails, move files, pull records from customer databases, or post messages, all from accounts that appeared entirely legitimate.

The researchers stressed that…