With Complex Cloud Integrations, Small Errors Lead to Major Compromises
Dark ReadingArchived May 29, 2026✓ Full text saved
Researchers discover an exploit chain combining over-permissioned roles, secrets discovery, and non-human identities that could have compromised a popular automation service.
Full text archived locally
✦ AI Summary· Claude Sonnet
VULNERABILITIES & THREATS
СLOUD SECURITY
CYBER RISK
CYBERSECURITY OPERATIONS
NEWS
With Complex Cloud Integrations, Small Errors Lead to Major Compromises
Researchers discover an exploit chain combining over-permissioned roles, secrets discovery, and non-human identities that could have compromised a popular automation service.
Robert Lemos,Contributing Writer
May 29, 2026
5 Min Read
SOURCE: T.N. SURSOCK VIA SHUTTERSTOCK
Low-code cloud services that allow users to create and run their own sandboxed code could be compromised by multistep exploit chains, leading to a complete platform takeover, if software-as-a-service (SaaS) providers haven't properly sandboxed their environments, managed the roles and permissions of non-human identities, and inadvertently exposed secrets in code artifacts.
Such a compromise almost happened to low-code automation service Zapier. Using a handful of steps that exploited the company's platform, researchers with agentic-identity security firm Token Security discovered they could reconnoiter Zapier's sandboxed environment, discover credentials, and move laterally to pull the company's private repositories, and potentially could have published malicious code, researchers stated in an analysis published May 28.
Token Security researchers could have pushed malicious code to Zapier's repositories and to any users authenticated to the system, says Yair Balilti, research team lead for Token Security.
Related:Microsoft Issues Out-of-Band SharePoint Patch
"If you have a user in Zapier, I can take your cookie, send it to an attacker website," he says. "I can use the same cookie and use all the tools that you are using in Zapier. For example, if you have some automation to send email to get to [another service], I can use the same primitive."
The ability to jump between cloud components using credentials, development secrets, and non-human identities has become a major source of vulnerability in enterprise cloud usage. Between the disaggregation of software into various cloud services and the accelerating push for agentic AI swarms, SaaS infrastructure is growing more complex and harder to secure. Cybersecurity researchers have already noted that most companies — 56%, in fact — do not have a process in place to track SaaS-to-SaaS connections and integrations. Last year, the threat actor UNC6395, for example, stole data from company's Salesforce instances by abusing OAuth tokens associated with a third-party sales automation app, Salesloft Drift.
"note — this isn't a security thing"
Token Security's five-step attack chain used to nearly compromise the automation service started with ability to write code in a code block. Zapier and other automation service providers allow users to write their own code to accomplish custom tasks or allow an AI agent to write the code for them. Code by Zapier, for example, allows customer scripts and data manipulation code to be written in Python and JavaScript.
"It is advertised as a place where users run their own logic," Token Security's Balilti stated in his online analysis. "So we ran our own logic."
Related:Microsoft Exchange Zero-Day Under Attack, No Patch Available
Using their own code, the researchers were able to query the sandbox OS to discover it was running on AWS Lambda, and while there were no obviously leaked credentials, the ability to read a task file showed an overly permissive role — incorrectly named "allow_nothing_role" — and the failure to securely delete credentials.
In the file's comments, a developer wrote:
# note - this isn't a security thing since we pass a allow\_nothing role - just avoids
# responding to dozens of annoying false positive security reports
As their second step, the researchers created a Python script to extract secrets from the memory, which was aided by the fact that AWS Lambda does not proactively delete the tokens and other secrets until the container is recycled. Using the role, the researchers discovered that they could list and request 1,111 files from Zapier's private repository during the third stage of their attack. Among those files, they found one that exposed an NPM token for publishing that could be used for every package.
The Five Stages of Cloud Compromise include escaping the sandbox, finding credentials and over-permissioned roles, and then moving laterally. Source: Token Security
While the researchers described their last two steps, they did not execute them. A post-install script would have allowed them to run arbitrary code by adding it to a legitimate Zapier package, and the fifth stage would allowed them to distribute the code to every authenticated Zapier user's browser.
Related:Can Laws Stop Deepfakes? South Korea Aims to Find Out
"An attacker would have been able to act as the user inside Zapier: create Zaps, create Tables, create MCP servers, modify existing automations, and use the user's existing connections to third-party services through Zapier's platform," Balilti wrote in the analysis. "Those connections execute server-side. The attacker can drive them by riding the user's session and asking Zapier to do things."
Too Many Permissions, Too Little Security
Token Security notified Zapier in February under responsible-disclosure guidelines, which fixed the issue in less than a week. Token Security later confirmed that the remediation works and intends to present the research June 1 at fwd:cloudsec North America.
Companies need to pay more attention to their automation platforms and the data to which they have access, then focus on limiting roles as much as possible, Balilti says.
"When you are using some automation platform, you are connected to all your integrations — like Salesforce, Gmail, and Google Drive — and maybe when you do that, [make sure you] do that with the least-privileged scope that you can," he says. "Then, if sometime your user is exposed, it will just be read-only or [limited to] specific resources."
The permission problem is significant. In March, for example, Salesforce warned customers that their guest accounts tended to have lax permissions, allowing cybercriminals to conduct social-engineering attacks and steal data.
More than likely, attackers are already pen-testing companies' SaaS deployments, says Balilti.
"There are many automation workflow platforms in the world and most of them also have [a feature similar to] a code block," he says. "And maybe some attackers will try the same approach."
About the Author
Robert Lemos
Contributing Writer
Rob is an award-winning, veteran technology journalist of more than 30 years, reporting on global cybersecurity issues, the latest offensive and defensive technologies, malware incidents, cyber conflict, and AI's impact on software and cybersecurity.
A former research engineer, Rob has written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. He has received five awards for journalism, including Best Deadline Journalism (Online) in 2003 for his coverage of the Blaster worm. Rob also analyzes data on various trends using Python and R for both his reporting and his clients. Recent reports include analyses of the shortage in cybersecurity workers, annual vulnerability trends, and annual threat reports.
Rob holds degrees from Cornell University in Electrical Engineering and Computer Science (double major).
Want more Dark Reading stories in your Google search results?
ADD US NOW
More Insights
Industry Reports
How Organizations Are Managing Incident Response
How Enterprises Are Developing Secure Applications
Inside RSAC 2026: security leaders reveal the risks redefining your defense strategy
Essential News & Insights from Black Hat USA 2025
How Enterprises Are Harnessing Emerging Technologies in Cybersecurity
Access More Research
Webinars
The Frontier AI Era: Why Cybersecurity Must Move at Machine Speed
Build vs. Buy: The Hidden Cost of Building Your Own AI Security Stack
Defending in the Shadow Era: When the CVE Feed Goes Dark
Building SecOps That Make the Most of Every Dollar
AI-Powered Credential Security: Intelligence Without Exposure
More Webinars
You May Also Like
VULNERABILITIES & THREATS
Cheap Hardware Module Bypasses AMD, Intel Memory Encryption
by Rob Wright
NOV 25, 2025
VULNERABILITIES & THREATS
Patch Now: Microsoft Flags Zero-Day & Critical Zero-Click Bugs
by Jai Vijayan, Contributing Writer
NOV 11, 2025
VULNERABILITIES & THREATS
Microsoft Issues Emergency Patch for Critical Windows Server Bug
by Rob Wright
OCT 24, 2025
VULNERABILITIES & THREATS
350M Cars, 1B Devices Exposed to 1-Click Bluetooth RCE
by Nate Nelson, Contributing Writer
JUL 11, 2025
Editor's Choice
CYBERSECURITY OPERATIONS
20 Leaders Who Built the CISO Era: 2 Decades of Change
byDark Reading Editorial Team
MAY 12, 2026
41 MIN READ
APPLICATION SECURITY
It's Patch Tuesday for Microsoft & Not a Zero-Day In Sight
byJai Vijayan
MAY 12, 2026
5 MIN READ
CYBERATTACKS & DATA BREACHES
Instructure Breach Exposes Schools' Vendor Dependence
byAlexander Culafi
MAY 6, 2026
4 MIN READ
Want more Dark Reading stories in your Google search results?
Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.
SUBSCRIBE
Webinars
The Frontier AI Era: Why Cybersecurity Must Move at Machine Speed
TUESDAY, JUNE 23, 2026 1:00 PM EDT
Build vs. Buy: The Hidden Cost of Building Your Own AI Security Stack
THURS, JUNE 25, 2026, AT 1PM EST
Defending in the Shadow Era: When the CVE Feed Goes Dark
TUES, JUNE 16, 2026 AT 1PM EST
Building SecOps That Make the Most of Every Dollar
THURS, JULY 9, 2026 AT 1PM EST
AI-Powered Credential Security: Intelligence Without Exposure
WED, JUNE 17, 2026, AT 1PM EST
More Webinars
BLACK HAT USA | MANDALAY BAY, LAS VEGAS
The premier cybersecurity event of the year returns to Mandalay Bay with a re‑engineered, six‑day program built to ignite innovation, push boundaries, and bring the global security community together like never before. Use code: DARKREADING to save $200 on a Briefings pass or $100 on a Business pass.
GET YOUR PASS