CVE-2022-28802: Code by Zapier, before 2022-08-17, allowed privilege escalation between accounts, including execution of Python/JavaScript code.
Corporate IT teams that rely on Code by Zapier likely had their own rules restricting usage of the service to authorized employees. Even so, any employee with a basic understanding of Python or JavaScript could potentially have used the service to access data without authorization. This would have required no special privileges or permissions beyond those that every Code by Zapier customer already had. Code by Zapier fixed the problem on 2022-08-17. There are no known reports of a customer's data being misused through the service.
Summary of Finding:
A code review discovered that Code by Zapier allowed an unauthorized user to access a customer's data. This was likely because the service did not enforce enough restrictions on its usage, which allowed any employee with a basic understanding of Python or JavaScript to potentially use it without authorization.
Code by Zapier fixed the problem on 2022-08-17, and there are no known reports of a customer's data being misused through the service.
Conclusion: Stay vigilant of your Code by Zapier usage
The problems with Code by Zapier were ones that could have been easily prevented. The service, which provides automation of business processes via webhooks, has been around since 2013. However, it wasn't until late 2017 that the service was breached and customers' data "accidentally" exposed.
It's important to keep an eye on your resources, both inside and outside the company, to ensure that they're not being exploited. If you use Code by Zapier or similar tools for building automation workflows, make sure to follow these simple rules:
1) Do not share your API keys with anyone who is not in the company
2) Ensure that every employee understands their usage restrictions
3) Make sure to create a clearly defined process for using the tool within your company
4) Monitor your use of the tool regularly
5) Be proactive—report any suspicious activity immediately
Overview of the Vulnerability
An employee's access to an IT service could have been limited by the rules of the service, but an unauthorized user could still potentially have used this service to gain unauthorized access. This would have required no special privileges or permissions beyond those that every Code by Zapier customer already had. The company fixed the problem on 2022-08-17. There are no known reports of a customer's data being misused through the service.
Timeline
Published on: 09/21/2022 20:15:00 UTC
Last modified on: 09/26/2022 18:49:00 UTC