Security firm Token Security discovered five chained vulnerabilities in Zapier that, together, could have let an attacker take over millions of user accounts — starting with nothing more than a free account.
The attack path ran from a code-writing feature through discarded credentials, into an internal storage system holding over 1,100 private software images. One image contained a publishing key for code running inside every logged-in user's browser — meaning a bad actor could have quietly hijacked automations across Zapier's 8,000+ integrations.
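The chain above turns on two things a defender can check for directly: credentials left behind in image layers, and a publish key that should never have been inside an image at all. The script below is an added example, not code from Token Security, Zapier or CyberScoop. It assumes the "software images" are docker-save style tarballs (an outer tar holding one tar per layer), walks every layer rather than the merged filesystem so that a secret a later layer "deleted" is still found, and flags lines matching common credential shapes or long high-entropy tokens. The sample image, the `.npmrc` publish token and the registry hostname are all constructed for the example.

```python
import io
import math
import re
import tarfile

# Credential-shaped line patterns. The names are generic; none are values
# from the Zapier report.
SECRET_PATTERNS = [
    re.compile(r"_authToken\s*=\s*(\S+)"),  # .npmrc publish tokens
    re.compile(r"(?i)(api[_-]?key|secret|token|password)\s*[=:]\s*['\"]?([A-Za-z0-9_\-]{16,})"),
    re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
]
ENTROPY_THRESHOLD = 4.0  # bits per character; catches random 32+ char tokens


def shannon_entropy(s: str) -> float:
    """Bits per character of s; random base64/hex tokens score well above prose."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_blob(path: str, data: bytes):
    """Return (path, line_no, reason) for each credential-looking line in a text file."""
    findings = []
    try:
        text = data.decode("utf-8")
    except UnicodeDecodeError:
        return findings  # binary blobs are skipped in this example
    for lineno, line in enumerate(text.splitlines(), 1):
        for pat in SECRET_PATTERNS:
            if pat.search(line):
                findings.append((path, lineno, "pattern"))
                break
        else:
            # No known shape matched: look for long unbroken high-entropy runs.
            for tok in re.findall(r"[A-Za-z0-9+/=_\-]{32,}", line):
                if shannon_entropy(tok) >= ENTROPY_THRESHOLD:
                    findings.append((path, lineno, "high-entropy"))
                    break
    return findings


def scan_image_tar(image_bytes: bytes):
    """Scan every regular file in every layer of a docker-save style tarball.

    Layers are scanned individually, so a credential written in one layer and
    removed by a whiteout in a later layer is still reported.
    """
    findings = []
    with tarfile.open(fileobj=io.BytesIO(image_bytes)) as outer:
        for member in outer.getmembers():
            if not member.isfile() or not member.name.endswith(".tar"):
                continue
            layer_bytes = outer.extractfile(member).read()
            with tarfile.open(fileobj=io.BytesIO(layer_bytes)) as layer:
                for f in layer.getmembers():
                    if not f.isfile():
                        continue
                    data = layer.extractfile(f).read()
                    findings.extend(scan_blob(f"{member.name}:{f.name}", data))
    return findings


def _make_tar(files: dict) -> bytes:
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as t:
        for name, content in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(content)
            t.addfile(info, io.BytesIO(content))
    return buf.getvalue()


def build_sample_image() -> bytes:
    """Constructed two-layer image: layer 1 writes an .npmrc holding a fake publish
    token, layer 2 removes it with an OCI whiteout. The merged filesystem looks
    clean, but the token is still sitting in layer 1."""
    layer1 = _make_tar({
        "root/.npmrc": b"//registry.example.invalid/:_authToken=npm_EXAMPLEtokenAAAAAAAAAAAAAAAAAAAAAAAAAAAA\n",
        "app/README.md": b"Build notes, nothing sensitive here.\n",
    })
    layer2 = _make_tar({"root/.wh..npmrc": b""})  # whiteout marker for root/.npmrc
    return _make_tar({"layer1/layer.tar": layer1, "layer2/layer.tar": layer2})


if __name__ == "__main__":
    for path, lineno, reason in scan_image_tar(build_sample_image()):
        print(f"{reason:12} {path}:{lineno}")
```

Run against a real `docker save` archive, the same walk applies unchanged; the point of scanning per layer rather than the extracted root filesystem is exactly the "discarded credentials" case, where a build step deletes a file after using it and the bytes remain in the pushed image.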
Researchers reported the flaws in February. Zapier triaged within four days, patched within three weeks, and paid the $3,000 maximum bounty. No exploitation was detected.
Source: CyberScoop