Zenity, the leader in security governance for No-Code/Low-Code development, has disclosed a severe vulnerability in Code by Zapier.
The Zenity research team discovered a sandbox-escape vulnerability in Code by Zapier in mid-March 2022. Code by Zapier is the built-in Zapier app that runs user-supplied custom code as a step in a Zap. By exploiting this vulnerability, any user could take full control over the custom-code execution environment of the entire Zapier account they belong to, allowing them to manipulate the results of other users' Zaps and steal sensitive data. For example, a regular Zapier user could take control over the admin's custom code execution environment. Furthermore, the exploit could be carried out from the user's private folder, which admins cannot monitor, thus avoiding detection.
“The vulnerability discovered by our team allowed any Zapier user to take full control over their entire organization’s environment. A user could read and even manipulate the admin’s Zaps and the admin would have no way of knowing about it,” said Michael Bargury, Zenity’s CTO and Co-Founder.
The Zapier security team has been candid and responsive throughout the process; the issue is now fully mitigated, and this disclosure was coordinated with the Zapier team.
Zenity can confirm that the vulnerability has been fully mitigated by Zapier. Accounts that used Code by Zapier before 8/17/2022 could have been exploited.
“Zapier is a secure platform in and of itself. Unfortunately, no platform is 100% secure and security vulnerabilities are commonplace even with the world’s largest organizations,” Bargury adds and expands: “Security of the Zapier platform itself is also only one part of the story. It is more important to secure what YOU build on top of Zapier. When you create a Zap, you could create a vulnerability that exposes your organization to risks. No-Code development is still development, and you must own your part of the shared responsibility model.”