TMCnet News

Zenity Discloses #ZAPESCAPE - a Severe Vulnerability Enabling Organization-Wide Control Over Code by Zapier
[September 22, 2022]

Zenity Discloses #ZAPESCAPE - a Severe Vulnerability Enabling Organization-Wide Control Over Code by Zapier

TEL-AVIV, Israel, Sept. 22, 2022 /PRNewswire/ -- Zenity, the leader in security governance for No-Code/Low-Code development disclosed a severe vulnerability in Code by Zapier.


The Zenity research team disclosed that they discovered a sandbox-escape vulnerability in Code by Zapier in the middle of March 2022. Code by Zapier is a service that is used by Zapier to execute custom code as part of a Zap. Exploiting this vulnerability, any user could take full control over the execution environment of their entire account allowing them to manipulate results and steal sensitive data. For example, a Zapier user could take control over the admin's custom code execution environment. Furthermore, the exploit could be performed via the user's private folder, which admins cannot monitor, thus avoiding detection.

"The vulnerability discovered by our team allowed any Zapier user to take full control over their entire organization's environment. A user could read and even manipulate the admin's zaps and the admin would have no way of knowing about it," said Michael Bargury, Zenity's CTO and Co-Founder.

The Zapier security team has been candid and responsive, and the issue is now fully mitigated, and this disclosure has been coordinated with the Zapier team.

Zenity can confirm that the vulnerability has been fully mitigated by Zapier. Accounts of customers using Code by Zapier before 8/17/2022 could have been exploited.

"Zapier is a secure platform in and of itself. Unfortunately, no platform is 100% secure and security vulnerabilities are commonplace even with the world's largest organizations," Bargury adds and expands: "Security of the Zapier platform itself is also only one part of the story. It is more important to secure what YOU build on top of Zapier. When you create a Zap, you could create a vulnerability that exposes your organization to risks. No-Code development is still development, and you must own your part of the shared responsibility model."

For more information, please go to:

About Zenity

Zenity is the first and only security governance platform for No-Code/Low-Code applications, automations and integrations.

No-Code/Low-Code platforms are sweeping the world, allowing pro and citizen developers to create what they need, when they need it and on their own, but without any security governance and tooling.

Zenity empowers IT and Security professionals to gain complete visibility and control over their No-Code/Low-Code estate, enabling them to unblock No-Code/Low-Code development and: (1) Gain visibility and discover No-Code/Low-Code shadow-IT with a cross-platform inventory; (2) Get continuous risk assessment to pinpoint vulnerabilities and insecure components; (3) Mitigate risk with automated remediation actions; (4) Govern the No-Code/Low-Code lifecycle and enforce security policies with playbooks.

Zenity was established by Ben Kliger and Michael Bargury, ex-Microsoft cyber security leaders and experts, after experiencing security and no-code/low-code challenges while working in the security division.

Zenity is the leader of security governance for this new wave of IT decentralization, and is working with large enterprises, among them Fortune 500 companies. More information could be found at Zenity's low-code security blog as well asthe OWASP Top 10 Low-Code/No-Code Security Risks group that Zenity leads. and follow us on LinkedIn and Twitter.

For further information, contact [email protected]


Cision View original content:

[ Back To's Homepage ]