Sep 24, 2022·1 min read

Critical Vulnerability in Code by Zapier Exposed: Zenity Uncovers #ZAPESCAPE

Zenity, a leading security governance provider for no-code/low-code development, revealed a critical vulnerability in Code by Zapier. The #ZAPESCAPE flaw could have allowed users to manipulate and steal sensitive data by gaining control over an entire organization's environment. Zapier has since fully mitigated the issue.

Zenity, a frontrunner in security governance for no-code and low-code development, publicized a critical sandbox-escape vulnerability they discovered in Code by Zapier. The flaw, dubbed #ZAPESCAPE, could have given attackers full control over an organization's execution environment, potentially granting them access to manipulate results and steal sensitive information.

The security research team at Zenity found the vulnerability in mid-March 2022 in Code by Zapier, the Zapier service that runs user-supplied custom code as a step in a Zap. Exploiting #ZAPESCAPE could let a user seize control over an admin's custom code execution environment. Because the exploit could be launched from a user's private folder, which admins cannot see, it would have gone undetected.

Michael Bargury, Zenity's Co-Founder and CTO, said, "The vulnerability discovered by our team allowed any Zapier user to take full control over their entire organization's environment. A user could read and even manipulate the admin's zaps, and the admin would have no way of knowing about it."

Zapier's security team was forthcoming and prompt in addressing the issue, and the disclosure was coordinated with them; Zenity confirms that the vulnerability has now been fully mitigated. However, accounts that used Code by Zapier before August 17, 2022, could have been exploited.

Bargury adds that although Zapier is a secure platform, no platform is immune to vulnerabilities. When creating a Zap, users must take responsibility for securing what they build on top of the platform: no-code development is still development, and it is subject to the same shared responsibility model.

As the first and only security governance platform for no-code/low-code applications, integrations, and automation, Zenity provides an essential service. With the rise of no-code/low-code platforms such as AppMaster, both professional and citizen developers can create customized software solutions without extensive coding knowledge. However, this convenience comes with potential security risks if not adequately governed and managed.

Zenity enables IT and security professionals to have comprehensive visibility and control over their no-code/low-code estates. This allows them to eliminate potential vulnerabilities and adopt a more secure approach to development. The platform offers features such as cross-platform inventory, continuous risk assessment, automated remediation actions, and governance playbooks to enforce security policies throughout the entire no-code/low-code lifecycle.

Founded by former Microsoft cybersecurity leaders and experts, Ben Kliger and Michael Bargury, Zenity is a leader in security governance for IT decentralization. The company works with large enterprises, including Fortune 500 corporations, and leads the OWASP Top 10 Low-Code/No-Code Security Risks group.
