{"id":8689,"date":"2026-05-28T08:00:00","date_gmt":"2026-05-28T13:00:00","guid":{"rendered":"https:\/\/cyberscoop.com\/?p=89192"},"modified":"2026-05-28T08:00:00","modified_gmt":"2026-05-28T13:00:00","slug":"zapier-fixes-bug-chain-that-researchers-say-risked-widespread-account-takeover","status":"publish","type":"post","link":"https:\/\/ddi.mohflo.net\/index.php\/2026\/05\/28\/zapier-fixes-bug-chain-that-researchers-say-risked-widespread-account-takeover\/","title":{"rendered":"Zapier fixes bug chain that researchers say risked widespread account takeover"},"content":{"rendered":"<p><head> <meta charset=\"UTF-8\"> <meta name=\"viewport\" content=\"width=device-width, initial-scale=1\"> <meta name=\"robots\" content=\"index, follow, max-image-preview:large, max-snippet:-1, max-video-preview:-1\"> <!-- This site is optimized with the Yoast SEO Premium plugin v24.5 (Yoast SEO v27.1.1) - https:\/\/yoast.com\/product\/yoast-seo-premium-wordpress\/ --> <title>Zapier fixes bug chain that researchers say risked widespread account takeover | CyberScoop<\/title> <meta name=\"description\" content=\"Zapier has fixed a critical five-bug vulnerability chain discovered by Token Security that risked widespread account takeovers and supply-chain access.\"> <link rel=\"canonical\" href=\"https:\/\/cyberscoop.com\/zapier-bug-chain-account-takeover-patched\/\"> <meta property=\"og:locale\" content=\"en_US\"> <meta property=\"og:type\" content=\"article\"> <meta property=\"og:title\" content=\"Zapier fixes bug chain that researchers say risked widespread account takeover\"> <meta property=\"og:description\" content=\"Zapier has fixed a critical five-bug vulnerability chain discovered by Token Security that risked widespread account takeovers and supply-chain access.\"> <meta property=\"og:url\" content=\"https:\/\/cyberscoop.com\/zapier-bug-chain-account-takeover-patched\/\"> <meta property=\"og:site_name\" content=\"CyberScoop\"> <meta property=\"article:publisher\" 
content=\"https:\/\/www.facebook.com\/cyberscoop\/\"> <meta property=\"article:published_time\" content=\"2026-05-28T13:00:00+00:00\"> <meta property=\"article:modified_time\" content=\"2026-05-28T13:07:40+00:00\"> <meta name=\"author\" content=\"Greg Otto\"> <meta name=\"twitter:card\" content=\"summary_large_image\"> <meta name=\"twitter:image\" content=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2026\/05\/zapier-fixes-bug-chain-that-researchers-say-risked-widespread-account-takeover-2.jpg\"> <meta name=\"twitter:creator\" content=\"@gregotto\"> <meta name=\"twitter:site\" content=\"@CyberScoopNews\"> <!-- \/ Yoast SEO Premium plugin. --> <link rel=\"dns-prefetch\" href=\"\/\/securepubads.g.doubleclick.net\">\n<link rel=\"dns-prefetch\" href=\"\/\/use.typekit.net\">\n<link rel=\"alternate\" type=\"application\/rss+xml\" title=\"CyberScoop \u00bb Feed\" href=\"https:\/\/cyberscoop.com\/feed\/\">\n<link rel=\"alternate\" type=\"application\/rss+xml\" title=\"CyberScoop \u00bb Comments Feed\" href=\"https:\/\/cyberscoop.com\/comments\/feed\/\"> <link rel=\"stylesheet\" id=\"all-css-2\" href=\"https:\/\/cyberscoop.com\/wp-includes\/css\/dist\/block-library\/style.min.css?m=1778775768g\" type=\"text\/css\" media=\"all\"> <link rel=\"stylesheet\" id=\"all-css-6\" href=\"https:\/\/cyberscoop.com\/wp-content\/mu-plugins\/search\/elasticpress\/dist\/css\/related-posts-block-styles.min.css?m=1779818961g\" type=\"text\/css\" media=\"all\"> <link rel=\"stylesheet\" id=\"all-css-8\" href=\"https:\/\/cyberscoop.com\/wp-content\/themes\/scoopnewsgroup\/dist\/css\/frontend.css?m=1775068334g\" type=\"text\/css\" media=\"all\">\n<link rel=\"stylesheet\" id=\"typekit-css\" href=\"https:\/\/use.typekit.net\/itk2qbh.css?ver=13897d660a0ac2c9c7d1\" media=\"all\"> <link rel=\"https:\/\/api.w.org\/\" href=\"https:\/\/cyberscoop.com\/wp-json\/\"><link rel=\"alternate\" title=\"JSON\" type=\"application\/json\" href=\"https:\/\/cyberscoop.com\/wp-json\/wp\/v2\/posts\/89192\"><meta 
name=\"generator\" content=\"WordPress 6.8.5\">\n<link rel=\"shortlink\" href=\"https:\/\/cyberscoop.com\/?p=89192\">\n<link rel=\"alternate\" title=\"oEmbed (JSON)\" type=\"application\/json+oembed\" href=\"https:\/\/cyberscoop.com\/wp-json\/oembed\/1.0\/embed?url=https%3A%2F%2Fcyberscoop.com%2Fzapier-bug-chain-account-takeover-patched%2F\">\n<link rel=\"alternate\" title=\"oEmbed (XML)\" type=\"text\/xml+oembed\" href=\"https:\/\/cyberscoop.com\/wp-json\/oembed\/1.0\/embed?url=https%3A%2F%2Fcyberscoop.com%2Fzapier-bug-chain-account-takeover-patched%2F&amp;format=xml\"> <!-- Google Tag Manager --> <!-- End Google Tag Manager --> <link rel=\"icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=32\" sizes=\"32x32\">\n<link rel=\"icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=192\" sizes=\"192x192\">\n<link rel=\"apple-touch-icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=180\">\n<meta name=\"msapplication-TileImage\" content=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=270\"> <\/head><body class=\"wp-singular post-template-default single single-post postid-89192 single-format-standard wp-theme-scoopnewsgroup wp-child-theme-cyberscoop\" id=\"readabilityBody\"> <a href=\"https:\/\/cyberscoop.com\/zapier-bug-chain-account-takeover-patched\/#main\" class=\"skip-to-content-link visually-hidden-focusable\">Skip to main content<\/a> <\/p>\n<div class=\"ad ad--top ad--top-desktop\">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p> <main id=\"main\" role=\"main\" tabindex=\"-1\"> <\/p>\n<div class=\"ad ad--top ad--top-mobile\">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<section id=\"stickybar\" class=\"stickybar stickybar--newsletter 
js-stickybar\" readability=\"0.82\"> <button class=\"stickybar__close js-stickybar-close\" aria-controls=\"stickybar\"> <svg class=\"icon icon--close\" width=\"21\" height=\"22\" viewBox=\"0 0 21 22\" fill=\"none\"><path d=\"m.822.518-.805.805L9.695 11 .017 20.678l.805.805 9.678-9.678 9.677 9.678.806-.805L11.305 11l9.678-9.677-.806-.805-9.677 9.677L.822.518Z\" fill=\"currentColor\" \/><\/svg> <span class=\"visually-hidden\">Close<\/span> <\/button> <\/section>\n<article class=\"single-article content\">\n<div class=\"single-article__container js-single-article-content\">\n<header class=\"single-article__header \" readability=\"26.530082987552\">\n<div class=\"single-article__header-content\" readability=\"36.508083140878\">\n<p> A five-step flaw chain in the popular automation service, now patched, could have let a single attacker act as any signed-in user across thousands of connected apps. <\/p>\n<p> <!-- Listen to this article section --> <!-- Audio Element --><br \/>\n<audio id=\"audio-player\" src=\"https:\/\/wp-tts-cdn.api.scpnewsgrp.com\/cyberscoop\/89192\/english.openai.mp3\"><\/audio> <\/p>\n<div readability=\"11\">\n<div>\n<p>Listen to this article<\/p>\n<p> <!-- Countdown Timer --> <\/p>\n<p>0:00<\/p>\n<\/p><\/div>\n<p> <!-- Tooltip --> <\/p>\n<p> <span id=\"tts-tooltip\">Learn more.<\/span> <span> This feature uses an automated voice, which may result in occasional errors in pronunciation, tone, or sentiment. 
<\/span> <\/p>\n<\/div>\n<p> <!-- End of audio player --> <\/div>\n<div class=\"single-article__cover-wrap\">\n<figure class=\"single-article__cover\"> <img data-recalc-dims=\"1\" fetchpriority=\"high\" width=\"640\" height=\"457\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2026\/05\/zapier-fixes-bug-chain-that-researchers-say-risked-widespread-account-takeover.jpg?resize=640%2C457&#038;ssl=1\" class=\"single-article__cover-image wp-post-image\" alt decoding=\"async\" fetchpriority=\"high\" srcset=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2026\/05\/zapier-fixes-bug-chain-that-researchers-say-risked-widespread-account-takeover-2.jpg 4000w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2026\/05\/zapier-fixes-bug-chain-that-researchers-say-risked-widespread-account-takeover-2.jpg?resize=300,214 300w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2026\/05\/zapier-fixes-bug-chain-that-researchers-say-risked-widespread-account-takeover-2.jpg?resize=768,549 768w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2026\/05\/zapier-fixes-bug-chain-that-researchers-say-risked-widespread-account-takeover-2.jpg?resize=1024,731 1024w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2026\/05\/zapier-fixes-bug-chain-that-researchers-say-risked-widespread-account-takeover-2.jpg?resize=1536,1097 1536w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2026\/05\/zapier-fixes-bug-chain-that-researchers-say-risked-widespread-account-takeover-2.jpg?resize=2048,1463 2048w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2026\/05\/zapier-fixes-bug-chain-that-researchers-say-risked-widespread-account-takeover-2.jpg?resize=600,429 600w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2026\/05\/zapier-fixes-bug-chain-that-researchers-say-risked-widespread-account-takeover-2.jpg?resize=235,168 235w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2026\/05\/zapier-fixes-bug-chain-that-researchers-say-risked-widespread-account-takeover-2.jpg?resize=472,337 472w, 
https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2026\/05\/zapier-fixes-bug-chain-that-researchers-say-risked-widespread-account-takeover-2.jpg?resize=945,675 945w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2026\/05\/zapier-fixes-bug-chain-that-researchers-say-risked-widespread-account-takeover-2.jpg?resize=1180,843 1180w\" sizes=\"(max-width: 945px) 100vw, 945px\"><figcaption> (Photo by Artur Widak\/NurPhoto via Getty Images) <\/figcaption><\/figure>\n<\/p><\/div>\n<\/header>\n<div class=\"single-article__content\">\n<div class=\"single-article__content-inner has-drop-cap\"> <html readability=\"53.015995140717\"><body readability=\"107.35670103093\"><\/p>\n<p>Security researchers chained together five separate weaknesses in the popular workflow automation service Zapier that, if first discovered by a malicious actor, could have granted access to millions of user accounts and the systems those accounts connect to.<\/p>\n<p>The flaws, disclosed by security firm Token Security, did not require malware or insider access. The only prerequisite, according to the company\u2019s report, was a free Zapier account. From there, researchers chained together weaknesses that, if taken individually, would have looked routine, but together opened a path to one of the most widely used services of the modern internet.<\/p>\n<p>Zapier\u2019s software can be configured to move data between email, customer-relationship tools, payment processors, calendars, code repositories and thousands of other applications. The company says it supports more than 8,000 third-party integrations and has millions of users, which means breaking into Zapier could escalate into a wide-ranging supply-chain attack.<\/p>\n<p>The researchers said an attempted attack would start by exploiting a weakness in how users write small pieces of code as part of their automations. Once that feature was isolated, researchers recovered login credentials the service had tried to discard. 
Those credentials, in turn, exposed an internal storage system holding more than 1,100 of Zapier\u2019s private software images, one of which contained a publishing key for a piece of code that runs inside every logged-in Zapier user\u2019s browser.<\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>According to the report, if an attacker updated that code, they could have acted as a legitimate user inside the platform, creating new automations, altering existing ones, and tapping into connections the user had already approved to outside services. From there, they could instruct the platform to send emails, move files, pull records from customer databases, or post messages, all from accounts that appeared entirely legitimate.<\/p>\n<p>The researchers stressed that a possible attacker could not have obtained passwords or login keys for those connected services, as those remain on Zapier\u2019s servers. But because the actions would have been carried out through Zapier itself, they would have looked, to any outside system, like the user\u2019s own.<\/p>\n<p>A separate finding, uncovered during the same research, illustrated how immediate that risk can be. The researchers said they discovered a working key tied to the personal account of the chief technology officer of an outside artificial-intelligence company whose software Zapier used internally. Using that key, they were able to send an email from the executive\u2019s own Gmail account to a mailbox they controlled.<\/p>\n<p>Token Security told Zapier the capability existed but did not exploit it. 
The researchers confirmed they had the access needed to push a malicious update into code running inside every signed-in Zapier user\u2019s browser, and instead reported the findings in February under the company\u2019s bug-bounty program.&nbsp;<\/p>\n<p>Researchers said that Zapier triaged the issues within four days, remediated within three weeks, and worked with the researchers to allow disclosure. The company paid the program\u2019s maximum bounty of $3,000 and says it has no evidence the weaknesses were exploited before they were patched.<\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>\u201cWorth saying out loud in a culture that often punishes disclosure programs for slowness,\u201d Token\u2019s blog post reads.&nbsp;&nbsp;<\/p>\n<p>Zapier did not respond to CyberScoop\u2019s request for comment.&nbsp;<\/p>\n<p>The episode lands at a moment when automation platforms and artificial-intelligence tools are increasingly being granted the standing authority to act on behalf of users across dozens of services at once. Token Security\u2019s researchers argued that the weaknesses they found were not unique to Zapier. Each link in the chain, they said, was a well-documented kind of mistake. The vulnerability was the chain itself, and the same pattern, they warned, almost certainly exists at other companies that have not yet looked.<\/p>\n<p>Zapier says the issues have been fixed and no further action is required. 
But the researchers suggested organizations with heightened sensitivity review their automation logs for anything they did not create, and consider reauthorizing Zapier connections to particularly sensitive systems.<\/p>\n<p>You can read the full research report on <a href=\"https:\/\/www.token.security\/zapocalypse\">Token Security\u2019s website<\/a>.&nbsp;<\/p>\n<p><\/body> <\/p>\n<footer class=\"single-article__footer\" readability=\"3.9973821989529\">\n<div class=\"author-card\" readability=\"14\">\n<div class=\"author-card__avatar\">\n<figure class=\"author-card__image-wrap\"> <img data-recalc-dims=\"1\" decoding=\"async\" class=\"author-card__image\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2026\/05\/zapier-fixes-bug-chain-that-researchers-say-risked-widespread-account-takeover-1.jpg?w=640&#038;ssl=1\" alt=\"Greg Otto\"> <\/figure>\n<\/p><\/div>\n<p><h4 class=\"author-card__name\">Written by Greg Otto<\/h4>\n<p> Greg Otto is Editor-in-Chief of CyberScoop, overseeing all editorial content for the website. Greg has led cybersecurity coverage that has won various awards, including accolades from the Society of Professional Journalists and the American Society of Business Publication Editors. Prior to joining Scoop News Group, Greg worked for the Washington Business Journal, U.S. News &amp; World Report and WTOP Radio. He has a degree in broadcast journalism from Temple University. 
<\/p>\n<\/p><\/div>\n<div class=\"single-article__tags-container\">\n<h4 class=\"single-article__tags-title\">In This Story<\/h4>\n<\/p><\/div>\n<\/footer>\n<p> <\/html><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"single-article__ads js-single-article-sidebar\">\n<div class=\"ad ad--sidebar js-single-article-sidebar-5 ad--rightrail_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div class=\"ad ad--sidebar js-single-article-sidebar-4 ad--rightrail_2 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div class=\"ad ad--sidebar js-single-article-sidebar-3 ad--rightrail_3 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div><\/div>\n<\/article>\n<div class=\"popular-stories popular-stories--single-post\">\n<div class=\"popular-stories__container\">\n<h2 class=\"popular-stories__title\"> More Scoops <\/h2>\n<p> <!-- .popular-stories__stories --> <\/div>\n<p><!-- .popular-stories__inner -->\n<\/div>\n<p><!-- .popular-stories --> <\/p>\n<section class=\"latest-podcasts\">\n<h2 class=\"latest-podcasts__title\"> Latest Podcasts\t<\/h2>\n<\/section>\n<div class=\"top-categories\">\n<div class=\"top-categories__container\">\n<h3 class=\"top-categories__category-title\">Government<\/h3>\n<\/p><\/div>\n<div class=\"top-categories__container\">\n<h3 class=\"top-categories__category-title\">Technology<\/h3>\n<\/p><\/div>\n<\/p><\/div>\n<p> <\/main> <\/p>\n<div class=\"ad ad--bottom \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div id=\"interstitial\" class=\"welcome__container\"> <button id=\"close-modal-1\" class=\"welcome__clickable_area\"><\/button> <\/p>\n<div class=\"welcome__ad_wrapper\">\n<p> <button id=\"close-modal-3\" class=\"welcome__continue-button\">Continue to CyberScoop<\/button> <\/p>\n<\/p><\/div>\n<\/p><\/div>\n<p> <!-- Start of 
HubSpot Embed Code --> <!-- End of HubSpot Embed Code --> <\/body> <a href=\"https:\/\/cyberscoop.com\/zapier-bug-chain-account-takeover-patched\/\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Zapier fixes bug chain that researchers say risked widespread account<\/p>\n","protected":false},"author":11,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[78,256,1866,6721,703,6722],"tags":[86,262,1868,6723,705,6724],"class_list":["post-8689","post","type-post","status-publish","format-standard","hentry","category-cybersecurity","category-research","category-supply-chain-attacks","category-token-security","category-vulnerability-disclosure","category-zapier","tag-cybersecurity","tag-research","tag-supply-chain-attacks","tag-token-security","tag-vulnerability-disclosure","tag-zapier"],"featured_image_urls":{"full":"","thumbnail":"","medium":"","medium_large":"","large":"","1536x1536":"","2048x2048":"","chromenews-featured":"","chromenews-large":"","chromenews-medium":""},"author_info":{"display_name":"Cyber Scoop","author_link":"https:\/\/ddi.mohflo.net\/index.php\/author\/cyberscoop\/"},"category_info":"<a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/cybersecurity\/\" rel=\"category tag\">Cybersecurity<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/research\/\" rel=\"category tag\">Research<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/supply-chain-attacks\/\" rel=\"category tag\">supply chain attacks<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/token-security\/\" rel=\"category tag\">Token Security<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/vulnerability-disclosure\/\" rel=\"category tag\">vulnerability disclosure<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/zapier\/\" rel=\"category 
tag\">zapier<\/a>","tag_info":"zapier","comment_count":"0","jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/8689","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/users\/11"}],"replies":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/comments?post=8689"}],"version-history":[{"count":0,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/8689\/revisions"}],"wp:attachment":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/media?parent=8689"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/categories?post=8689"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/tags?post=8689"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}