Top 4 Zapier security risks
Zapier is a platform that allows you to integrate web apps across an organization. It can make fast work of data from various web applications; however, it is not a perfect panacea in terms of security. Zapier has some security risks that you should take into account before deciding if this solution is right for your organization. We will explore four security risks you should be aware of when using Zapier.
What is Zapier?
Zapier is an integration solution that allows users to automate tasks via customized workflows using over 3,000 web apps. For example, an email from Gmail can trigger an action to copy an attachment in the email to Dropbox and then alert you in Slack that the file is ready to use. Zapier makes it so instead of having to open three apps to perform three tasks, all of it is done at once via automation.
Instead of needing a complete application of each part of an API, Zapier integrations are a curated set of the most important features of an API.
1. Global storage
The most striking security risk of Zapier is the fact that its Storage app is global. The widely-used app was built by Zapier to be used for storage during your workflow. The flaw stems from the fact that when a key is chosen by the user, it determines the grouping of data, and the user has the option to select arbitrary keys for themselves. This can be problematic if the user assumes that Storage is account-based, and chooses a weak key. Choosing weak keys, which was demonstrated in an investigation of Storage, allowed for both authentication tokens and personally identifiable information (PII) to be found upon review.
2. Nothing to prevent key collisions
There is another security risk associated with Storage by Zapier. Namely, there is nothing that will prevent key collisions with other users. This means that if one user unwittingly chooses the same password used by another user, it would be possible for the user to overwrite the other user’s data. It would also mean that the second user that chose a password would be able to read all data in the respective key group.
3. No Zapier account required to interact with Storage
The last of the Zapier security issues stemming from Storage is that a user does not have to register a Zapier account to interact with the app. There is no account tied to actions within Zapier, so it would be very difficult to track activities like interactions with the app. Adversaries can abuse this by storing malware in Storage, making it a command and control channel, and by performing DoS (or denial of service) attacks by filling Storage up.
4. Lackluster security for default credentials
It is one thing to lead a horse to water, it is quite another thing to force the horse to use strong security practices. As of the time of writing this article, Zapier requires the simplest modern credential convention — only a username and password. While this may have been considered secure 25 years ago, much has changed in terms of security and this will no longer suffice, especially for software that can access so many apps across your organization. While users can turn on two-factor authentication (2FA), and Zapier strongly recommends that users enable this security feature, it is still not compulsory. The perceived inconvenience that some users may have with forcing 2FA will help make Zapier more secure by default.
Honorable mention — Zapier is not HIPAA compliant
HIPAA (Health Insurance Portability and Accountability Act) is the regulatory framework that organizations working with patients’ protected health information, or PHI, need to comply with, and this extends to the organization’s IT and information security practices. Zapier lists itself as being not HIPAA compliant on its website.
Mitigation of security risks
The good thing is that most of these security risks can all be mitigated.
- Restrict new key creation. Zapier should require users to log in and create a new key group in Storage instead of allowing the creation of new keys outside of Zapier’s application ecosystem. This would allow Zapier to track which user accounts own which keys
- Zapier should automatically generate a random UUID token for the user when they create their token instead of allowing users to choose what they want it to be
- When creating a new key, make sure that a unique key is chosen. This will greatly reduce the number of key collisions
- Require a user account to interact with Storage by Zapier
- Make all users utilize 2FA for credentialing purposes
Zapier has some security risks that should be recognized by those considering adopting it for use in their organization. The good thing is that the majority of the security risks can be fixed; however, Storage by Zapier will require a good degree of redesign to get rid of its globally accessible nature.
Zapier Intro. Zapier platform