Technology

Vercel breach exposes the OAuth gap most security teams cannot detect, scope or contain

1 2 minutes read
Vercel breach exposes the OAuth gap most security teams cannot detect, scope or contain
Vercel breach exposes the OAuth gap most security teams cannot.png

The recent security breach at Vercel has sent shockwaves through the tech industry, highlighting the vulnerabilities that can arise from seemingly innocuous actions. The chain of events that led to unauthorized access to Vercel’s internal systems began with one employee at the AI vendor, Context.ai, falling victim to an infostealer. This employee had installed a browser extension from Context.ai and signed in using their corporate Google Workspace account, unwittingly granting broad OAuth permissions.

When Context.ai was breached, the attacker gained access to the employee’s Workspace account and used it as a gateway into Vercel’s production environments. By exploiting non-sensitive environment variables that were accessible through the dashboard and API, the attacker was able to escalate privileges and navigate through Vercel’s systems undetected.

The CEO of Vercel, Guillermo Rauch, described the attacker as “highly sophisticated” and possibly using AI to accelerate their activities. Further investigations revealed a second OAuth grant tied to Context.ai’s Chrome extension, which granted read access to users’ Google Drive files. This revelation prompted Google to remove Context.ai’s extension from the Chrome Web Store.

Forensic evidence published by Hudson Rock traced the origin of the breach to a Lumma Stealer infection on a Context.ai employee’s device in February. This infection led to the compromise of various credentials, including Google Workspace logins, Supabase keys, and Datadog tokens. The attacker then used these credentials to access Context.ai’s AWS environment and eventually breach Vercel’s systems.

The breach exposed several governance failures, including inadequate auditing of AI tool OAuth scopes, insufficient classification of environment variables, and a lack of detection coverage for the intricate chain of events that led to the breach. The prolonged dwell time between the initial detection of the breach and the public disclosure also raised concerns about vendor notification practices.

To address these issues, security directors are advised to conduct thorough audits of AI tool OAuth grants, prioritize the classification of environment variables, and enhance detection capabilities for complex supply chain attacks. Additionally, they should establish clear notification protocols with vendors and monitor shadow AI adoption within their organizations.

In conclusion, the Vercel breach serves as a stark reminder of the risks associated with third-party integrations and the importance of comprehensive security measures to prevent unauthorized access to sensitive systems. By learning from this incident and implementing proactive security measures, organizations can better protect themselves against similar threats in the future.

Tags
1 2 minutes read

Related Articles

Silo Season 3 Release Date, Plot, Cast and Trailer

Silo Season 3 Release Date, Plot, Cast and Trailer

4 hours ago
Samsung Galaxy S27: Rumours, Price, Release Date

Samsung Galaxy S27: Rumours, Price, Release Date

10 hours ago
Three AI coding agents leaked secrets through a single prompt injection. One vendor's system card predicted it

Three AI coding agents leaked secrets through a single prompt injection. One vendor's system card predicted it

16 hours ago
5 Easy Ways to Make Your Smartphone More Sustainable

5 Easy Ways to Make Your Smartphone More Sustainable

22 hours ago
Back to top button