When it comes to cybersecurity, businesses typically want to assume that every user is a special snowflake. The premise that each user has a unique identity, and that cybersecurity teams can manage access permissions and identify anomalous activity based on that identity, is a cornerstone of modern security operations.

Zenity research team has recently discovered a potential customer data leakage in Storage by Zapier, a service used for simple environment and state storage for Zap workflows. With only a few simple steps and no authentication, we were able to access sensitive customer data. Given the nature of this flaw, it would be easy for bad actors to recreate our approach and access the same sensitive data without significant expertise.