TL;DR
- On April 19, Vercel disclosed a breach caused by a compromised OAuth grant tied to a third-party app, Context AI—an attacker didn’t need to hack Vercel directly, they just walked in through a door someone else left open.
- Expel hunted across customer environments for the abused OAuth application client ID disclosed in Vercel’s bulletin.
- OAuth consent grants are only as safe as the apps holding them—audit what’s been granted, restrict what users can approve, and treat unexpected third-party app access as a red flag worth investigating.
What happened
On April 19, Vercel, a cloud application development platform, disclosed a security incident involving unauthorized access that stemmed from a supply chain compromise. Context AI, a third-party application, had suffered its own security incident; the attacker then abused the OAuth grant Context AI already held to reach Vercel's systems and steal data. Vercel itself did not have to be broken into: the access came through permissions a legitimate app had previously been granted.
What you need to know
We hunted across our customer environments for the disclosed client ID to scope any use of the application.
OAuth consent grants let a third-party application act on a user's behalf against specific data. They become a severe risk when the scopes granted are broader than the app needs, or when the app (or the account that controls it) is compromised, because the attacker inherits every grant the app holds without ever touching the victim's credentials.
The client ID of the abused OAuth app, as disclosed in Vercel's bulletin: 110671459871-30f1spbu0hptbs60cb4vsmv79i7bbvqj
What you should do
Regularly hunt for and monitor excessive or unexpected OAuth consent grants in your environment, and search your consent and token audit logs for the client ID above. Uncommon or unexpected applications, and grants with unusually broad scopes, should be investigated.
Restrict which permissions (scopes) users are allowed to grant to third-party apps, and require administrator review for high-risk scopes so a single user's click cannot hand an app broad access to organizational data.
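The hunt described above, as an added example that is not Expel's tooling or part of Vercel's bulletin: it reads newline-delimited JSON consent-grant audit events (a constructed, assumed schema with `user`, `client_id`, `app_name` and `scopes` fields; map these to whatever your identity provider actually emits), flags any grant to the client ID from the bulletin, any grant with broad scopes, and any app consented to by very few users. The scope names, the "broad scope" markers and the rarity threshold are illustrative assumptions to tune for your environment.

```python
"""Hunt OAuth consent-grant audit events for a watchlisted client ID,
broad scopes, and low-prevalence apps.

Added example for this post, not Expel's code. Event schema, scope names,
broad-scope markers and rarity threshold are assumptions.
"""
import json
from collections import defaultdict

# Client ID disclosed in Vercel's bulletin (quoted from the post above).
WATCHLIST = {"110671459871-30f1spbu0hptbs60cb4vsmv79i7bbvqj"}

# Substrings that mark a scope as "broad" in this example's naming scheme.
# Assumption: real IdP scope strings differ; adjust these markers.
BROAD_SCOPE_MARKERS = ("readwrite", ".all", "admin", "offline_access")

# Assumption: an app consented to by fewer than this many distinct users is "rare".
RARE_USER_THRESHOLD = 2

# Constructed sample log (not real telemetry). One JSON event per line; the
# last line is deliberately malformed to show the parser skipping it.
SAMPLE_LOG = """\
{"ts": "2026-04-18T09:12:00Z", "event": "oauth.consent", "user": "alice@example.com", "client_id": "110671459871-30f1spbu0hptbs60cb4vsmv79i7bbvqj", "app_name": "Context", "scopes": ["openid", "email", "files.read.all"]}
{"ts": "2026-04-18T09:30:00Z", "event": "oauth.consent", "user": "bob@example.com", "client_id": "slack-example-client", "app_name": "Slack", "scopes": ["openid", "email", "profile"]}
{"ts": "2026-04-18T10:02:00Z", "event": "oauth.consent", "user": "carol@example.com", "client_id": "slack-example-client", "app_name": "Slack", "scopes": ["openid", "email", "profile"]}
{"ts": "2026-04-18T11:45:00Z", "event": "oauth.consent", "user": "dave@example.com", "client_id": "slack-example-client", "app_name": "Slack", "scopes": ["openid", "email", "profile"]}
{"ts": "2026-04-18T14:20:00Z", "event": "oauth.consent", "user": "erin@example.com", "client_id": "unknown-pdf-tool-client", "app_name": "PDF Helper", "scopes": ["openid", "mail.readwrite", "offline_access"]}
this line is not JSON and is skipped
"""


def parse_events(text):
    """Parse newline-delimited JSON, keeping only consent events."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # malformed line; a real pipeline should count these, not hide them
        if rec.get("event") == "oauth.consent":
            events.append(rec)
    return events


def is_broad(scopes):
    """True if any granted scope matches a broad-scope marker."""
    return any(m in s.lower() for s in scopes for m in BROAD_SCOPE_MARKERS)


def users_per_client(events):
    """Distinct consenting users per client ID (app prevalence)."""
    seen = defaultdict(set)
    for e in events:
        seen[e["client_id"]].add(e["user"])
    return {cid: len(users) for cid, users in seen.items()}


def hunt(events, watchlist=WATCHLIST, rare_threshold=RARE_USER_THRESHOLD):
    """Return one finding per consent event that trips any check."""
    prevalence = users_per_client(events)
    findings = []
    for e in events:
        reasons = []
        if e["client_id"] in watchlist:
            reasons.append("watchlisted_client")
        if is_broad(e.get("scopes", [])):
            reasons.append("broad_scopes")
        if prevalence[e["client_id"]] < rare_threshold:
            reasons.append("rare_app")
        if reasons:
            findings.append({
                "ts": e["ts"],
                "user": e["user"],
                "client_id": e["client_id"],
                "app_name": e.get("app_name", "?"),
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for f in hunt(parse_events(SAMPLE_LOG)):
        print(f"{f['ts']} {f['user']} -> {f['app_name']} ({f['client_id']}): "
              f"{', '.join(f['reasons'])}")
```

Run against the constructed sample, the Slack grants produce no findings (common app, narrow scopes), the Context grant is flagged on all three checks, and the unknown PDF tool is flagged for broad scopes and low prevalence. The prevalence check only works over a meaningful time window of your real consent logs; over a handful of events everything looks rare.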
References
- Vercel’s security bulletin
- Infostealers.com claim suggesting the incident was the result of infostealing malware
