If you use OneDrive to upload files to ChatGPT or Zoom, don't
Briefly

Security concerns are mounting among web app vendors, especially as sensitive secrets necessary for API access are often stored insecurely. Eric Schwake of Salt Security emphasizes that this puts pressure on security teams, particularly since APIs are critical for applications like ChatGPT. The unchecked data access poses significant risks, making third-party applications prime targets for cyber threats, while also raising potential compliance issues. Notable applications affected include ChatGPT, Trello, and Slack, with risks extending even to recruitment tools that handle sensitive corporate information.
"Sensitive secrets required for this access are often stored in an insecure manner by default," Schwake said. "This situation presents a key API security challenge for security teams, and with services like ChatGPT heavily depending on APIs to access and handle user data, this poses an even greater risk."
A third-party web application ending up with "unintentional" user data owing to this situation becomes a target for threat actors and could potentially run afoul of compliance rules just by having that level of access.
Oasis notes that apps such as ChatGPT (uses File Picker v8.0), ClickUp, Trello, Zoom, and Slack are potentially affected.
Even apps like Phenome, a recruitment tool, could unintentionally expose confidential files if users upload resumes from corporate accounts.
Read at CSO Online