Vercel hacked after fatal OAuth misstep: granting “Allow All” permissions


Vercel, a cloud platform and maintainer of Next.js, a major web development framework, has been hacked, and hackers are selling access to credentials that could help pull off “the largest supply chain attack ever if done right.” An OAuth token, granting too many permissions, became a single point of failure.

Vercel acknowledged that a threat actor accessed their internal systems and compromised the credentials of “a limited subset of customers.”

The company released a security advisory recommending that customers review account activity logs and rotate any secrets potentially exposed in the environment variables that were not marked as sensitive.


“We reached out to that subset and recommended an immediate rotation of credentials,” Vercel said.

“Environment variables marked as ‘sensitive’ in Vercel are stored in a manner that prevents them from being read, and we currently do not have evidence that those values were accessed.”

The incident sparked fears that attackers might have obtained NPM and GitHub tokens and other credentials that can snowball into new waves of supply chain attacks.

“We’ve analyzed our supply chain, ensuring Next.js, Turbopack, and our many open-source projects remain safe for our community,” Guillermo Rauch, CEO of Vercel, assured.

Rauch explained that the breach escalated from a single employee’s compromised Google Workspace account, underscoring that many developers may be granting third-party apps too many privileges.

What happened?

“A Vercel employee got compromised via the breach of an AI platform customer called http://Context.ai, which he was using,” Rauch posted on X.

“Through a series of maneuvers … the attacker got further access to Vercel environments.”

The CEO believes that the attacker is highly sophisticated and was likely using AI.

“They moved with surprising velocity and in-depth understanding of Vercel.”


Context.AI is a company that deploys autonomous, chat-driven AI agents and AI office suites for its customers, designed to enhance productivity by creating documents, presentations, and spreadsheets. The company suffered a data breach a month ago.

“Last month, we identified and stopped a security incident involving unauthorized access to our AWS environment,” Context.AI said in a new security update.

“The unauthorized actor also likely compromised OAuth tokens for some of our consumer users.”

OAuth (Open Authorization) is an open standard for access delegation that grants applications, like Context.ai, limited access to a user’s resources without the user handing over a password. The token is presented in place of the user, so whoever holds it, including an attacker who lifts it from the app’s backend as happened at Context.ai, gets exactly the access the user consented to, with no password or MFA prompt, until the grant is revoked.


Although the compromised OAuth token was used to access Vercel’s Google Workspace, Context.AI puts the blame on Vercel for permitting an employee to grant such broad permissions in the first place.

“Vercel is not a Context customer, but it appears at least one Vercel employee signed up for the AI Office Suite using their Vercel enterprise account and granted 'Allow All' permissions,” the AI company further explained.

“Vercel’s internal OAuth configurations appear to have allowed this action to grant these broad permissions.”

Context.AI said its enterprise customers were unaffected by the security incident because they’re served through an entirely separate platform on customer-owned environments. The company shut down its consumer product and associated resources after the event.

The scale of the incident at Vercel remains unclear

Rauch believes that the number of customers impacted by the security incident is “quite limited,” and the company is working with them directly.

“Vercel stores all customer environment variables fully encrypted at rest. We have numerous defense-in-depth mechanisms to protect core systems and customer data,” Rauch said.

“We do have a capability, however, to designate environment variables as ‘non-sensitive.’”

The attackers enumerated environment variables that had not been marked sensitive, whose values can be read back by anyone with access to the project, and that was enough to pivot further.


While Rauch says they’re turning the incident “into the most formidable security response imaginable,” he also recommends customers take precautions.

“My advice to everyone is to follow the best practices of security response: secret rotation, monitoring access to your Vercel environments and linked services, and ensuring the proper use of the sensitive env variables feature.”
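One way to act on that advice for a project is to pull the environment-variable metadata and list every credential-looking name that is not of the write-only “sensitive” type, since those are the values an intruder with project access can read back. The script below is an added example, not Vercel’s own code; it assumes the response shape of GET https://api.vercel.com/v9/projects/{project}/env (a list under "envs" with "key", "type" and "target" fields) and that type "sensitive" is the write-only kind described above. The name heuristic and the sample data are constructed for the example.

```python
"""Flag Vercel environment variables that look like credentials but can be read back.

Added example, not Vercel's own code. Assumes the shape of the
GET https://api.vercel.com/v9/projects/{project}/env response ("envs" list
with "key", "type", "target") and that type "sensitive" is write-only.
The name heuristic and SAMPLE_RESPONSE are constructed for this example.
"""
import json
import os
import re
import urllib.request

# Names that usually hold credentials. A heuristic, not a Vercel rule.
SECRET_NAME = re.compile(
    r"TOKEN|SECRET|PASSWORD|PASSWD|PRIVATE_KEY|API_KEY|ACCESS_KEY|CREDENTIAL|DATABASE_URL",
    re.IGNORECASE,
)

# Constructed sample in the assumed API shape; not real project data.
SAMPLE_RESPONSE = json.loads("""
{"envs": [
  {"id": "e1", "key": "NEXT_PUBLIC_API_URL", "type": "plain",
   "target": ["production", "preview"]},
  {"id": "e2", "key": "NPM_TOKEN", "type": "encrypted", "target": ["production"]},
  {"id": "e3", "key": "GITHUB_TOKEN", "type": "encrypted",
   "target": ["production", "preview", "development"]},
  {"id": "e4", "key": "NEXT_PUBLIC_SENTRY_TOKEN", "type": "plain", "target": ["production"]},
  {"id": "e5", "key": "DATABASE_URL", "type": "sensitive", "target": ["production"]},
  {"id": "e6", "key": "STRIPE_SECRET_KEY", "type": "sensitive", "target": ["production"]}
]}
""")


def readable_secrets(envs):
    """Entries that look like credentials but are not type "sensitive".

    Every variable is encrypted at rest, but only "sensitive" ones are
    write-only; the rest can be read back by any user, token or integration
    with project access, which is the set an intruder enumerates.
    """
    return [e for e in envs if SECRET_NAME.search(e["key"]) and e.get("type") != "sensitive"]


def client_exposed_secrets(envs):
    """Credential-like names carrying the NEXT_PUBLIC_ prefix.

    Next.js inlines NEXT_PUBLIC_* into the browser bundle, so marking these
    sensitive would not help: the value has to move to a server-only name.
    """
    return [e["key"] for e in envs
            if e["key"].startswith("NEXT_PUBLIC_") and SECRET_NAME.search(e["key"])]


def rotation_plan(envs):
    """Map each readable secret to the environments it was exposed in."""
    return {e["key"]: sorted(e.get("target", [])) for e in readable_secrets(envs)}


def fetch_envs(project, token):
    """Pull env metadata from the Vercel API (network call, assumed endpoint)."""
    req = urllib.request.Request(
        f"https://api.vercel.com/v9/projects/{project}/env",
        headers={"Authorization": f"Bearer {token}"},
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)["envs"]


if __name__ == "__main__":
    token, project = os.environ.get("VERCEL_TOKEN"), os.environ.get("VERCEL_PROJECT")
    envs = fetch_envs(project, token) if token and project else SAMPLE_RESPONSE["envs"]
    for key, targets in rotation_plan(envs).items():
        print(f"ROTATE {key}: readable in {', '.join(targets)}; re-add as sensitive")
    for key in client_exposed_secrets(envs):
        print(f"MOVE {key}: shipped to browsers by Next.js, rename to a server-only variable")
```

Run it with VERCEL_TOKEN and VERCEL_PROJECT set to audit a live project, or without them to see the constructed sample. Every key it prints should be rotated at the issuing service (npm, GitHub, the database) rather than just re-saved, because the old value has already been readable; re-adding it as sensitive only prevents the next read.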

The Cybernews research team highlighted the mismatch between the threat actor’s claims and Vercel’s.

“Although Vercel itself does not claim which specific secrets are at risk, the threat actor claims to have access to a number of them, including GitHub and NPM tokens. The latter is used to authenticate within the NPM registry, which then allows people/organizations to publish npm packages,” our researchers noted.

“Combining the point that Vercel owns Next.js, if these secrets are not rotated in time, they could be exploited further, for example, via publishing an “update” of Next.js, that could contain malware, and then a plethora of web apps that use this framework would suffer as a result.”


It’s a mystery who’s behind the attack – the data was listed for sale

The threat actors themselves were the first to report a hit on Vercel by listing the data for sale, allegedly for $2 million, on an illicit dark web marketplace and Telegram channel.

Multiple security analysts shared a screenshot of the post on X. However, at the time of writing, the post is no longer available.


“I am selling Access Key/Source Code/Database from Vercel Company,” reads a post by a threat actor using the alias “ShinyHunters.”

ShinyHunters, a notorious extortion group, has denied its involvement in the breach, attributing it to an impersonator.

The threat actor shared a screenshot from Linear, a specialized project management tool, as proof of the breach, and claimed to have “multiple employee accounts” with access to internal deployments and API keys, including “some” NPM and GitHub tokens.

“Give me a quote if you're interested. This could be the largest supply chain attack ever if done right,” the threat actor said.

“You send one update with a payload, and it will hit every developer on the planet who runs an installation or updates a package.”

The worst case, an ecosystem-wide supply chain attack, has not materialized, suggesting the incident may be contained. Malware analysts at vx-underground estimate that the damage could have been substantially greater and characterize the cyberattack as a “standard smash-and-grab” operation.

Check your OAuth apps and permissions, researchers warn

Vercel’s advisory contains a single indicator of compromise, the OAuth client ID below, and urges customers to check whether the same app has been authorized in their own Google Workspace:

“110671459871-30f1spbu0hptbs60cb4vsmv79i7bbvqj.apps.googleusercontent.com”


However, this raises a broader issue: trusted third-party tools have too much access to Google Workspace.

“If you're responding to the Vercel breach by looking at your OAuth apps for a single ID, maybe also export the full list while you're in there. Spend a week asking yourself which scopes you have allowed, and whether you recognize all of the services. That could’ve saved Vercel,” said Secure Annex researcher John Tuckner.

Any tool with OAuth access to sensitive cloud accounts might serve as an entry for attackers.
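The check Tuckner describes, looking for the one client ID and then exporting the whole grant list with its scopes, can be scripted over the Workspace token audit log. The script below is an added example, not code from Vercel, Context.ai or Google. It assumes input shaped like the Admin SDK Reports API “token” activity stream (applicationName=token): each activity carries an actor email and “authorize” or “revoke” events whose parameters include client_id, app_name and a multi-valued scope list. The activities, user names and the two non-indicator client IDs are constructed; only IOC_CLIENT_IDS comes from Vercel’s advisory, and BROAD_SCOPES is this example’s judgement of which scopes amount to “Allow All”.

```python
"""Triage Google Workspace OAuth grants against Vercel's indicator and broad scopes.

Added example, not Vercel's, Context.ai's or Google's code. Assumes the
Admin SDK Reports API "token" activity shape (actor.email, events named
"authorize"/"revoke" with client_id, app_name and multi-valued scope).
SAMPLE_ACTIVITIES is constructed; only IOC_CLIENT_IDS is from the advisory.
"""
import json
from collections import defaultdict

# The single indicator Vercel published.
IOC_CLIENT_IDS = {"110671459871-30f1spbu0hptbs60cb4vsmv79i7bbvqj.apps.googleusercontent.com"}

# Scopes that hand an app a whole mailbox, all of Drive, the user directory or
# a cloud project. A judgement call for this example, not a Google list.
BROAD_SCOPES = {
    "https://mail.google.com/",
    "https://www.googleapis.com/auth/gmail.modify",
    "https://www.googleapis.com/auth/drive",
    "https://www.googleapis.com/auth/admin.directory.user",
    "https://www.googleapis.com/auth/cloud-platform",
}

IOC = "110671459871-30f1spbu0hptbs60cb4vsmv79i7bbvqj.apps.googleusercontent.com"
EXPORTER = "333333333333-exporter.apps.googleusercontent.com"  # constructed ID
SAMPLE_ACTIVITIES = json.loads("""[
 {"id": {"time": "2025-01-03T09:14:03Z"}, "actor": {"email": "alice@example.com"},
  "events": [{"name": "authorize", "parameters": [
    {"name": "client_id", "value": "%s"}, {"name": "app_name", "value": "AI Office Suite"},
    {"name": "scope", "multiValue": ["https://mail.google.com/",
      "https://www.googleapis.com/auth/drive", "https://www.googleapis.com/auth/calendar"]}]}]},
 {"id": {"time": "2025-01-04T11:02:00Z"}, "actor": {"email": "bob@example.com"},
  "events": [{"name": "authorize", "parameters": [
    {"name": "client_id", "value": "222222222222-calendarsync.apps.googleusercontent.com"},
    {"name": "app_name", "value": "Calendar Sync"},
    {"name": "scope", "multiValue": ["https://www.googleapis.com/auth/calendar.readonly"]}]}]},
 {"id": {"time": "2025-01-05T08:00:00Z"}, "actor": {"email": "carol@example.com"},
  "events": [{"name": "authorize", "parameters": [
    {"name": "client_id", "value": "%s"}, {"name": "app_name", "value": "Drive Exporter"},
    {"name": "scope", "multiValue": ["https://www.googleapis.com/auth/drive"]}]}]},
 {"id": {"time": "2025-01-06T10:00:00Z"}, "actor": {"email": "dave@example.com"},
  "events": [{"name": "authorize", "parameters": [
    {"name": "client_id", "value": "%s"}, {"name": "app_name", "value": "Drive Exporter"},
    {"name": "scope", "multiValue": ["https://www.googleapis.com/auth/drive"]}]}]},
 {"id": {"time": "2025-01-07T10:30:00Z"}, "actor": {"email": "dave@example.com"},
  "events": [{"name": "revoke", "parameters": [
    {"name": "client_id", "value": "%s"}, {"name": "app_name", "value": "Drive Exporter"}]}]}
]""" % (IOC, EXPORTER, EXPORTER, EXPORTER))


def current_grants(activities):
    """Replay authorize/revoke events in time order; return the grants still live."""
    live = {}
    for act in sorted(activities, key=lambda a: a["id"]["time"]):
        user = act["actor"]["email"]
        for ev in act.get("events", []):
            p = {x["name"]: x.get("multiValue", x.get("value")) for x in ev.get("parameters", [])}
            key = (user, p.get("client_id"))
            if ev.get("name") == "authorize":
                live[key] = {"user": user, "client_id": p.get("client_id"),
                             "app_name": p.get("app_name"), "scopes": set(p.get("scope") or [])}
            elif ev.get("name") == "revoke":
                live.pop(key, None)  # a revoked grant no longer counts
    return list(live.values())


def triage(grants, ioc=IOC_CLIENT_IDS, broad=BROAD_SCOPES):
    """Attach reasons to grants that match the indicator or carry broad scopes."""
    findings = []
    for g in grants:
        reasons = ["client ID in Vercel advisory"] if g["client_id"] in ioc else []
        over = sorted(g["scopes"] & broad)
        if over:
            reasons.append("broad scopes: " + ", ".join(over))
        if reasons:
            findings.append({**g, "reasons": reasons})
    return findings


def users_to_reset(findings, ioc=IOC_CLIENT_IDS):
    """Accounts whose live grant matches the indicator: revoke, reset, review sessions."""
    return sorted({f["user"] for f in findings if f["client_id"] in ioc})


def inventory(grants):
    """The full export Tuckner asks for: per client ID, who granted it and the scope union."""
    apps = defaultdict(lambda: {"app_name": None, "users": set(), "scopes": set()})
    for g in grants:
        e = apps[g["client_id"]]
        e["app_name"], e["users"], e["scopes"] = g["app_name"], e["users"] | {g["user"]}, e["scopes"] | g["scopes"]
    return {cid: {"app_name": e["app_name"], "users": sorted(e["users"]), "scopes": sorted(e["scopes"])}
            for cid, e in apps.items()}


if __name__ == "__main__":
    grants = current_grants(SAMPLE_ACTIVITIES)
    for cid, e in inventory(grants).items():
        print(f"{e['app_name']} ({cid}): users={e['users']} scopes={e['scopes']}")
    for f in triage(grants):
        print(f"FLAG {f['user']} -> {f['app_name']}: {'; '.join(f['reasons'])}")
    print("reset:", users_to_reset(triage(grants)))
```

Feed it the activities array returned by the Reports API for the token application (every user, as far back as retention allows), and treat the output in two tiers: users in the reset list need the grant revoked and their sessions and credentials reset, while the broad-scope findings are the list to spend the week on, deciding app by app whether the scope is still justified or should be narrowed.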

“When one OAuth token can compromise dev tools, CI pipeline, secrets, and deployment simultaneously, something architectural has gone wrong,” one Hacker News commenter noted.

