
OAuth, SaaS Supply Chains and Security Risks: Navigating the Minefield

2025/09/26 00:40

The Salesloft/Drift breach highlights the growing security risks in the SaaS supply chain, especially around OAuth integrations. Learn how to mitigate these threats.

The recent Salesloft/Drift breach, which came to light in August 2025, serves as a stark reminder of the lurking dangers within the SaaS ecosystem. Specifically, the exploitation of OAuth integrations has exposed a significant blind spot in SaaS security.

OAuth: A Double-Edged Sword

OAuth, intended to simplify identity and integration, has inadvertently become a major vulnerability. As Jaime Blasco, CTO of Nudge Security, points out, once attackers gain control of OAuth tokens, traditional security measures like multi-factor authentication (MFA) become useless. These tokens grant persistent trust, allowing attackers to move laterally across interconnected SaaS environments. The Drift breach allowed attackers to access Salesforce and Google Workspace environments across hundreds of organizations.

The Anatomy of the Drift Breach

The attack, attributed to UNC6395 (aka GRUB1), began months before its discovery. The attackers initially targeted Drift's GitHub repositories, eventually gaining access to their AWS environment. From there, they stole OAuth tokens for various integrations, including Salesforce and Google Workspace. This access allowed them to sift through Salesforce support cases, seeking customer credentials, a tactic previously observed in breaches involving Okta and Cloudflare.

Missed Detection Opportunities

A key takeaway from the incident is the importance of proactive security measures. Blasco emphasizes that vendors can implement detection mechanisms to identify and prevent token misuse. However, many companies fail to forward SaaS logs, restrict OAuth token lifespans, or enforce session timeouts, leaving their integrations exposed.

The SaaS Security Triad of Mistakes

Blasco identifies three common errors that expose IT and security teams to risk:

  1. Lack of visibility into SaaS applications
  2. Inadequate monitoring of integrations
  3. Failure to configure SaaS applications securely

These oversights create a fragmented SaaS landscape ripe for exploitation.

Shadow SaaS and the Rise of Shadow AI

The problem is compounded by the rise of shadow SaaS and shadow AI. Employees are increasingly adopting tools outside of IT's purview, often exposing sensitive data to unvetted startups. As AI agents become more sophisticated, they will rely on OAuth, API keys, and other protocols to access data, further expanding the attack surface.

Practical Steps for Security Teams

Despite the complexity, Blasco advises teams to focus on the fundamentals:

  • Inventory all applications.
  • Enforce MFA.
  • Configure integrations with timeouts and IP restrictions.
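An added illustration (not from the article, Petri, or Nudge Security) of the detection and configuration advice above: a small Python checker that applies a token-lifetime limit, a per-integration source-IP allowlist, and a bulk-read threshold to OAuth token-usage events. The JSON log format, field names and sample values are constructed for this example and are not any vendor's real schema.

```python
import json
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample: one "token used" event per line, as a hypothetical
# SaaS audit-log export might forward to a SIEM. Values are made up.
SAMPLE_LOG = """
{"ts":"2025-08-10T09:00:00Z","integration":"drift","token_id":"tok-a1","issued":"2025-08-09T09:00:00Z","src_ip":"203.0.113.10","action":"query","object":"Case","rows":12}
{"ts":"2025-08-10T09:05:00Z","integration":"drift","token_id":"tok-a1","issued":"2025-08-09T09:00:00Z","src_ip":"198.51.100.7","action":"query","object":"Case","rows":50000}
{"ts":"2025-08-10T09:10:00Z","integration":"drift","token_id":"tok-b2","issued":"2025-05-01T00:00:00Z","src_ip":"203.0.113.10","action":"query","object":"Contact","rows":3}
""".strip()

# Policy (hypothetical values): where each integration may call from,
# how long a token may live, and what counts as a bulk read.
IP_ALLOWLIST = {"drift": [ip_network("203.0.113.0/24")]}
MAX_TOKEN_AGE = timedelta(days=30)
BULK_ROWS_THRESHOLD = 10000


def _parse_ts(s):
    # Accept the trailing "Z" form on every supported Python version.
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def analyze(log_text, allowlist=IP_ALLOWLIST, max_age=MAX_TOKEN_AGE,
            bulk=BULK_ROWS_THRESHOLD):
    """Return (token_id, reason) findings for events that violate policy."""
    findings = []
    for line in log_text.splitlines():
        ev = json.loads(line)
        age = _parse_ts(ev["ts"]) - _parse_ts(ev["issued"])
        src = ip_address(ev["src_ip"])
        nets = allowlist.get(ev["integration"], [])
        # A token still in use past its allowed lifetime points at a
        # missing expiry or rotation policy.
        if age > max_age:
            findings.append((ev["token_id"], "token_older_than_policy"))
        # A call from outside the integration's known ranges is the
        # signal an IP restriction would have blocked outright.
        if not any(src in n for n in nets):
            findings.append((ev["token_id"], "source_ip_not_allowlisted"))
        # An integration reading far more rows than its normal job needs
        # is the pattern of bulk harvesting of support-case data.
        if ev.get("action") == "query" and ev.get("rows", 0) >= bulk:
            findings.append((ev["token_id"], "bulk_read"))
    return findings


if __name__ == "__main__":
    for token, reason in analyze(SAMPLE_LOG):
        print(f"{token}: {reason}")
```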

Salesforce's Response

Following the breach, Salesforce temporarily disabled all Salesloft integrations as a precautionary measure. Salesloft also took Drift temporarily offline to review the application and enhance its security.

Fiji's Crypto Ban: A Different Kind of Security

While the SaaS breaches highlight one type of security risk, the island nation of Fiji is taking a different approach to security by renewing its ban on cryptocurrencies. Citing concerns about money laundering, terrorism funding, and a lack of regulatory resources, Fiji aims to protect its financial system and national security. This move, while controversial, reflects a growing awareness of the potential risks associated with digital assets.

Looking Ahead

The Salesloft/Drift breach is a wake-up call. The security of the SaaS supply chain requires constant vigilance, robust security practices, and a proactive approach to identifying and mitigating risks. Otherwise, OAuth will continue to be a weak spot. It is the gift that keeps on giving... to hackers, that is.

Original source: petri
