Shadow AI & OAuth sprawl


Most organizations are rightly worried about employees adopting unapproved AI tools. Shadow AI use in the form of LLMs, where users upload sensitive data to ChatGPT, Claude, or a dozen other chatbots, is a valid concern. But it isn't the biggest one.

When an employee connects an AI app into Google Workspace, Microsoft 365, Salesforce, or another core platform, they are creating a persistent, programmatic bridge between your environment and a third party.

That bridge does not go away when the employee stops using the app. And if that third party gets compromised, the bridge becomes a direct pathway into your systems.

We just saw this scenario play out with the Vercel breach. Context.ai's AI app was trialled by a Vercel employee, who had granted it access (via OAuth) to their Google Workspace account. When Context.ai got breached, Vercel got caught in the fallout.

The AI scramble is a force multiplier for shadow SaaS

Shadow IT isn't a new problem. Most organizations run heavily (or entirely) on SaaS, accessed in the browser, with loads of apps per enterprise. Unmanaged, self-adopted apps have been a thorn in the side of security teams for some time. But the AI scramble is a force multiplier.

There are different types of shadow IT to be aware of in the context of AI apps:

  • Shadow apps: Apps that employees have signed up to and are using for business purposes without business approval. This includes apps signed up to with a corporate account or personal account.

  • Shadow tenants: Apps that employees are accessing with personal accounts, essentially creating shadow tenants outside of your organization's control, even if you have approved the app itself.

  • Shadow extensions: Many AI apps come with an extension counterpart, along with numerous third-party extensions that are either untrustworthy or downright malicious. Browser extensions add another angle to the equation by providing visibility beyond the application into browser activity.

  • Shadow integrations: OAuth connections across apps that are not known or approved. Even if an app itself is approved, plugging that app directly into your primary enterprise apps, with all the sensitive data and functionality therein, is not necessarily also approved.

In the Vercel case, we're talking specifically about shadow integrations. But all of these present a key risk to your organization.

AI sprawl across the enterprise

The Vercel breach: a textbook example of OAuth grants gone wrong

The Vercel breach clearly illustrates the impact of shadow AI integrations.

A Vercel employee had connected an AI app, specifically a deprecated consumer-grade "AI Office Suite" product from Context.ai, into their Google Workspace tenant. Vercel wasn't even a registered customer of Context.ai.

This was perhaps a self-service trial that got integrated, lightly used, and forgotten about, adding an invisible node to the organization's attack surface.

By adopting the Context.ai app, the Vercel employee added a third party's employees and systems as a security dependency.

When Context.ai was subsequently compromised (allegedly the result of an infostealer infection from an employee searching for Roblox cheats; yes, really), the attacker was able to leverage OAuth tokens stored in Context.ai's environment to pivot into downstream customer accounts.

That included the Vercel employee's Google Workspace, which happened to be a well-permissioned account with access to internal dashboards, employee records, API keys, NPM tokens, and GitHub tokens.

Vercel isn't an outlier: attackers are targeting OAuth at scale

Widespread OAuth interconnectedness is not just an AI app problem. Attackers have been exploiting this for some time, and the cadence is accelerating:

  • In 2025, Scattered Lapsus$ Hunters launched OAuth-driven supply chain attacks against Salesforce and Google Workspace tenants after breaching Salesloft (specifically the Salesloft Drift platform) and Gainsight. Over 1000 organizations were impacted, including Google, Cloudflare, Rubrik, Elastic, Proofpoint, JFrog, Zscaler, Tenable, Palo Alto Networks, CyberArk, BeyondTrust, Qualys, and many more, with over 1.5 billion records stolen.

  • Snowflake customers were impacted after a breach at data anomaly detection company Anodot, where the attacker attempted to leverage stolen authentication tokens to access Salesforce data, with Rockstar Games a high-profile victim.

Attackers are not only abusing existing OAuth connections as part of supply chain attacks; they are also using OAuth-focused phishing as the front door to victim environments. Last year's Salesforce campaign began with device code phishing, where attackers tricked victims into registering an attacker-controlled app into their Salesforce tenant, granting full API access for mass data exfiltration.

We've since seen a 37x increase in device code phishing attacks this year, with more than a dozen criminal PhaaS kits in circulation.

The pattern is clear: OAuth integrations are becoming one of the most reliably abused attack surfaces in enterprise environments, and every new AI tool your employees connect makes the web a little wider.


The web of OAuth sprawl spans way beyond Google and Microsoft

The Vercel breach is illustrative, but it only scratches the surface of the problem.

Controlling OAuth in your main enterprise cloud environment (think M365 or Google Workspace) is fairly straightforward: both platforms give admins the ability to audit and control OAuth connections. The Vercel breach could have been avoided had their employees been blocked from adding new OAuth integrations without admin approval, a toggle in their Google admin panel. Or, if the integration had been flagged in a routine audit and removed.

But doing this across every SaaS app is significantly harder. Not only do you need a comprehensive and up-to-date inventory, you need to be an app admin for every app (not always the case for self-adopted apps), and the specific app needs to give you the control to restrict and remove OAuth grants on behalf of users in your tenant.

Think about how the typical AI app operates. If you want it to effectively automate workflows (pull data from one app, aggregate and analyze it in another, present that information in a document, dashboard, or presentation, and then distribute it), that is a fair few integrations in just one workflow. MCP connections use OAuth to achieve this interconnectivity in the same way as any other SaaS app.

We used to talk about automation apps like Zapier as being a goldmine for attackers. Well, AI apps are on their way to being even more interconnected, more frequently used, and more flexible in terms of how attackers can abuse them.

Illustrative example of SaaS OAuth sprawl, from primary enterprise cloud, to core apps, to wider SaaS. AI apps are highlighted orange.

What security teams should do now

Lock down OAuth consent. Adopt a default-deny approach to allowing users to consent to new integrations in your primary enterprise apps. This is the same principle we recently recommended for browser extension management: users should not be able to introduce new trust relationships without approval.

Audit what is already connected. Regularly audit the OAuth integrations already in your environment to ensure they are still actually required. Every integration expands your attack surface and could potentially grant an attacker extensive access.

Think beyond Google and Microsoft. Controlling OAuth in your primary enterprise cloud is necessary but not sufficient. SaaS-to-SaaS connections are less visible and often have fewer controls. You need visibility into OAuth grants happening across every app.

Remember, this isn't solely a shadow AI problem, even though AI adoption is contributing significantly to the sprawl.
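
One way to run the audit and default-deny review described above over exported grant records, as an added example that is not part of the original article or Push's product. The record fields follow the Token resource of the Google Admin SDK Directory API; the allowlist, the set of scopes treated as sensitive, and all sample records are assumptions constructed for illustration.

```python
# Added example: audit OAuth grants against a default-deny allowlist.
# Records use the Token resource fields of the Google Admin SDK Directory
# API (userKey, clientId, displayText, scopes). All values are constructed.
from collections import defaultdict

# Assumption: scopes this organization treats as high impact.
SENSITIVE_SCOPES = {
    "https://mail.google.com/",
    "https://www.googleapis.com/auth/drive",
    "https://www.googleapis.com/auth/admin.directory.user",
}
# Assumption: client IDs that passed admin review (hypothetical values).
APPROVED_CLIENTS = {"1111-crm.apps.googleusercontent.com"}

SAMPLE_GRANTS = [  # constructed sample data
    {"userKey": "alice@example.com", "clientId": "1111-crm.apps.googleusercontent.com",
     "displayText": "Approved CRM", "scopes": ["openid", "email"]},
    {"userKey": "bob@example.com", "clientId": "2222-trial.apps.googleusercontent.com",
     "displayText": "AI Notes Trial",
     "scopes": ["email", "https://www.googleapis.com/auth/drive"]},
    {"userKey": "carol@example.com", "clientId": "2222-trial.apps.googleusercontent.com",
     "displayText": "AI Notes Trial", "scopes": ["https://mail.google.com/"]},
    {"userKey": "dave@example.com", "clientId": "3333-cal.apps.googleusercontent.com",
     "displayText": "Calendar Widget", "scopes": ["openid"]},
]

def audit_grants(grants, approved=APPROVED_CLIENTS, sensitive=SENSITIVE_SCOPES):
    """Group grants per app; report unapproved apps and sensitive scopes."""
    apps = defaultdict(lambda: {"name": "", "users": set(), "scopes": set()})
    for g in grants:
        app = apps[g["clientId"]]
        app["name"] = g.get("displayText", "")
        app["users"].add(g["userKey"])
        app["scopes"].update(g.get("scopes", []))
    findings = []
    for client_id, app in apps.items():
        risky = sorted(app["scopes"] & sensitive)
        unapproved = client_id not in approved
        if unapproved or risky:  # approved apps are still listed on scope creep
            findings.append({"clientId": client_id, "name": app["name"],
                             "users": sorted(app["users"]),
                             "unapproved": unapproved, "sensitive_scopes": risky})
    # Unapproved apps holding sensitive scopes first, then widest user reach.
    findings.sort(key=lambda f: (not (f["unapproved"] and f["sensitive_scopes"]),
                                 -len(f["users"])))
    return findings

if __name__ == "__main__":
    for f in audit_grants(SAMPLE_GRANTS):
        print(f["name"], f["users"], f["sensitive_scopes"], f["unapproved"])
```

Findings at the top of the list are the first candidates for revocation; unapproved apps with only basic sign-in scopes still appear, because under default-deny they represent a trust relationship nobody reviewed.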

How Push Security can help

As we have established, there are quite a few pieces to this puzzle. Push Security can help with all of them.

Push observes every app login your employees make in their browser, building a comprehensive picture of SaaS and AI use across your organization. This includes how they are logging in and how secure the login is: did it have MFA, what kind of MFA, was it using a weak or compromised password, did they use SSO, and so on.

Push also tracks OAuth integrations in your environment and gives you the ability to control and remove them, providing a single platform to view, manage, and secure app use across your organization.

Analyse OAuth integrations, including permissions, user count, and other useful metadata using Push.
Easily delete unwanted integrations with Push.

This makes it easy to surface both vulnerabilities and possible control gaps, and do something about them.

But where Push really excels is in the ability to monitor and block OAuth connection requests even outside of your primary enterprise apps. Using Push, you can detect and block OAuth integration requests as they traverse the browser.

This app-agnostic level of control is truly vital to halting OAuth integration sprawl.

Push's browser-based security platform also detects and blocks browser-based attacks like AiTM phishing, credential stuffing, malicious browser extensions, device code phishing, ClickFix, and session hijacking in real time, including some of the most prominent infostealer delivery vectors (the source of Context.ai's breach).

Push analyzes every web page in every browser session and tab for threats, in real time, with no latency.

Learn more about how to secure Shadow AI with Push, and book time with our team for a live demo.

Sponsored and written by Push Security.

