A recent Salesforce security advisory highlighted a growing challenge facing security teams: the risks posed by trusted third-party SaaS applications.

The advisory disclosed unusual activity involving the Klue Battlecards application, a third-party integration that connects to Salesforce using OAuth permissions. While the issue was not caused by a vulnerability in Salesforce itself, it serves as another reminder that attackers increasingly target trusted SaaS integrations rather than the SaaS platforms they connect to.

The rise in SaaS supply chain security attacks

Over the past few years, incidents involving vendors such as Gainsight and Salesloft Drift have demonstrated how attackers can abuse trusted application relationships to gain access to sensitive enterprise data. Rather than attacking the SaaS platform directly, attackers target connected applications that already possess authorized access.

For security teams, the challenge is rarely the SaaS platform itself. The challenge is understanding which third-party applications have access to business-critical data, what permissions they have been granted, and how quickly organizations can assess exposure when an incident occurs.

The Salesforce-Klue incident is a good example of why visibility into SaaS integrations has become an essential part of modern SaaS security.

What role did OAuth play in the Salesforce-Klue incident?

OAuth was the trust mechanism that allowed the Klue Battlecards application to access Salesforce data on behalf of authorized users. When organizations connect third-party applications to Salesforce, they typically grant OAuth permissions that allow those applications to access specific Salesforce resources and APIs. If a connected application becomes compromised, attackers may be able to abuse those existing permissions to access sensitive data through legitimate channels without exploiting a vulnerability in Salesforce itself.

Figure 1. Salesforce-Klue Attack Path
Figure 1 caption: OAuth enables third-party applications to access SaaS platforms on behalf of users. While this simplifies integrations, it also creates a trust relationship that attackers can exploit if a connected application becomes compromised.

In the Salesforce-Klue incident, Salesforce reported unusual activity involving the Klue Battlecards application and subsequently disabled the integration. While the complete details of the attack have not been publicly disclosed, the incident highlights a broader security challenge: organizations often have limited visibility into the third-party applications connected to their SaaS environments, the permissions those applications have been granted, and the data they can access.

This is why third-party application governance has become a critical component of SaaS security. Security teams need visibility not only into the SaaS platform itself, but also into the ecosystem of connected applications that may have access to sensitive business data.

How to discover the Klue integration in your environment

The first challenge during any OAuth-related incident is determining whether the affected application exists in your environment.

The screenshot below shows how Zscaler SaaS Security discovers the Klue Battlecards integration connected to Salesforce and provides visibility into its permissions, access level, and risk profile.

Figure 2. Klue Battlecards Integration Discovered by Zscaler SaaS Security
Figure 2 caption: Zscaler SaaS Security provides visibility into the Klue Battlecards integration, including access type, permissions granted, and overall risk profile.

As shown in Figure 2, security teams can immediately identify:

- The connected application
- Platform association (Salesforce)
- Access type
- Risk score
- Permission scope
- OAuth permissions granted

Most importantly, teams can quickly determine whether they are potentially affected when incidents like this are disclosed.

The Klue integration, for example, shows permissions such as Full Access, API Access, Refresh Tokens, Offline Access, and User Data Access. Understanding these permissions is critical because they help security teams assess the potential impact of a compromised application and determine the appropriate remediation actions.

How Zscaler provides visibility and accelerates incident response times

When incidents like this are disclosed, security teams immediately need answers to a few critical questions:

- Do we have the affected application installed?
- Which users authorized it?
- What permissions were granted?
- Does it have access to sensitive data?
- What is the potential blast radius?
- Can we quickly revoke access if necessary?

Without centralized visibility, answering these questions can take hours or even days.

Zscaler SaaS Security continuously discovers and inventories third-party applications, OAuth integrations, browser extensions, and SaaS add-ons connected across major SaaS platforms. It provides visibility into more than 150,000 third-party add-ons and integrations, helping organizations understand exactly which applications have access to their SaaS environments.
Managing SaaS application permission sprawl and exposure

One of the most common challenges with OAuth-connected applications is permission sprawl. Applications often accumulate permissions over time or retain access long after they are needed.

Zscaler SaaS Security helps organizations identify:

- Overprivileged applications
- Dormant applications
- Potentially harmful applications
- Unsanctioned third-party integrations

This allows security teams to proactively reduce their attack surface before attackers exploit trusted connections.

Beyond discovering risky applications, organizations also need to understand exposure. Which users authorized the application? What data can it access? How significant is the potential impact?

Zscaler Unified SaaS Security correlates applications, users, posture findings, and data exposure to provide a more complete understanding of risk. This helps security teams quickly assess blast radius and prioritize remediation efforts.

Why continuous monitoring matters

The Salesforce-Klue incident is another reminder that SaaS security is not a one-time activity. Applications evolve. Permissions change. Risk profiles increase. What may have been considered a low-risk integration a year ago may represent a significantly different risk today.

Zscaler SSPM continuously monitors SaaS environments for posture changes, risky configurations, and configuration drift, helping organizations identify new exposures and reduce the risk of security incidents.
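The two preceding sections describe the same workflow from two angles: the incident-day questions (is the affected app present, who authorized it, what scopes does it hold, what is the blast radius) and the steady-state hygiene checks (overprivileged and dormant grants). The script below is an added example written for this page, not Zscaler's or Salesforce's code. It runs the triage and the sprawl checks over a small inventory of OAuth grants that is constructed inline; the permission labels are the ones the article lists, the per-scope risk weights and the 90-day dormancy threshold are assumptions, and in a real deployment the inventory would be loaded from the SaaS platform's connected-app records rather than hard-coded.

```python
"""Post-advisory triage of OAuth-connected apps and permission-sprawl review.

Added example for this article; not Zscaler's or Salesforce's code.
The inventory, risk weights and dormancy threshold are constructed assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Permission labels as the article lists them. Weights are an assumption used
# only to rank exposure; "Full Access" dominates because it covers all data.
SCOPE_RISK = {
    "Full Access": 5,
    "API Access": 3,
    "Refresh Tokens": 2,   # token survives session logout until revoked
    "Offline Access": 2,   # app can act without the user being present
    "User Data Access": 2,
}

# Grants that keep working without a live user session; revocation must cover
# these explicitly, otherwise forcing user re-login does nothing.
PERSISTENT_SCOPES = {"Refresh Tokens", "Offline Access"}


@dataclass(frozen=True)
class Grant:
    app: str              # connected application name
    user: str             # user who authorized the connection
    scopes: frozenset     # permission labels granted at authorization time
    last_used: datetime   # last API use observed for this grant


# Constructed sample inventory (fictitious users, not real data).
NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)
INVENTORY = [
    Grant("Klue Battlecards", "alice@example.com",
          frozenset({"Full Access", "API Access", "Refresh Tokens", "Offline Access"}),
          NOW - timedelta(days=2)),
    Grant("Klue Battlecards", "bob@example.com",
          frozenset({"API Access", "Refresh Tokens", "Offline Access", "User Data Access"}),
          NOW - timedelta(days=40)),
    Grant("Legacy Report Exporter", "carol@example.com",
          frozenset({"Full Access", "Refresh Tokens", "Offline Access"}),
          NOW - timedelta(days=200)),
    Grant("Calendar Sync", "dave@example.com",
          frozenset({"User Data Access"}),
          NOW - timedelta(days=1)),
]


def triage(inventory, affected_app):
    """Answer the incident questions for one named application.

    Returns presence, the authorizing users, the union of granted scopes,
    a blast-radius score (scope risk sum x number of users) and the
    response actions the scope set implies.
    """
    grants = [g for g in inventory if g.app == affected_app]
    users = sorted({g.user for g in grants})
    scopes = set().union(*(g.scopes for g in grants))
    blast_radius = sum(SCOPE_RISK.get(s, 1) for s in scopes) * len(users)

    actions = []
    if grants:
        actions.append(f"revoke every token issued to {affected_app}")
        if scopes & PERSISTENT_SCOPES:
            actions.append("revocation must include refresh/offline tokens; "
                           "ending user sessions alone is insufficient")
        if "Full Access" in scopes:
            actions.append("review API activity of the authorizing users for bulk reads "
                           "and exports during the exposure window")
    return {
        "present": bool(grants),
        "users": users,
        "scopes": sorted(scopes),
        "blast_radius": blast_radius,
        "actions": actions,
    }


def sprawl_findings(inventory, now, dormant_days=90):
    """Flag overprivileged and dormant grants for routine cleanup."""
    findings = []
    for g in inventory:
        if "Full Access" in g.scopes:
            findings.append((g.app, g.user, "overprivileged: Full Access granted"))
        if now - g.last_used > timedelta(days=dormant_days):
            findings.append((g.app, g.user, f"dormant: unused for more than {dormant_days} days"))
    return findings


if __name__ == "__main__":
    report = triage(INVENTORY, "Klue Battlecards")
    print(f"present={report['present']} users={report['users']} "
          f"blast_radius={report['blast_radius']}")
    for action in report["actions"]:
        print(" -", action)
    for app, user, note in sprawl_findings(INVENTORY, NOW):
        print(f"{app} ({user}): {note}")
```

The blast-radius score is deliberately coarse: it exists to order the response queue when several vendors are affected at once, not to measure data loss. The one behaviour worth copying regardless of tooling is the refresh-token check: a grant that carries Refresh Tokens or Offline Access keeps working after the user logs out, so the response must revoke the app's tokens rather than rely on session expiry.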
Final Thoughts

The Salesforce-Klue incident reinforces an important lesson: attackers increasingly target trusted third-party applications rather than the SaaS platforms themselves.

Organizations need visibility not only into SaaS configurations, but also into the applications, permissions, users, and data connected to those platforms.

When a security advisory is released, security teams should be able to immediately answer:

- Do we have the affected application?
- What permissions does it have?
- Which users authorized it?
- What data can it access?
- How quickly can we respond?

With Zscaler SaaS Security, organizations can discover third-party applications, assess risk, understand exposure, and rapidly respond when incidents occur, all from a single platform. To learn more about how Zscaler can help your organization respond to incidents like Salesforce-Klue, request a demo.

FAQ

What happened in the Salesforce-Klue security incident?

The Salesforce-Klue incident involved attackers compromising Klue's integration infrastructure and stealing OAuth tokens used to connect customer Salesforce environments to the Klue Battlecards platform. According to public reporting, the attackers used those tokens to access Salesforce data through legitimate APIs, resulting in data exposure at multiple organizations, including several cybersecurity firms. Salesforce subsequently disabled the Klue integration after detecting unusual activity and stated that the issue was limited to the Klue application connection rather than a vulnerability in the Salesforce platform itself.

What is an OAuth-based SaaS supply chain attack, and why is it so dangerous?

In an OAuth-driven supply chain attack, adversaries exploit the trust established between a SaaS environment and a connected third-party tool. Bad actors compromise an application and use its existing authorized credentials to move through legitimate API channels and harvest sensitive enterprise information.
In this way, bad actors don't need to target the primary SaaS infrastructure directly.

How can organizations find out if the Klue Battlecards integration is connected to their Salesforce environment?

Organizations can review connected applications within Salesforce or use a SaaS security solution such as Zscaler SaaS Security to discover OAuth-connected applications. Continuous visibility into third-party integrations helps security teams quickly identify whether applications like Klue Battlecards are present and assess their associated risks.

What permissions does the Klue Battlecards Salesforce integration use, and why do they matter?

The Klue Battlecards integration can be granted permissions such as API Access, Full Access, Refresh Tokens, Offline Access, and User Data Access. These permissions matter because they determine what data an application can access and the potential impact if the application becomes compromised.

How should security teams respond when a third-party SaaS integration is compromised?

Security teams should immediately identify affected applications, review granted permissions, determine which users authorized the integration, assess potential data exposure, and revoke access if necessary. Organizations should also investigate related activity, rotate credentials where appropriate, and evaluate the overall blast radius of the compromise.