Risky Bulletin – Srsly Risky Biz: Exploiting Authorization Sprawl is the New Black

Host: Amberly Jack
Guest: Tom Uren (Policy and Intelligence Editor)
Date: September 11, 2025

Overview

In this episode, Amberly Jack and Tom Uren discuss two major cybersecurity developments:

1. The recent Salesloft Drift breach as a key example of "authorization sprawl," where attackers exploit interconnected accounts and services using stolen authentication tokens, creating a massive "blast radius" far beyond an initial point of compromise.
2. Apple’s newly-announced “memory integrity enforcement” feature, how it targets a longstanding class of software vulnerabilities, and what this shows about Apple's approach to device security.

The show provides a nuanced exploration of modern cyber threats, shifting attacker tactics, and both the challenges and progress involved in defending complex ecosystems.

Main Discussion Points & Insights

1. The Salesloft Drift Breach: Anatomy of Authorization Sprawl

Incident Breakdown:

• Attackers compromised Salesloft’s GitHub account, pivoted into Salesloft’s AWS environment, and obtained an authentication token.
• Using this token, they accessed the Salesforce instances of Salesloft Drift customers, impacting a broad range of organizations.
• Notably, Cloudflare (an affected company) published an unusually detailed post-mortem, shedding light on attack mechanics and fallout.

Key Points:

• Shift in Attacker Tactics (01:13–03:00):

  • “It's not hacking a device... This is much more, let's get an authentication token and just use the authorities or privileges that that token has to move through the network.” – Tom Uren [01:16]
  • Modern attacks often forgo traditional exploits or device compromises, instead moving laterally and exploiting the legitimate privileges attached to existing tokens.

• Blast Radius and Unintended Exposure (03:00–06:30):

  • Attackers enumerated Cloudflare's Salesforce environment, testing rate limits before extracting maximum data without triggering alarms.
  • Stolen data included customer communications, API keys, and authentication credentials. The degree of exposure varied based on how each company used Salesloft Drift and what data/chats included.
  • “We've gone from the compromise of Salesloft's GitHub to potentially the compromise of all sorts of different things... it could be, you know, passwords, AWS keys, who knows? So it's become a potentially very, very broad, quite unscoped [impact].” – Tom Uren [05:54]

• Transparency as a Learning Opportunity (06:30–07:25):

  • Unusually, both the breached SaaS provider and a key customer shared extensive details, making this a rare, instructive case study in authorization sprawl.

Why More of These Attacks Are Expected (07:25–08:34):

• Monitoring for illicit use of legitimate tokens is far less mature than endpoint detection for classic exploits.
• “There’s not a lot of security tools that are optimized to figure out is this legitimate authentication token being used correctly or maliciously... it sidesteps a lot of traditional protections.” – Tom Uren [07:46]
• Existing controls and best practices are “not necessarily the done things and they’re all more work” [08:48].

On Defensive Recommendations:

• Cloudflare and Salesloft issued remediation advice; other experts highlight the need for tighter privilege controls, monitoring, and review of SaaS integrations, but adoption is slow.

• “The nature of these things is that people get bitten and then they adjust their behavior.” – Tom Uren [09:16]

• “[Attackers] will also be learning off this case study... it’s inevitable fun times, not ideal.” – Tom Uren [09:03]

2. Apple’s Memory Integrity Enforcement: A Quiet Security Leap

Feature Announcement:

• Apple introduced “memory integrity enforcement” with its latest chips, blending hardware and software mitigations to thwart memory corruption attacks.

Background (10:19–12:05):

• Memory manipulation—“fiddling with the way it stores memory”—is a foundational technique for software exploits, prevalent for over 50 years.
• Recent governmental push (especially in the US and allied countries) for adoption of memory-safe programming languages.

Significance and Impact:

• While high-profile malware like NSO Group’s Pegasus uses such memory attacks, only a tiny segment of Apple’s vast user base is typically at risk.
• “They’re doing all this work really to cut off the, reduce the risk for a small number of people and there’s no real business case for that.” – Tom Uren [13:05]

Why Does Apple Bother?

• “I think they've got it in their sort of corporate culture. I think they just believe in doing it. I think they've got the money to do it.” – Tom Uren [13:35]
• Rare example where major security advancement doesn’t hinder profitability or user experience, so Apple pursues it as a long-term benefit.

How the Work Unfolded (15:05–16:20):

• “The culmination of at least five years of work... From an offensive point of view, they have a research team that was constantly attacking... what they thought they were building.” – Tom Uren [15:06]
• Apple’s engineering teams used “iterative attack and defense” against simulated and prototype devices, steadily eliminating classes of vulnerabilities before they could be abused in the wild.

What It Means for Users and Industry:

• This doesn’t make iPhones “impregnable” but raises the bar for attackers—especially state-backed and mercenary actors.
• The security benefits are expected to “work their way into other products as well” as competitors copy these techniques [16:50].

Memorable Quotes & Moments

• On Authorization Sprawl as the “New Black”

  • “Single impact, but massive blast radius.” – Tom Uren (paraphrased by Amberly) [00:55]

• On Data Leakage Potential

  • “So in the course of normal discussion with their customers, people had shared... secrets or authentication tokens that could allow the threat actor to do something else.” – Tom Uren [05:30]

• On Industry Readiness

  • “There’s not a lot of security tools that are optimized to figure out is this legitimate authentication token being used correctly or maliciously... it sidesteps a lot of traditional protections and it’s a greenfields opportunity for threat actors.” – Tom Uren [07:46]

• On Apple’s Security Philosophy

  • “I think they've got it in their sort of corporate culture. I think they just believe in doing it. I think they've got the money to do it.” – Tom Uren [13:35]
  • “This allowed us to identify and eradicate entire attack strategies and techniques before attackers could ever discover them.” – (Apple, quoted by Tom Uren) [15:49]

Important Segment Timestamps

• 00:38 – 07:25: Deep dive into the Salesloft Drift breach, step-by-step attack path, and its wider implications.
• 07:25 – 10:09: Discussion on the rising trend and defensive challenges of authorization sprawl.
• 10:09 – 17:30: Apple’s memory integrity enforcement: what it is, why it matters, and the long-term impact.

Overall Tone and Takeaways

Amberly and Tom focus on clear, accessible explanations of complex cybersecurity issues, blending technical clarity with practical policy and industry context. The conversation is collegial, lightly humorous (“fun times, not ideal”), but grounded in the urgency of modern digital risks.

For defenders and decision-makers, the message is clear:

• The classic “breach one, breach many” risk of interconnected services must be addressed with new detection and privilege management strategies.
• Security investments, even for a minority of high-risk users, can yield broad and lasting improvements for the wider ecosystem.

End of summary.