Vercel breach highlights AI tool OAuth security risks
VentureBeat
A recent breach at Vercel, a cloud platform for Next.js, exposed significant security vulnerabilities stemming from an employee's use of a third-party AI tool, Context.ai. The attacker gained access through an OAuth grant with broad permissions, which was inherited when Context.ai was compromised. This allowed the attacker to pivot into Vercel's production environment by exploiting unclassified environment variables. The incident underscores the risks associated with AI tool integrations and inadequate OAuth scope management, as attackers can leverage compromised AI vendors to bypass traditional security measures. Vercel has since updated its security defaults and is working with authorities.
Original Source
VentureBeat — venturebeat.com