Unsafe Consumption of APIs
摘要
On August 20, 2025, cybersecurity teams across Fortune 500 companies scrambled to assess the damage from one of the most sophisticated supply chain attacks in API security history. Google's Threat Intelligence Group had just revealed that attackers had systematically compromised Salesforce instances through a trusted third-party integration—Salesloft Drift. The breach didn't exploit a vulnerability in Salesforce itself, nor did it require sophisticated zero-day exploits. Instead, attackers leveraged something far more insidious: the implicit trust that developers place in third-party API responses.