Toxic Combinations: When Cross-App Permissions Stack into Risk
تزايد "التركيبات السامة": كيف كايخلقو تراخيص الذكاء الاصطناعي بين التطبيقات مخاطر مخفية
The Rise of Toxic Combinations: How Cross-App AI Permissions Create Invisible Risks
TL;DR: A major data exposure at Moltbook has highlighted "toxic combinations"—security risks born when AI agents or integrations bridge multiple SaaS applications. Because traditional security reviews examine apps in isolation, these cross-app bridges create blind spots that allow attackers to hijack credentials and data across entire ecosystems.
On January 31, 2026, researchers disclosed a significant security failure at Moltbook, a social network designed specifically for AI agents. The platform had left its database exposed, leaking 35,000 email addresses and 1.5 million API tokens belonging to 770,000 active agents.
While the sheer volume of tokens was concerning, the true danger lay within the agents' private messages. These conversations contained plaintext third-party credentials, including OpenAI API keys, stored in the same unencrypted tables as the tokens required to hijack the agents themselves. This incident serves as a textbook example of a "toxic combination"—a structural vulnerability where no single application is "broken," but the connection between them creates a catastrophic risk.
Anatomy of a Toxic Combination
A toxic combination occurs when a permission breakdown happens across two or more applications, bridged by an AI agent, an integration, or an OAuth grant. These risks are rarely the result of one bad decision; instead, they emerge when:
- An AI agent or connector bridges two apps (e.g., connecting a code editor to Slack).
- Each side of the bridge appears secure in isolation.
- No single application owner has authorized or even seen the resulting "trust relationship."
For example, a developer might use an MCP (Model Context Protocol) connector to post code snippets from their IDE to a Slack channel. The Slack admin approves the bot, and the IDE admin approves the outbound connection. However, neither reviews the total risk: prompt injections in the IDE could now leak code to Slack, or malicious instructions in Slack could flow back into the IDE’s context.
Why Traditional Access Reviews Fail
Most Organizations still perform SaaS access reviews on a per-application basis. This method is increasingly ineffective against modern environments for several reasons:
- Non-Human Identities: SaaS environments are now flooded with service accounts, bots, and AI agents that outnumber human users.
- Runtime Relationships: Trust relationships are now formed at the moment of use (via OAuth or MCP) rather than during formal provisioning.
- The Telemetry Gap: According to the Cloud Security Alliance’s State of SaaS Security 2025 report, 56% of organizations are concerned about over-privileged API access in SaaS-to-SaaS integrations.
When a token holds scopes across multiple applications that were never provisioned through a central identity system, answering "what can this identity actually do?" becomes nearly impossible for manual reviewers.
Strategies for Closing the Gap
To mitigate these risks, security teams must shift their focus from reviewing individual apps to reviewing the "bridges" between them. Key areas for improvement include:
| Area to Review | Practical Implementation |
|---|---|
| Non-human Inventory | Maintaining a register of every AI agent, bot, and MCP server with a designated owner. |
| Cross-app Scope Grants | Flagging instances where an identity gains "Write" permissions in one app while already holding "Read" scopes in another. |
| Bridge Review | Creating an audit trail for every connector that explicitly names the trust relationship between the two linked systems. |
| Runtime Monitoring | Watching for "drift" where an identity suddenly begins operating across a new combination of apps. |
The Role of Dynamic SaaS Security Platforms
Because manual review cannot scale with the speed of OAuth "consent clicks," organizations are turning to Dynamic SaaS Security Platforms (SSPs) like Reco.
Unlike traditional Identity Governance and Administration (IGA) tools that look at static roles, dynamic platforms continuously monitor the runtime graph. By mapping how identities, permissions, and data flow across the entire SaaS environment, these platforms can treat a combination of scopes across Slack, Google Drive, and Salesforce as a single exposure rather than three separate, "safe" approvals.
As AI agents continue to automate workflows, the next major breach likely won't involve a complex zero-day exploit. Instead, it will look like an authorized agent doing exactly what it was "allowed" to do—moving data across a bridge that security teams didn't know existed.
Source: Toxic Combinations: When Cross-App Permissions Stack into Risk
