A five-step flaw chain in the popular automation service, now patched, could have let a single attacker act as any signed-in user across thousands of connected apps.