Tag

Account Takeover

All articles tagged with #account takeover

technology · 5 months ago

Lovense Faces Privacy Breach with User Email Leak and Account Risks

Lovense, a major maker of internet-connected sex toys, failed to fully fix security flaws that exposed users' email addresses and allowed account takeovers, risking privacy and safety, especially for vulnerable users like cam models. The bugs were disclosed by security researcher BobDaHacker, who received a bug bounty but went public after Lovense delayed fixing the issues for 14 months.

saas-security · 6 months ago

Ongoing Risk of nOAuth Vulnerability in Microsoft Entra SaaS Apps

Research reveals that 9% of Microsoft Entra SaaS apps remain vulnerable to nOAuth abuse, a flaw in how apps implement OpenID Connect that can lead to account hijacking and data breaches, despite the issue being disclosed two years ago. The abuse relies on cross-tenant access combined with apps trusting unverified email claims as user identifiers, and Microsoft is urging developers to implement authentication correctly to prevent exploitation.

technology · 7 months ago

Over 46,000 Grafana Instances Vulnerable to Account Takeover

Over 46,000 Grafana instances remain unpatched despite a critical vulnerability (CVE-2025-4123) that allows attackers to execute malicious plugins and hijack accounts through a client-side open redirect flaw. The vulnerability, discovered by Alvaro Balada and addressed in May, affects multiple versions, but many remain vulnerable, posing a significant security risk. Upgrading to the latest secure versions is recommended to mitigate potential exploits.

cybersecurity · 1 year ago

Security Risks in ChatGPT Plugins Expose Data and Accounts

Third-party plugins for OpenAI ChatGPT could be exploited by threat actors to hijack accounts on third-party websites, such as GitHub, and access sensitive data. Security flaws in ChatGPT and its ecosystem, including OAuth manipulation and zero-click account takeover vulnerabilities, have been uncovered by Salt Labs. Additionally, a new side-channel attack has been identified that lets attackers recover encrypted responses from AI assistants by inferring token lengths from network traffic. Countermeasures such as random padding and transmitting tokens in larger groups are recommended to reduce the effectiveness of the side-channel attack.

technology-law-enforcement · 1 year ago

State Attorneys General Demand Meta Improve Support for Hacking Victims

Forty-one state attorneys general have written a letter to Meta's top attorney expressing concern over the surge in complaints about Facebook and Instagram account takeovers, which are draining law enforcement resources. The officials demand immediate action to mitigate the threat, citing instances of financial crimes tied to stolen accounts and scammers running ads on the platforms. Meta insists it invests heavily in enforcement and detection tools, but the attorneys general argue that the company needs to take proper action to protect users from account takeovers and associated fraudulent activities.

software-security · 2 years ago

GitLab Issues Critical Patch for Zero-Click Account Takeover Vulnerability

GitLab has released security updates to address two critical vulnerabilities, including one that could lead to account takeover without user interaction. The flaw, tracked as CVE-2023-7028, affects self-managed instances of GitLab Community Edition and Enterprise Edition. Another critical flaw (CVE-2023-5356) was also patched; it allowed a user to abuse Slack/Mattermost integrations. Users are advised to upgrade to a patched version as soon as possible and to enable 2FA, especially for accounts with elevated privileges.

cybersecurity · 2 years ago

EvilProxy Phishing Campaign Exploits Microsoft 365 Users and Executives

EvilProxy, a popular phishing platform, has been used in a large-scale campaign targeting Microsoft 365 accounts. Researchers have observed 120,000 phishing emails sent to over a hundred organizations, primarily impacting high-ranking executives. EvilProxy employs reverse proxies to steal authentication cookies and bypass multi-factor authentication. The campaign impersonates popular brands and utilizes open redirections to evade detection. Once an account is compromised, the threat actors establish persistence by adding their own multi-factor authentication method. Organizations are advised to increase security awareness, implement stricter email filtering rules, and adopt FIDO-based physical keys to defend against this growing threat.