Security News

New open-source project takeover attacks spotted, stymied
2024-04-16 13:07

"The OpenJS Foundation Cross Project Council received a suspicious series of emails with similar messages, bearing different names and overlapping GitHub-associated emails," OpenJS Foundation and Open Source Security Foundation leaders shared on Monday. "These emails implored OpenJS to take action to update one of its popular JavaScript projects to 'address any critical vulnerabilities,' yet cited no specifics. The email author(s) wanted OpenJS to designate them as a new maintainer of the project despite having little prior involvement."

Third-Party ChatGPT Plugins Could Lead to Account Takeovers
2024-03-15 11:34

Cybersecurity researchers have found that third-party plugins available for OpenAI ChatGPT could act as a new attack surface for threat actors looking to gain unauthorized access to sensitive...

Researchers Detail Kubernetes Vulnerability That Enables Windows Node Takeover
2024-03-14 11:59

Details have been made public about a now-patched high-severity flaw in Kubernetes that could allow a malicious attacker to achieve remote code execution with elevated privileges under specific...

We're not Meta support: State AGs tell Zuck to fix rampant account takeover problem
2024-03-07 21:45

A group of 41 US state attorneys general, tired of serving as a customer complaint clearinghouse for Facebook and Instagram users, have sent a letter to Meta asking it to figure out how to reduce a "dramatic and persistent spike" in account takeovers. In a letter [PDF] dated March 5, the AGs said their offices have received skyrocketing numbers of complaints from Facebook and Instagram users about account takeovers and lockouts since 2022.

Critical JetBrains TeamCity On-Premises Flaws Could Lead to Server Takeovers
2024-03-05 03:34

A new pair of security vulnerabilities have been disclosed in JetBrains TeamCity On-Premises software that could be exploited by a threat actor to take control of affected systems. The flaws,...

Critical JetBrains TeamCity On-Premises Flaw Exposes Servers to Takeover - Patch Now
2024-02-07 05:05

JetBrains is alerting customers of a critical security flaw in its TeamCity On-Premises continuous integration and continuous deployment (CI/CD) software that could be exploited by threat actors...

Lagging Mastodon admins urged to patch critical account takeover flaw (CVE-2024-23832)
2024-02-06 09:54

Five days after Mastodon developers pushed out fixes for a remotely exploitable account takeover vulnerability, over 66% of Mastodon servers out there have been upgraded to close the hole. Mastodon is open-source software for running self-hosted social networking services within the wider Fediverse.

Over 5,300 GitLab servers exposed to zero-click account takeover attacks
2024-01-24 17:55

Over 5,300 internet-exposed GitLab instances are vulnerable to CVE-2023-7028, a zero-click account takeover flaw GitLab warned about earlier this month. The critical flaw allows attackers to send password reset emails for a targeted account to an attacker-controlled email address, allowing the threat actor to change the password and take over the account.

New method to safeguard against mobile account takeovers
2024-01-22 10:54

Computer science researchers have developed a new way to identify security weaknesses that leave people vulnerable to account takeover attacks, where an attacker gains unauthorized access to online accounts. Dr Luca Arnaboldi from the University of Birmingham's School of Computer Science worked with Professor David Aspinall from the University of Edinburgh, Dr Christina Kolb from the University of Twente, and Dr Sasa Radomirovic from the University of Surrey to define a way of cataloging security vulnerabilities and modeling account takeover attacks by reducing them to their constituent building blocks.

Patch time: Critical GitLab vulnerability exposes 2FA-less users to account takeovers
2024-01-15 17:36

Attackers targeting vulnerable self-managed GitLab instances could use a specially crafted HTTP request to send a password reset email to an attacker-controlled, unverified email address. Users with 2FA enabled aren't vulnerable to account takeover unless the attacker also controls the 2FA authenticator, though the password reset itself could still be achieved.
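The two GitLab items above describe the same bug class: a password reset flow that lets the requester, rather than the account record, decide where the reset token is mailed. The following is an added illustration written for this page, not GitLab's code and not a reproduction of the actual CVE-2023-7028 request; the user store, mailer, and the request shape (an `email` field that may arrive as a list) are assumptions constructed for the example. It shows the vulnerable handler next to a hardened one that only ever mails addresses already verified on the account it looks up.

```ruby
# Added example (not GitLab's code): a minimal password-reset flow showing
# the bug class described above - mailing a valid reset token to an
# unverified, requester-supplied address - beside the hardened version.
# Accounts, addresses, the mailer and the request shape are all constructed
# for this illustration; nothing here is taken from GitLab's implementation.
require 'securerandom'

# Constructed user store: each account has a set of verified addresses.
USERS = {
  'victim' => {
    verified: ['victim@example.com', 'victim-alt@example.com'],
  },
}

# Fake mailer that only records what would have been delivered.
class Outbox
  attr_reader :sent
  def initialize; @sent = []; end
  def deliver(to, token); @sent << { to: to, token: token }; end
end

def lookup_by_email(email)
  USERS.values.find { |u| u[:verified].include?(email) }
end

# VULNERABLE: the recipient list comes straight from the request. The
# account is resolved from the first address, but every listed address
# receives the same valid token, so a request carrying the victim's
# address followed by an attacker-controlled one leaks the token.
def request_reset_vulnerable(params, outbox)
  emails = Array(params['email'])
  user = lookup_by_email(emails.first)
  return :no_such_user unless user

  token = SecureRandom.hex(16)
  emails.each { |e| outbox.deliver(e, token) }
  :sent
end

# HARDENED: accept exactly one string address, resolve the account from it,
# and mail only addresses already verified on that account. The value the
# requester supplied is used for lookup only, never as a recipient.
def request_reset_hardened(params, outbox)
  email = params['email']
  return :bad_request unless email.is_a?(String)
  user = lookup_by_email(email)
  # Identical response whether or not the account exists, so the endpoint
  # does not double as a username/email enumeration oracle.
  return :sent unless user

  token = SecureRandom.hex(16)
  user[:verified].each { |e| outbox.deliver(e, token) }
  :sent
end

# Recipients that are not verified addresses of the given account, i.e.
# addresses that could only have come from the request.
def leaked_recipients(outbox, user)
  outbox.sent.map { |m| m[:to] }.reject { |to| user[:verified].include?(to) }
end

if __FILE__ == $PROGRAM_NAME
  # Constructed crafted request: victim's address plus an attacker address.
  crafted = { 'email' => ['victim@example.com', 'attacker@evil.test'] }

  v = Outbox.new
  request_reset_vulnerable(crafted, v)
  puts "vulnerable mailed: #{v.sent.map { |m| m[:to] }.inspect}"

  h = Outbox.new
  puts "hardened result:   #{request_reset_hardened(crafted, h).inspect}"
end
```

The hardening is the check a reviewer should look for in any reset endpoint: the set of recipients is derived from the account record after lookup, and the request value is never allowed to widen it. The 2FA caveat in the item above still applies: resetting the password on a 2FA-protected account does not by itself yield a login, but it is still an unwanted state change the hardened handler prevents.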