Security News

A group of 41 US state attorneys general, tired of serving as a customer complaint clearinghouse for Facebook and Instagram users, have sent a letter to Meta asking it to figure out how to reduce a "Dramatic and persistent spike" in account takeovers. In a letter [PDF] dated March 5, the AGs said their offices have received skyrocketing complaints from Facebook and Instagram users about account takeovers and lockouts since 2022.

A new pair of security vulnerabilities has been disclosed in JetBrains TeamCity On-Premises software that could be exploited by a threat actor to take control of affected systems. The flaws,...

JetBrains is alerting customers of a critical security flaw in its TeamCity On-Premises continuous integration and continuous deployment (CI/CD) software that could be exploited by threat actors...

Five days after Mastodon developers pushed out fixes for a remotely exploitable account takeover vulnerability, over 66% of Mastodon servers out there have been upgraded to close the hole. Mastodon is open-source software for running self-hosted social networking services within the wider Fediverse.

Over 5,300 internet-exposed GitLab instances are vulnerable to CVE-2023-7028, a zero-click account takeover flaw GitLab warned about earlier this month. The critical flaw allows attackers to send password reset emails for a targeted account to an attacker-controlled email address, allowing the threat actor to change the password and take over the account.

Computer science researchers have developed a new way to identify security weaknesses that leave people vulnerable to account takeover attacks, where an attacker gains unauthorized access to online accounts. Dr Luca Arnaboldi from Birmingham's School of Computer Science worked with Professor David Aspinall from the University of Edinburgh, Dr Christina Kolb from the University of Twente, and Dr Sasa Radomirovic from the University of Surrey to define a way of cataloging security vulnerabilities and modeling account takeover attacks by reducing them to their constituent building blocks.

Attackers targeting vulnerable self-managed GitLab instances could use a specially crafted HTTP request to have a password reset email sent to an attacker-controlled, unverified email address. Users with 2FA enabled are not vulnerable to account takeover, because the second factor is still required to log in, unless the attacker also controls the 2FA authenticator; the account's password could still be reset, however.
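The GitLab items above describe one bug class: a password-reset flow that delivers the reset token to an address the requester supplied rather than to an address already verified on the account. The following is an added illustration of that class and of the check that closes it; it is not GitLab's code. The form field name `user[email]`, the multi-valued request shape, and the sample user data are assumptions made for the illustration; the defensive rule (send only to a single, already-verified address on the matched account) applies however the extra address reaches the handler.

```python
"""Vulnerable vs. hardened password-reset delivery (added example, not GitLab code)."""
from dataclasses import dataclass
import secrets


@dataclass
class User:
    username: str
    primary_email: str
    verified_emails: set  # addresses the account holder has already confirmed


# Constructed sample data for the illustration.
USERS = {
    "victim": User("victim", "victim@example.com", {"victim@example.com"}),
}


def _as_list(value):
    """Normalise a form value that may arrive as a string or as a list of strings."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def find_user_by_any_email(emails):
    """Look up an account that has any of the given addresses verified."""
    for user in USERS.values():
        if any(e in user.verified_emails for e in emails):
            return user
    return None


def reset_vulnerable(form):
    """Vulnerable pattern: accept a list of addresses (assumed field name
    'user[email]'), match the account on ANY of them, then mail the reset
    token to EVERY submitted address, verified or not.
    Returns the (address, token) pairs that would be mailed."""
    emails = _as_list(form.get("user[email]"))
    user = find_user_by_any_email(emails)
    if user is None:
        return []
    token = secrets.token_urlsafe(32)
    # Bug: the attacker's unverified address receives the same token.
    return [(addr, token) for addr in emails]


def reset_hardened(form):
    """Hardened pattern: exactly one address, and the token is sent only if
    that address is already verified on the matched account.
    Returns the (address, token) pairs that would be mailed."""
    emails = _as_list(form.get("user[email]"))
    if len(emails) != 1:
        return []  # reject missing or multi-valued parameter outright
    addr = emails[0].strip().lower()
    user = find_user_by_any_email([addr])
    if user is None or addr not in user.verified_emails:
        # The caller should render the same generic "check your inbox"
        # message in every case so that this path does not enable enumeration.
        return []
    token = secrets.token_urlsafe(32)
    return [(addr, token)]


if __name__ == "__main__":
    # Constructed request: victim's address plus an attacker-controlled one.
    attack = {"user[email]": ["victim@example.com", "attacker@evil.example"]}
    print("vulnerable sends to:", [a for a, _ in reset_vulnerable(attack)])
    print("hardened sends to:  ", [a for a, _ in reset_hardened(attack)])
```

The vulnerable handler mails the attacker a valid token for the victim's account; the hardened handler refuses the multi-valued request and, even for a single address, only ever delivers to an address the account holder has already verified.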

Social engineer reveals effective tricks for real-world intrusions. In this Help Net Security interview, Jayson E. Street, Chief Adversarial Officer at Secure Yeti, discusses intriguing aspects of social engineering and unconventional methods for gathering target information.

Understanding zero-trust design philosophy and principles. In this Help Net Security interview, Phil Vachon, Head of Infrastructure in the Office of the CTO at Bloomberg, discusses the varying definitions of zero trust among security professionals and companies, emphasizing its broad design philosophy.

A critical vulnerability in GitLab CE/EE can be easily exploited by attackers to reset GitLab user account passwords. Users who have two-factor authentication enabled on their account are safe from account takeover.

Two vulnerabilities impacting the POST SMTP Mailer WordPress plugin, an email delivery tool used by 300,000 websites, could help attackers take complete control of a site. Based on statistics from wordpress.org, roughly 150,000 sites run a vulnerable version of the plugin, earlier than 2.8.