top of page
ALL POSTS
Passwordless Phishing: How Attackers Hijack Microsoft 365 Through Device Code Authentication
Key Findings A sophisticated phishing-as-a-service kit called EvilTokens exploits Microsoft's legitimate OAuth 2.0 device authorization flow to hijack Microsoft 365 accounts without stealing passwords Attackers trick victims into entering a device code on a real Microsoft login page, which grants the attacker valid access tokens to the compromised account The attack bypasses traditional phishing detection methods by using genuine Microsoft authentication pages, eliminating fa
Jun 204 min read
Meta's Account Recovery Tool Vulnerability Exposes 20,000+ Instagram Users to Unauthorized Password Resets
Key Findings Meta's AI-powered Instagram account recovery tool, known as High Touch Support (HTS), contained a critical flaw that exposed over 20,000 accounts to unauthorized password resets The vulnerability existed for approximately seven weeks, from April 17 to early June 2026, before Meta discovered it on May 31 The flaw allowed attackers to request password reset links for any Instagram account and have them sent to email addresses they controlled, bypassing identity ver
Jun 84 min read
Hackers Exploited Meta's AI Support Bot to Compromise Instagram Accounts
Key Findings Meta's AI support assistant was exploited to hijack high-profile Instagram accounts including the Obama White House account and U.S. Space Force Chief Master Sergeant account over the weekend of May 31 Hackers used a VPN to spoof location, then tricked the AI bot into adding unauthorized email addresses to target accounts and resetting passwords The exploit bypassed two-factor authentication entirely and was defeated only by accounts with multi-factor authenticat
Jun 23 min read
AITM Phishing Campaign Targets TikTok Business Accounts with Cloudflare Evasion Tactics
Key Findings Push Security identified a new AITM phishing campaign targeting TikTok for Business accounts to hijack them for malvertising and fraud Attackers use fake TikTok and Google-themed pages with Cloudflare Turnstile bot protection to bypass security scanners Newly registered domains are created rapidly and hosted behind Cloudflare, making them difficult to track Compromised accounts are used for malvertising, credential theft, malware distribution, and ad fraud Many u
Mar 272 min read
GitLab Issues High-Severity 2FA Bypass and DoS Flaws, Urgent Update Patches
Key Findings GitLab has released urgent security updates to address several high-severity vulnerabilities, including a critical two-factor authentication (2FA) bypass flaw and multiple denial-of-service (DoS) issues. The 2FA bypass vulnerability (CVE-2026-0723) could allow an attacker to bypass the authentication mechanism designed to protect accounts, potentially leading to account takeovers. The DoS vulnerabilities affect various GitLab components, including the Jira Connec
Jan 212 min read
bottom of page
