AWS Cloud Development Kit flaw exposed accounts to full takeover

October 24, 2024 at 06:42PM Amazon Web Services resolved a critical vulnerability in its Cloud Development Kit (CDK), which allowed potential account hijacking through predictable S3 bucket names. Discovered by Aqua, the flaw affected about 1% of users. AWS has implemented changes in version v2.149.0 to enhance security, requiring user action for older versions. Meeting …

Hijacking Scheme Takes Over High-Profile TikTok Accounts

June 5, 2024 at 03:16PM High-profile TikTok accounts are being exploited and hijacked in a takeover campaign, with threat actors sending malware-infested direct messages. The malware allows account hijacking without the victim clicking on links or downloading files. TikTok is collaborating with account holders to resolve the issue and prevent future attacks. Notable accounts targeted …

TikTok fixes zero-day bug used to hijack high-profile accounts

June 4, 2024 at 05:59PM Multiple high-profile TikTok accounts were hijacked by attackers exploiting a zero-day vulnerability in the platform’s direct messages feature. Victims included Sony, CNN, and Paris Hilton. The exploit required targets to open a malicious message, without needing to download a payload or click on embedded links. TikTok is working to restore …

Mandiant’s brute-forced X account exposes perils of skimping on 2FA

January 11, 2024 at 12:35PM Mandiant’s investigation of the takeover of its X account revealed a successful brute-force attack due to a change in two-factor authentication policy. The use of SMS-based 2FA was removed, leaving accounts vulnerable. The compromise led to a scam pushing CLICKSINK drainer-as-a-service, highlighting the rise of such attacks targeting valuable cryptocurrency …