Critical WordPress Plug-in Flaw Exposes 4M Sites to Takeover

November 18, 2024 at 03:41PM A critical flaw in the Really Simple Security WordPress plug-in, affecting over 4 million sites, allows attackers to bypass authentication and gain administrative access. Rated 9.8 on the CVSS scale, the vulnerability has been patched in version 9.1.2. Users are urged to confirm updates to protect their sites.

Urgent: Critical WordPress Plugin Vulnerability Exposes Over 4 Million Sites

November 17, 2024 at 11:57PM A critical authentication bypass vulnerability (CVE-2024-10924) in the Really Simple Security plugin for WordPress could allow attackers to gain full admin access. Affecting over 4 million sites, the vulnerability has been patched in version 9.1.2 after responsible disclosure. Similar vulnerabilities were also found in WPLMS Learning Management System.

Google Cloud Rolling Out Mandatory MFA for All Users

November 6, 2024 at 10:46AM Google Cloud is implementing mandatory multi-factor authentication (MFA) for all users signing in with a password, beginning this month. This measure aims to enhance security for users accessing Google Cloud services.

Mamba 2FA Cybercrime Kit Targets Microsoft 365 Users

October 9, 2024 at 04:44PM The Mamba 2FA phishing kit targets Microsoft 365 users with deceptive login pages, sneaking past two-factor authentication. Priced at $250/month in cybercrime forums, it mimics various Microsoft services and collects credentials through Telegram. Active since November 2023, it previously operated on ICQ before moving to Telegram.

Dutch Police: ‘State actor’ likely behind recent data breach

October 3, 2024 at 02:59PM The Dutch national police (Politie) suspect a state actor is behind the recent data breach, which compromised officers’ contact details and private information. They are implementing stronger security measures, including two-factor authentication, and closely monitoring systems for unauthorized access. The investigation is ongoing, and further details will be made public as they become …

GitLab releases fix for critical SAML authentication bypass flaw

September 18, 2024 at 02:43PM GitLab has released security updates for a critical SAML authentication bypass vulnerability affecting self-managed installations of GitLab CE and EE. The flaw arises from a problem in the OmniAuth-SAML and Ruby-SAML libraries, allowing attackers to gain unauthorized access. GitLab strongly recommends immediate upgrades and suggests enabling two-factor authentication as a …

WordPress Mandates Two-Factor Authentication for Plugin and Theme Developers

September 12, 2024 at 01:12AM WordPress.org is set to make two-factor authentication mandatory for accounts with the ability to update plugins and themes, aiming to enhance security and prevent unauthorized access. In addition to 2FA, the platform is introducing SVN passwords to further secure code commit access. These measures are a response to ongoing security …

Unfixed Microsoft Entra ID Authentication Bypass Threatens Hybrid Clouds

August 15, 2024 at 05:10PM Researchers have discovered a vulnerability in Microsoft Entra ID that can enable attackers to bypass authentication in hybrid identity infrastructures. This involves manipulating the Pass-Through Authentication (PTA) agent, allowing them to log in as any synced AD user without knowing their actual password. Microsoft plans to address the issue, which …

Twilio Users Kicked Out of Desktop App, Forced to Switch to Mobile

August 2, 2024 at 03:17PM Twilio has discontinued its Authy Desktop application for Linux, Windows, and macOS, prompting users to switch to the mobile version. Some users are experiencing synchronization issues with tokens when switching to the mobile app. Twilio has not provided a comment on this issue.

Infoseccers claim Squarespace migration linked to DNS hijackings at Web3 firms

July 15, 2024 at 09:47AM Security researchers claim a series of DNS hijackings at web3 businesses are linked to Squarespace’s acquisition of Google Domains. The issue arose from Squarespace’s migration method, which allowed cybercriminals to guess admin email addresses and register them. The attacks aimed to change DNS records, rerouting visitors to phishing sites. Firms impacted include Compound …