An unpatched security issue in the Travis CI API has left tens of thousands of developers’ user tokens exposed to potential attacks, effectively allowing threat actors to breach cloud infrastructures, make unauthorized code changes, and initiate supply chain attacks. “More than 770 million logs of free tier users are available, from which you can easily […]
Cloud-based repository hosting service GitHub on Friday revealed that it discovered evidence of an unnamed adversary capitalizing on stolen OAuth user tokens to unauthorizedly download private data from several organizations. “An attacker abused stolen OAuth user tokens issued to two third-party OAuth integrators, Heroku and Travis-CI, to download data from dozens of organizations, including NPM,” […]
Security specialists from the firm JFrog report the discovery of 11 malicious Python packages in the Python Package Index (PyPI) repository, apparently designed for the theft of access tokens to platforms such as Discord, in addition to intercepting passwords and deploying dependency confusion attacks. The list of malicious packages detected in this research is shown […]
Hackers exploited a vulnerability in the “View As” feature of Facebook. The social media giant Facebook has announced that it has suffered a massive cyberattack, resulting in 50 million users account impacted. In a statement, the vice president of product management at Facebook, Guy Rosen said that hackers exploited a vulnerability in Facebook’s ‘view as’ feature which lets […]
GitHub on Monday noted that it had notified all victims of an attack campaign, which involved an unauthorized party downloading private repository contents by taking advantage of third-party OAuth user tokens maintained by Heroku and Travis CI. “Customers should also continue to monitor Heroku and Travis CI for updates on their own investigations into the […]
Short Bytes: A security researcher has located a flaw in Facebook’s device login feature that allows one to easily authorise apps on IoT devices. Due to the lack of CSRF protection, an attacker can fool Facebook’s systems and grab the access_token of the victim. Facebook has now fixed the bug and awarded $5,000 bounty to the […]