One does not simply exfiltrate a reset token using an email array.
And yet, Frodo (Matei "Mal" Bădănoiu) and Samwise (Raul Bledea) from Pentest-Tools.com did exactly that in FuelCMS.
Know someone's email? That's enough. Slip your address alongside theirs in a “forgot password” request and the token lands in your inbox. Their account is yours. You shall not (safely) parse!🧙
Chain it with PTT-2025-026 and you're looking at a 9.8 Critical unauthenticated RCE. One array to rule them all! 💍
Full PoC here: https://pentest-tools.com/research
#offensivesecurity #vulnerabilityresearch #infosec #accounttakeover
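As an added illustration of the defect class described above (not FuelCMS's code, and not the PoC linked in the post), the two handlers below sketch a "forgot password" endpoint. The flawed one forwards whatever the client submitted as `email` to the mailer; since form parsers return a list per key (Python's `parse_qs` for repeated `email=` fields, PHP for `email[]=`), a request naming the victim plus a second address delivers the same token to both. The hardened one insists on exactly one scalar value, validates it, and mails the token only to the address stored on the account record. The user records, function names and the `outbox` mailer stand-in are constructed for the example.

```python
import re
import secrets
from urllib.parse import parse_qs

# Constructed user records for the demo; nothing here comes from FuelCMS.
USERS = [
    {"id": 1, "email": "alice@example.com"},
    {"id": 2, "email": "bob@example.com"},
]

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def find_user(email):
    return next((u for u in USERS if u["email"] == email), None)


def issue_token():
    # Unguessable, single-use reset token; persistence and expiry are omitted.
    return secrets.token_urlsafe(32)


def reset_vulnerable(body, outbox):
    """Flawed pattern (hypothetical, not FuelCMS code): the submitted 'email'
    value is handed to the mailer as-is. parse_qs returns a list per key, so a
    body carrying two email= fields makes the mailer deliver one token to
    every address in the list, not just the account holder's."""
    params = parse_qs(body)
    emails = params.get("email", [])
    if not any(find_user(e) is not None for e in emails):
        return
    token = issue_token()
    for addr in emails:
        outbox.append((addr, token))


def reset_hardened(body, outbox):
    """Hardened handler: exactly one scalar value, syntactically valid, and the
    token goes only to the address stored on the account record, never to the
    string the client supplied. Returns a status label for the caller."""
    params = parse_qs(body)
    values = params.get("email", [])
    if len(values) != 1:
        return "rejected: email must be a single value"
    email = values[0].strip().lower()
    if not EMAIL_RE.match(email):
        return "rejected: malformed email"
    user = find_user(email)
    if user is not None:
        outbox.append((user["email"], issue_token()))
    # Same reply whether or not the address exists, to avoid account enumeration.
    return "accepted"
```

The key design choice is the last step: the destination address is read back from the account record, so even a validation slip upstream cannot redirect the token to a client-chosen mailbox.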
How I Found a Critical IDOR Leading to Account Takeover in Two EdTech Platforms
The vulnerability was an Insecure Direct Object Reference (IDOR) in two EdTech platforms, allowing account takeover through user profile manipulation. The flaw resulted from improper input validation, leading to user profiles being accessible via URL parameters. By constructing carefully crafted URLs containing other users' IDs, the researcher accessed their profiles without proper authentication. The attack vector involved using Burp Suite's Intruder tool to automate IDOR requests, sending payloads with incremental user IDs. The mechanism revolved around the application trusting the provided IDs without verifying their ownership or performing proper authorization checks. This IDOR flaw enabled the researcher to impersonate other users, potentially causing serious account takeovers. The researcher did not disclose specific bounty amounts or program responses. Proper mitigation requires implementing strict input validation and enforcing proper access control checks. Key lesson: Always validate user inputs and enforce proper access control to prevent unauthorized data access. #BugBounty #Cybersecurity #WebSecurity #IDOR #AccountTakeover #InputValidation
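The write-up above names the two defensive halves of an IDOR fix: an ownership check on every object fetch, and visibility into enumeration attempts such as an Intruder run over incremental IDs. The example below is added here and is not code from either EdTech platform; the profile store, the admin set and the access-log format are constructed. `get_profile` denies before it touches the record, and `detect_enumeration` flags any session whose requests cover a run of consecutive profile IDs, which is how an incremental scan shows up in logs.

```python
import re
from collections import defaultdict

# Constructed profile store and admin set; not data from either platform.
PROFILES = {
    101: {"name": "Alice", "email": "alice@example.com"},
    102: {"name": "Bob", "email": "bob@example.com"},
}
ADMINS = {999}


class Forbidden(Exception):
    pass


def get_profile_vulnerable(requested_id):
    """Flawed pattern: the ID taken from the URL is trusted outright."""
    return PROFILES[requested_id]


def get_profile(session_user_id, requested_id):
    """Object-level authorization: a caller may read only their own profile,
    unless they are an admin. The check runs before the record is fetched, so
    an unauthorized request learns nothing, not even whether the ID exists."""
    if requested_id != session_user_id and session_user_id not in ADMINS:
        raise Forbidden(f"user {session_user_id} may not read profile {requested_id}")
    return PROFILES[requested_id]


# Constructed access-log format: "<ts> sess=<id> GET /profile/<id> <status>".
LOG_RE = re.compile(r"^\S+ sess=(?P<sess>\w+) GET /profile/(?P<id>\d+) (?P<status>\d{3})$")


def detect_enumeration(log_lines, min_run=5):
    """Flag sessions whose requests cover a run of consecutive profile IDs of
    length >= min_run, the footprint of an incremental-ID scan. Returns a
    dict of session -> sorted distinct IDs for the flagged sessions."""
    per_session = defaultdict(set)
    for line in log_lines:
        m = LOG_RE.match(line)
        if m:
            per_session[m["sess"]].add(int(m["id"]))
    flagged = {}
    for sess, ids in per_session.items():
        ordered = sorted(ids)
        best = run = 1
        for prev, cur in zip(ordered, ordered[1:]):
            run = run + 1 if cur == prev + 1 else 1
            best = max(best, run)
        if best >= min_run:
            flagged[sess] = ordered
    return flagged


# Constructed sample log: session s1 walks IDs 100..106, s2 reads its own profile.
SAMPLE_LOG = [
    "2024-01-01T10:00:00Z sess=s1 GET /profile/100 200",
    "2024-01-01T10:00:01Z sess=s1 GET /profile/101 200",
    "2024-01-01T10:00:01Z sess=s1 GET /profile/102 200",
    "2024-01-01T10:00:02Z sess=s1 GET /profile/103 200",
    "2024-01-01T10:00:02Z sess=s1 GET /profile/104 200",
    "2024-01-01T10:00:03Z sess=s1 GET /profile/105 200",
    "2024-01-01T10:00:03Z sess=s1 GET /profile/106 200",
    "2024-01-01T10:00:04Z sess=s2 GET /profile/102 200",
    "2024-01-01T10:00:09Z sess=s2 GET /profile/102 200",
    "garbage line that does not match",
]
```

Once the authorization check is in place, the same scan produces a run of 403s instead of 200s, which makes the log-side detector a useful regression signal as well as an alert source.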
XSS Bypass to Zero Click Account Takeover in AI Chatbot
This vulnerability involves an XSS attack that leads to a zero-click account takeover in an AI chatbot. The application failed to sanitize user input when rendering messages, allowing the injection of malicious JavaScript. By exploiting this flaw, the attacker crafted a payload that overwrote the account token (JSESSIONID) with a malicious cookie, thereby gaining access to the victim's account without clicking any links or performing any further actions. The chatbot did not enforce any Content Security Policy (CSP), making it vulnerable to such attacks. The researcher received a $5,000 bounty for discovering and reporting this critical vulnerability. To prevent similar attacks, enforce strict CSP policies, validate user input, and ensure proper input sanitization. Key lesson: Never trust user input blindly, especially in critical areas like session tokens. #BugBounty #Cybersecurity #WebSecurity #XSS #AccountTakeover
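The post lists three controls for this bug class: output sanitization, a CSP, and protecting the session token. The helpers below, added here and not the chatbot's own code, show what each looks like concretely: `render_message` escapes untrusted chat text before it reaches HTML, `response_headers` emits a CSP without `'unsafe-inline'` so an injected inline script is refused by the browser, and `session_cookie_header` sets the session cookie with HttpOnly, Secure, SameSite and the `__Host-` prefix. `cookie_hardening_gaps` audits an existing Set-Cookie value against those attributes. Cookie and function names are assumptions for the example; the JSESSIONID value in the test is constructed.

```python
import html

CSP = "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'none'"


def render_message(text):
    """Escape untrusted chat text before it is placed inside HTML. With this,
    a message containing <script>...</script> is displayed literally."""
    return f'<div class="msg">{html.escape(text, quote=True)}</div>'


def session_cookie_header(session_id):
    """Set-Cookie value for the session token (cookie name is an assumption).
    HttpOnly keeps the cookie out of document.cookie and also blocks script
    from overwriting a cookie of that name; Secure keeps it off plaintext
    HTTP; SameSite=Strict stops cross-site requests from carrying it; the
    __Host- prefix requires Secure, Path=/ and no Domain attribute, so a
    sibling cookie set on another path or subdomain cannot shadow it."""
    return f"__Host-SESSION={session_id}; Path=/; Secure; HttpOnly; SameSite=Strict"


def response_headers(session_id):
    """Headers an authenticated chat page should carry. The CSP carries no
    'unsafe-inline', so inline <script> blocks injected into the page are
    not executed by a CSP-enforcing browser."""
    return {
        "Content-Security-Policy": CSP,
        "Set-Cookie": session_cookie_header(session_id),
        "X-Content-Type-Options": "nosniff",
    }


def cookie_hardening_gaps(set_cookie):
    """Audit a Set-Cookie value: return the attributes it is missing for a
    session token, or an empty list when it passes."""
    name = set_cookie.split("=", 1)[0].strip()
    attrs = {part.strip().split("=", 1)[0].lower() for part in set_cookie.split(";")[1:]}
    gaps = sorted({"httponly", "secure", "samesite"} - attrs)
    if not name.startswith("__Host-"):
        gaps.append("__Host- prefix")
    return gaps
```

Escaping at render time is the control that actually removes the injection; the CSP and cookie attributes are defence in depth for the case where some other template forgets to escape. Regenerating the session identifier at login closes the remaining fixation path, and is left to the session framework here.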
Operational Summary:
Jurisdiction: Poland / Germany
Target Platform: Facebook
Impact: 100,000+ credentials seized
Suspects Charged: 11
Alleged Crimes: 400+
Tactics Observed:
• Fake news portal infrastructure
• Credential harvesting via spoofed login forms
• Account takeover operations
• Fraud leveraging payment systems (BLIK referenced)
• Money laundering
Strategic lesson:
Phishing + credential reuse + weak authentication continues to scale across borders.
Mitigation priorities:
• Phishing-resistant MFA
• FIDO2 / hardware keys
• Domain monitoring & takedown speed
• User education + anomaly detection
Source: https://the420.in/poland-cybercrime-bureau-facebook-phishing-100k-logins-germany-case/
Follow @technadu for threat intelligence updates.
Add your technical mitigation strategies below.
#Infosec #ThreatIntel #Phishing #AccountTakeover #FacebookSecurity #FraudPrevention #MFA #Cybercrime #SecurityOperations #EUCyber #TechNadu
“Starkiller” phishing service proxies real login pages and relays MFA in real time.
Targets include brands like Microsoft and Google.
Result:
Passwords captured.
MFA intercepted.
Session cookies stolen.
Reported by Abnormal AI.
Phishing is evolving into enterprise-grade tooling.
Source: https://krebsonsecurity.com/2026/02/starkiller-phishing-service-proxies-real-login-pages-mfa/
Are passkeys the only sustainable defense?
Follow @technadu for independent cybersecurity reporting.
Join the discussion below.
#CyberSecurity #Phishing #MFA #AccountTakeover #ZeroTrust #Infosec #DigitalIdentity #ThreatIntel
The Logic Flaw That Leads to Total Control: Mastering Account Takeovers in 2026
This vulnerability falls under the Authentication Bypass class, specifically Logical Account Takeover. ZACK0X01's tutorial reveals that attackers can bypass multi-factor authentication (MFA) by exploiting subtle disconnects in authentication flows. The researcher manipulates responses and leverages Insecure Direct Object References (IDOR) to gain control of any user account. By observing patterns in error messages, the researcher found opportunities to intercept MFA codes or bypass MFA checks entirely. The critical severity (CVSS ~9.8) demonstrates the devastating impact: complete account takeover and unauthorized access to sensitive data. The tutorial offers actionable insights for finding this high-impact vulnerability class in web applications. Key lesson: Look beyond syntax errors, focus on business logic flaws to master account takeovers. #BugBounty #WebSecurity #AuthenticationBypass #IDOR #AccountTakeover
Germany’s advisory underscores a critical shift: identity and account compromise via trusted features.
Threat actors are leveraging:
• Device-linking QR workflows
• SMS verification interception
• Support impersonation tactics
This is a reminder that encrypted transport ≠ secure endpoint usage.
Source: https://therecord.media/germany-warns-phishing-campaign-signal-gov-officials-journalists
💬 How are you mitigating messaging account takeover risks in high-risk user groups?
🔔 Follow @technadu for threat intelligence updates
#Infosec #ThreatIntelligence #SocialEngineering #SignalSecurity #CyberEspionage #AccountTakeover #ZeroTrust #TechNadu
Well that was fun. Got a cold call from somebody at "Google" claiming that the owner of my Gmail account was reported deceased. Pretty sure I'm not dead yet.
Looks like it was an AI-assisted account takeover attempt. Be careful out there. Google won't call you. #scam #scammers #accounttakeover
https://tech.yahoo.com/general/articles/watch-gmail-account-takeover-scam-121826913.html
Germany’s BfV and BSI warn of Signal account hijacking via social engineering, not exploits.
Threat actors impersonate support services or abuse the linked-device feature to access chats and contacts of high-value targets. The campaign underscores how legitimate platform features can be weaponized in espionage operations.
💬 What mitigations actually work against messaging-based account takeover?
🔔 Follow @technadu for ongoing threat intelligence coverage
#InfoSec #SignalSecurity #AccountTakeover #SocialEngineering #CyberEspionage #ThreatActors #DigitalSecurity #TechNadu