🚀 New Talk Confirmed for BSides Luxembourg 2026!

Leaky API Keys, Log Tampering, and Account Takeover – Aleksa Zatezalo

Modern cloud systems are highly secure in isolation, but real-world risk emerges at the seams — where services integrate. This talk explores how seemingly minor misconfigurations in logging pipelines, API integrations, and third-party services can quietly escalate into high-impact security breaches.

Through three real-world inspired vulnerability scenarios, the session demonstrates how leaked API keys from client-side logs, misconfigured S3 uploads, and insecure integrations (such as Supabase and financial data pipelines) can be chained into account takeover paths. The focus is on understanding the underlying anti-patterns rather than isolated bugs.

Attendees will leave with a structured framework to identify these cross-service weaknesses and practical remediation strategies that go beyond patching symptoms — targeting the architectural root causes that enable entire classes of exploitation.

Aleksa Zatezalo is a security engineer and software developer with experience in cloud security consulting, offensive security tooling, and contributions to Metasploit. He currently works at Praetorian and is OSCP-certified, pursuing OSCE3, with a strong focus on applied offensive security research.

📅 Conference Dates: 6–8 May 2026 | 09:00–18:00
📍 14, Porte de France, Esch-sur-Alzette, Luxembourg
🎟️ Tickets: https://2026.bsides.lu/tickets/
📅 Schedule: https://pretalx.com/bsidesluxembourg-2026/schedule/

📱 Want an easy way to follow the schedule?
Use Hacker Tracker: https://hackertracker.app/schedule?conf=BSIDESLUX2026

#BSidesLuxembourg2026 #CloudSecurity #APIKeys #AccountTakeover #DevSecOps #CyberSecurity

One does not simply exfiltrate a reset token using an email array.

And yet, Frodo (Matei "Mal" Bădănoiu) and Samwise (Raul Bledea) from Pentest-Tools.com did exactly that in FuelCMS.

Know someone's email? That's enough. Slip your address alongside theirs in a “forgot password” request and the token lands in your inbox. Their account is yours. You shall not (safely) parse!🧙

Chain it with PTT-2025-026 and you're looking at a 9.8 Critical unauthenticated RCE. One array to rule them all! 💍

Full PoC here: https://pentest-tools.com/research

#offensivesecurity #vulnerabilityresearch #infosec #accounttakeover

How I Found a Critical IDOR Leading to Account Takeover in Two EdTech Platforms
The vulnerability was an Insecure Direct Object Reference (IDOR) in two EdTech platforms, allowing account takeover through user profile manipulation. The flaw resulted from improper input validation, leading to user profiles being accessible via URL parameters. By constructing carefully crafted URLs containing other users' IDs, the researcher accessed their profiles without proper authentication. The attack vector involved using Burp Suite's Intruder tool to automate IDOR requests, sending payloads with incremental user IDs. The mechanism revolved around the application trusting the provided IDs without verifying their ownership or performing proper authorization checks. This IDOR flaw enabled the researcher to impersonate other users, potentially causing serious account takeovers. The researcher did not disclose specific bounty amounts or program responses. Proper mitigation requires implementing strict input validation and enforcing proper access control checks. Key lesson: Always validate user inputs and enforce proper access control to prevent unauthorized data access. #BugBounty #Cybersecurity #WebSecurity #IDOR #AccountTakeover #InputValidation

https://medium.com/@impyhacker/how-i-found-a-critical-idor-leading-to-account-takeover-in-two-edtech-platforms-44439a66ceb3?source=rss------bug_bounty-5

XSS Bypass to Zero Click Account Takeover in AI Chatbot
This vulnerability involves an XSS attack that leads to a zero-click account takeover in an AI chatbot. The application failed to sanitize user input when rendering messages, allowing the injection of malicious JavaScript. By exploiting this flaw, the attacker crafted a payload that overwrote the account token (JSESSIONID) with a malicious cookie, thereby gaining access to the victim's account without clicking any links or performing any further actions. The chatbot did not enforce any Content Security Policy (CSP), making it vulnerable to such attacks. The researcher received a $5,000 bounty for discovering and reporting this critical vulnerability. To prevent similar attacks, enforce strict CSP policies, validate user input, and ensure proper input sanitization. Key lesson: Never trust user input blindly, especially in critical areas like session tokens. #BugBounty #Cybersecurity #WebSecurity #XSS #AccountTakeover

https://infosecwriteups.com/xss-bypass-to-zero-click-account-takeover-in-ai-chatbot-a19acee8266f?source=rss------bug_bounty-5

Operational Summary:
Jurisdiction: Poland / Germany
Target Platform: Facebook
Impact: 100,000+ credentials seized
Suspects Charged: 11
Alleged Crimes: 400+

Tactics Observed:
• Fake news portal infrastructure
• Credential harvesting via spoofed login forms
• Account takeover operations
• Fraud leveraging payment systems (BLIK referenced)
• Money laundering

Strategic lesson:
Phishing + credential reuse + weak authentication continues to scale across borders.

Mitigation priorities:
• Phishing-resistant MFA
• FIDO2 / hardware keys
• Domain monitoring & takedown speed
• User education + anomaly detection

Source: https://the420.in/poland-cybercrime-bureau-facebook-phishing-100k-logins-germany-case/

Follow @technadu for threat intelligence updates.

Add your technical mitigation strategies below.

#Infosec #ThreatIntel #Phishing #AccountTakeover #FacebookSecurity #FraudPrevention #MFA #Cybercrime #SecurityOperations #EUCyber #TechNadu

“Starkiller” phishing service proxies real login pages and relays MFA in real time.
Targets include brands like Microsoft and Google.

Result:
Passwords captured.
MFA intercepted.
Session cookies stolen.
Reported by Abnormal AI.

Phishing is evolving into enterprise-grade tooling.

Source: https://krebsonsecurity.com/2026/02/starkiller-phishing-service-proxies-real-login-pages-mfa/

Are passkeys the only sustainable defense?
Follow @technadu for independent cybersecurity reporting.

Join the discussion below.

#CyberSecurity #Phishing #MFA #AccountTakeover #ZeroTrust #Infosec #DigitalIdentity #ThreatIntel

The Logic Flaw That Leads to Total Control: Mastering Account Takeovers in 2026
This vulnerability falls under the Authentication Bypass class, specifically Logical Account Takeover. ZACK0X01's tutorial reveals that attackers can bypass multi-factor authentication (MFA) by exploiting subtle disconnects in authentication flows. The researcher manipulates responses and leverages Insecure Direct Object References (IDOR) to gain control of any user account. By observing patterns in error messages, the researcher found opportunities to intercept MFA codes or bypass MFA checks entirely. The critical severity (CVSS ~9.8) demonstrates the devastating impact: complete account takeover and unauthorized access to sensitive data. The tutorial offers actionable insights for finding this high-impact vulnerability class in web applications. Key lesson: Look beyond syntax errors, focus on business logic flaws to master account takeovers. #BugBounty #WebSecurity #AuthenticationBypass #IDOR #AccountTakeover

https://infosecwriteups.com/the-logic-flaw-that-leads-to-total-control-mastering-account-takeovers-in-2026-aecef6d30bd9?source=rss------bug_bounty-5

Germany’s advisory underscores a critical shift: identity and account compromise via trusted features.

Threat actors are leveraging:
• Device-linking QR workflows
• SMS verification interception
• Support impersonation tactics

This is a reminder that encrypted transport ≠ secure endpoint usage.

Source: https://therecord.media/germany-warns-phishing-campaign-signal-gov-officials-journalists

💬 How are you mitigating messaging account takeover risks in high-risk user groups?
🔔 Follow @technadu for threat intelligence updates

#Infosec #ThreatIntelligence #SocialEngineering #SignalSecurity #CyberEspionage #AccountTakeover #ZeroTrust #TechNadu

Well that was fun. Got a cold call from somebody at "Google" claiming that the owner of my Gmail account was reported deceased. Pretty sure I'm not dead yet.

Looks like it was an AI-assisted account takeover attempt. Be careful out there. Google won't call you. #scam #scammers #accounttakeover

https://tech.yahoo.com/general/articles/watch-gmail-account-takeover-scam-121826913.html