#auth

A list of topics we covered in the week of December 15 to December 21 of 2025

Threat hunters have discerned new activity associated with an Iranian threat actor known as Infy (aka Prince of Persia), nearly five years after the hacking group was observed targeting victims in Sweden, the Netherlands, and Turkey. "The scale of Prince of Persia's activity is more significant than we originally anticipated," Tomer Bar, vice president of security research at SafeBreach, said

US authorities have charged Zahid Hasan with running TechTreek, a $2.9 million online marketplace selling fake ID templates. The investigation, involving the FBI and Bangladesh police, uncovered a global scheme selling fraudulent passports and social security cards to over 1,400 customers.

### Summary A Server-Side Request Forgery (SSRF) vulnerability in Cowrie's emulated shell mode allows unauthenticated attackers to abuse the honeypot as an amplification vector for HTTP-based denial-of-service attacks against arbitrary third-party hosts. ### Details When Cowrie operates in emulated shell mode (the default configuration), it basically emulates common Linux commands. The `wget` and `curl` command emulations actually perform real outbound HTTP requests to the destinations specified by the attacker, as this functionality is intended to allow Cowrie to save downloaded files for later inspection. An attacker who connects to the honeypot via SSH or Telnet can repeatedly invoke these commands targeting a victim host. Since there was no rate limiting mechanism in place, the attacker could generate unlimited outbound HTTP traffic toward the victim. The requests originate from the honeypot's IP address, effectively masking the attacker's identity and turning the honeypot into...

The U.S. Department of Justice (DoJ) this week announced the indictment of 54 individuals in connection with a multi-million dollar ATM jackpotting scheme. The large-scale conspiracy involved deploying malware named Ploutus to hack into automated teller machines (ATMs) across the U.S. and force them to dispense cash. The indicted members are alleged to be part of Tren de Aragua (TdA, Spanish for

From photos of former president Bill Clinton to images of strange scrapbooks, the Justice Department’s release is curious but far from revelatory.

**Vulnerability Overview** If an arbitrary path is specified in the request body's `fs_path`, the server serializes the Flow object into JSON and creates/overwrites a file at that path. There is no path restriction, normalization, or allowed directory enforcement, so absolute paths (e.g., /etc/poc.txt) are interpreted as is. **Vulnerable Code** 1. It receives the request body (flow), updates the DB, and then passes it to the file-writing sink. https://github.com/langflow-ai/langflow/blob/ac6e2d2eabeee28085f2739d79f7ce4205ca082c/src/backend/base/langflow/api/v1/flows.py#L154-L168 ```python @router.post("/", response_model=FlowRead, status_code=201) async def create_flow( *, session: DbSession, flow: FlowCreate, current_user: CurrentActiveUser, ): try: db_flow = await _new_flow(session=session, flow=flow, user_id=current_user.id) await session.commit() await session.refresh(db_flo...

### Impact Users importing contacts from untrusted sources. Specifically crafted contact data can lead to some of DOM modifications for the link button next to the field e.g. the link address can be overriden. CSS can be manipulated to give the button arbitrary look and change it's size so that any click on the screen would lead to the specified URL. Modifying event listeners does *not* seem to be possible so no JS can be executed (which would also be prevented by CSP). ## Technical details The data is included as part of the [mithril's hyperscript selector](https://mithril.js.org/hyperscript.html#css-selectors). It is possible to define a value like `][href=https://ddg.gg][style=position:fixed;width:150vw;height:200vh` which will be included in the selector passed to Mithril and will be interpreted as part of the code. ### Patches https://github.com/tutao/tutanota/commit/e28345f5f78f628f9d5c04e785f79543f01dca8b ### Workarounds Do not open contact viewer on unpatched versions. If t...

A flaw was found in the Keycloak LDAP User Federation provider. This vulnerability allows an authenticated realm administrator to trigger deserialization of untrusted Java objects via a malicious LDAP server configuration. ### Mitigation Disable LDAP referrals in all LDAP user providers in all realms if projects cannot upgrade to the patched versions.

**Description** The OAuth login state tokens are completely stateless and carry no per-request entropy or any data that could link them to the session that initiated the OAuth flow. `generate_state_token()` is always called with an empty `state_data` dict, so the resulting JWT only contains the fixed audience claim plus an expiration timestamp. \[1\] ```py state_data: dict[str, str] = {} state = generate_state_token(state_data, state_secret) authorization_url = await oauth_client.get_authorization_url( authorize_redirect_url, state, scopes, ) ``` *fastapi\_users/router/oauth.py:65-71* On callback, the library merely checks that the JWT verifies under `state_secret` and is unexpired; there is no attempt to match the state value to the browser that initiated the OAuth request, no correlation cookie, and no server-side cache. \[2\] ```py try: decode_jwt(state, state_secret, [STATE_TOKEN_AUDIENCE])...