#auth

Two Russian-born Australian citizens have been arrested and charged in the country for spying on behalf of Russia as part of a "complex" law enforcement operation codenamed BURGAZADA. This includes a 40-year-old woman, an Australian Defence Force (ADF) Army Private, and her husband, a 62-year-old self-employed laborer. Media reports have identified them as Kira Korolev and Igor Korolev,

In today's digital age, passwords serve as the keys to our most sensitive information, from social media accounts to banking and business systems. This immense power brings with it significant responsibility—and vulnerability. Most people don't realize their credentials have been compromised until the damage is done. Imagine waking up to drained bank accounts, stolen identities, or a company's

Apple has sent a warning to people targeted by mercenary spyware in 98 countries.

The U.S. Department of Justice (DoJ) said it seized two internet domains and searched nearly 1,000 social media accounts that Russian threat actors allegedly used to covertly spread pro-Kremlin disinformation in the country and abroad on a large scale. "The social media bot farm used elements of AI to create fictitious social media profiles — often purporting to belong to individuals in the

Vault and Vault Enterprise did not properly handle requests originating from unauthorized IP addresses when the TCP listener option, proxy_protocol_behavior, was set to deny_unauthorized. When receiving a request from a source IP address that was not listed in proxy_protocol_authorized_addrs, the Vault API server would shut down and no longer respond to any HTTP requests, potentially resulting in denial of service. While this bug also affected versions of Vault up to 1.17.1 and 1.16.5, a separate regression in those release series did not allow Vault operators to configure the deny_unauthorized option, thus not allowing the conditions for the denial of service to occur. Fixed in Vault and Vault Enterprise 1.17.2, 1.16.6, and 1.15.12.

A new resolution echoes what 16 members of Congress have already said to the White House: It must do more to free one of the most storied crypto-focused federal agents in history.

### Impact The Auth0 WordPress plugin allows site administrators to opt-in to allowing the use of a `wle` parameter, which can be passed to the WordPress login page by end users. When this parameter is supplied using an expected value (which is randomly generated by the plugin, by default), the end user can fallback to using WordPress' native authentication behavior. (This is generally intended as an emergency fallback for administrators to still be able to access their dashboard in the event something goes wrong.) In previous versions of the plugin, under specific conditions, this parameter could potentially accept an arbitrary string that would be improperly rendered, potentially allowing for a cross-site scripting (XSS) attack on the login page. ### Patches Please upgrade to v4.6.1 of the plugin to resolve the issue.

Even if a threat actor isn’t successful in some widespread breach that makes international headlines, even smaller-scale threats and actors are just hoping to cause chaos.

### Impact Due to a bug in Red's Core API, 3rd-party cogs using the [`@commands.can_manage_channel()`](https://docs.discord.red/en/stable/framework_checks.html#redbot.core.commands.can_manage_channel) command permission check without additional permission controls may authorize a user to run a command even when that user doesn't have permissions to manage a channel. None of the core commands or core cogs are affected. The maintainers of the project are not aware of any _public_ 3rd-party cog utilizing this API at the time of writing this advisory. The [`@commands.mod_or_can_manage_channel()`](https://docs.discord.red/en/stable/framework_checks.html#redbot.core.commands.mod_or_can_manage_channel), [`@commands.admin_or_can_manage_channel()`](https://docs.discord.red/en/stable/framework_checks.html#redbot.core.commands.admin_or_can_manage_channel), and [`@commands.guildowner_or_can_manage_channel()`](https://docs.discord.red/en/stable/framework_checks.html#redbot.core.commands.guildowne...

The cybercrime boss, who helped lead the prolific Zeus malware gang and was on the FBI’s “most wanted” list for years, has been sentenced to 18 years and ordered to pay more than $73 million.