Tagged articles
Black & White Path
Jun 10, 2026 · Information Security

How a Single Click Can Fully Compromise a Zoho Account: DOM XSS and PostMessage Misconfiguration Explained

A security researcher uncovered two critical Zoho flaws—a DOM‑based XSS on www.zoho.com.cn/assist/videos and a PostMessage configuration error on www.zoho.com—that together enable an attacker to hijack a user’s account with a single malicious link, read emails, capture OTPs, and gain full control.

Account Takeover · DOM XSS · PostMessage
dbaplus Community
Feb 1, 2026 · Information Security

How a Fired Contractor Crippled a Major US Company with a Simple PowerShell Script

In May 2021, a dismissed IT contractor exploited weak account deprovisioning at Waste Management and used a self‑written PowerShell script to reset thousands of passwords, shutting down the entire corporate network and causing over $860,000 in losses. The case highlights the severe risk of insider threats.

Account Takeover · DOJ case · Enterprise Security
IT Services Circle
Nov 27, 2025 · Information Security

How a Fired Contractor Crippled Waste Management with a Simple PowerShell Script

A former IT contractor at Waste Management exploited his insider knowledge after being terminated, using a self‑written PowerShell script to reset thousands of accounts, causing a nationwide outage that cost over $860,000 and highlighted critical gaps in enterprise permission revocation processes.

Account Takeover · CISA · Enterprise Security