The U.S. federal government's cybersecurity agency warns that hackers are exploiting a GitLab vulnerability patched in January that allows account hijacking via the 'forgot your password' function, underscoring the importance of applying patches promptly and of measures to prevent supply chain attacks.

Hackers exploit a vulnerability in GitLab via the 'Forgot Your Password' function

GitLab reported no abuse when the patch was released, but experts warn of opportunistic hacking once a patch is public; Verizon's data shows that patch installation lags far behind the speed at which threat actors scan for vulnerable systems. The vulnerability, rated at the maximum CVSS score, allows attackers to reset a password by having the reset link sent to an inbox they control, even without knowing the account's email address; accounts with MFA enabled are also advised to change their passwords.
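The flaw class the article describes is a password-reset flow that trusts addresses supplied in the request. The following is an added illustration written for this page, not GitLab's code and not from the article: a generic reset handler in the pattern that mails the token to request-supplied addresses, beside a hardened handler that sends the token only to addresses already verified for the account. All names (`Account`, `ACCOUNTS`, `reset_request_*`) and the sample accounts are constructed for the example.

```ruby
require 'securerandom'

# Hypothetical account record: verified_emails are addresses the user has
# already confirmed ownership of.
Account = Struct.new(:username, :verified_emails)

# Constructed in-memory "database" standing in for the real user store.
ACCOUNTS = [
  Account.new('alice', ['alice@example.com']),
  Account.new('bob',   ['bob@example.com', 'bob.work@example.com'])
].freeze

def find_account_by_email(email)
  ACCOUNTS.find { |a| a.verified_emails.include?(email.to_s.downcase) }
end

# Vulnerable pattern: the request may carry several addresses; the handler
# resolves the account from any one of them and then mails the reset token
# to every address it was given. An unverified, attacker-controlled address
# in the same request therefore receives a valid token for the account.
# Returns the list of [recipient, token] pairs that would be mailed.
def reset_request_trusting_input(emails)
  account = Array(emails).map { |e| find_account_by_email(e) }.compact.first
  return [] unless account
  token = SecureRandom.hex(16)
  Array(emails).map { |e| [e, token] }
end

# Hardened pattern: exactly one address is accepted, the account is looked up
# by it, and the token is delivered only to addresses already verified for
# that account. The request's own content never decides the recipient.
def reset_request_hardened(emails)
  emails = Array(emails)
  return [] unless emails.length == 1
  account = find_account_by_email(emails.first)
  return [] unless account # same empty response for unknown addresses (no enumeration)
  token = SecureRandom.hex(16)
  account.verified_emails.map { |e| [e, token] }
end

if __FILE__ == $PROGRAM_NAME
  probe = ['alice@example.com', 'attacker@example.invalid'] # constructed input
  puts "trusting input -> #{reset_request_trusting_input(probe).map(&:first).inspect}"
  puts "hardened       -> #{reset_request_hardened(probe).map(&:first).inspect}"
end
```

The hardened handler also deliberately returns the same empty result for a malformed request and for an unknown address, so the reset endpoint cannot be used to confirm which emails have accounts. Note that none of this depends on MFA: a reset link delivered to the wrong inbox bypasses the login challenge entirely, which is why the article's advice to rotate passwords applies to MFA-protected accounts as well.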
https://www.bankinfosecurity.com/gitlab-hackers-use-forgot-your-password-to-hijack-accounts-a-24991