A critical vulnerability in Microsoft 365 Copilot, dubbed SearchLeak, allowed attackers to steal 2FA codes via parameter-to-prompt injection by exploiting raw HTML rendering before guardrail enforcement. Microsoft has fixed the vulnerability, but the underlying issue of prompt injection remains a challenge.
A developer and a friend built op.inc, a free service that provides AI agents with real phone numbers for 2FA and account creation, avoiding VoIP blockages. They plan to open-source the API.
Google's Threat Intelligence Group reports that hackers are using AI-generated code to discover and weaponize a zero-day vulnerability that could bypass two-factor authentication, marking a notable escalation in AI-driven cybercrime.