Someone used my open source project to phish 14,000 people
- #Open Source Security
- #SaaS Threat Model
- #Phishing Incident
- An open-source project management tool's cloud version was used for phishing, sending 14,520 invitations from 942 fake accounts.
- The attackers abused legitimate features, the project's verified sending email domain and its open signup flow, without exploiting any vulnerability; the gap was one of design, not code.
- Cleanup meant revoking the email-provider API keys, deleting the fake accounts, and hardening signup with a captcha, rate limits, disposable-email blocking, and workspace-name filtering.
- The incident exposed how different the threat models of the self-hosted and SaaS versions are: in a multi-tenant service the operator's sending domain and reputation are what the abuser borrows.
- Future changes include stricter security measures for the cloud tier and a shift in mindset to treat it as infrastructure with broader responsibilities.
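The signup hardening listed above (rate limits, disposable-email blocking, workspace-name filtering) as a single screening step, written here as an added illustration and not taken from the project's code; the disposable-domain list, the blocked name keywords and the per-IP budget are constructed assumptions.

```python
import re
import time
from collections import defaultdict, deque

# Constructed sample data: a few disposable-mail domains and phishing-style
# workspace-name keywords. A real deployment would load a maintained list;
# these values are illustrative and not taken from the incident.
DISPOSABLE_DOMAINS = {"mailinator.com", "tempmail.example", "10minutemail.example"}
WORKSPACE_NAME_BLOCKLIST = re.compile(
    r"(verify|security alert|account (?:locked|suspended)|password reset|invoice)",
    re.IGNORECASE,
)
SIGNUPS_PER_IP_PER_HOUR = 5   # assumed policy value, not the project's setting
WINDOW_SECONDS = 3600

class SignupScreener:
    """Screens new-workspace signups before any invitation email can go out."""
    def __init__(self, now=time.time):
        self._now = now                      # injectable clock, eases testing
        self._recent = defaultdict(deque)    # ip -> timestamps of attempts

    @staticmethod
    def normalise_email_domain(email: str) -> str:
        # Lower-case the domain so 'Mailinator.COM' still matches the list.
        return email.rsplit("@", 1)[-1].strip().lower()

    def email_is_disposable(self, email: str) -> bool:
        domain = self.normalise_email_domain(email)
        # Match the provider itself and any subdomain of it (mx.mailinator.com).
        return any(domain == d or domain.endswith("." + d) for d in DISPOSABLE_DOMAINS)

    def workspace_name_is_suspicious(self, name: str) -> bool:
        return bool(WORKSPACE_NAME_BLOCKLIST.search(name))

    def ip_over_limit(self, ip: str) -> bool:
        # Sliding window; every attempt counts, so rejected signups also burn budget.
        window = self._recent[ip]
        cutoff = self._now() - WINDOW_SECONDS
        while window and window[0] < cutoff:
            window.popleft()
        window.append(self._now())
        return len(window) > SIGNUPS_PER_IP_PER_HOUR

    def screen(self, ip: str, email: str, workspace_name: str) -> str:
        """Returns 'accept' or the name of the first rule that rejected the signup."""
        if self.ip_over_limit(ip):
            return "rate_limited"
        if self.email_is_disposable(email):
            return "disposable_email"
        if self.workspace_name_is_suspicious(workspace_name):
            return "workspace_name"
        return "accept"
```

The rate limit is checked first so that a burst of rejected signups cannot be used to probe the other filters for free; a captcha would sit in front of all three checks.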