Tokens or partial code could be utilized by threat actors to exploit the vulnerability which stems from an improper authentication issue to circumvent security checks and infiltrate restricted app segments, noted cybersecurity researcher Allam Rachid. "This vulnerability has been present for several years in the Next.js source code, evolving with the middleware and its changes over the versions," said Rachid, who along with Allam Yasser discovered and reported the bug to Next.js maintainer Vercel late last month only for the patch to arrive weeks later. Vercel's delayed fix for the issue has raised concerns even as the firm's Chief Information Security Officer Ty Sbano noted the absence of any active exploits. "While our teams had verified the issue did not impact most infrastructure platforms, we failed to proactively share that context quickly enough. We're already working on ways we can improve how we share information moving forward," said Sbano.
The supermarket chain is tripling the number of stores utilizing facial recognition, expanding from over 55 current locations to a projected 200 by year-end.
The attack, which leveraged a deprecated OAuth flow called Resource Owner Password Credentials (ROPC), made over 81 million login attempts between June 12 and June 26, compromising at least 78 Microsoft accounts across 64 organizations.