Last updated: May 13, 2026 at 5:42 AM UTC
Tag: 2fa-bypass (2 articles)

Google says hackers used AI to build first known zero-day for 2FA bypass in unnamed web admin tool

Google's Threat Intelligence Group says it caught the first known case of a real attacker using a large language model to find and weaponize a zero-day - a 2FA bypass in a popular but unnamed open-source web-based system administration tool. Google has high confidence the Python exploit was AI-generated, citing textbook code structure, abundant educational docstrings, and a hallucinated CVSS score in the script. The flaw was a high-level logic bug, the kind LLMs excel at spotting, rather than a memory corruption issue. Google rules out Gemini and warns that AI-assisted exploit development is being industrialized via account-pooling and proxy relays for premium models.

Check
Audit open-source web-based system administration tools your team self-hosts (Webmin, Cockpit, ISPConfig, etc.). Check whether 2FA is the only barrier protecting admin access, and review recent admin logins for anomalies.
Affected
The specific affected product remains undisclosed - Google notified the developer and the attack was disrupted pre-mass-exploitation. Generally, any popular open-source web-based system administration tool with a 2FA implementation that relies on a semantic logic check rather than tightly-bound session validation is exposed to this class of AI-discovered logic bug.
Fix
Wait for vendor disclosure when Google's reporting names the product. In the meantime, layer additional controls in front of any web admin panel: place it behind a VPN or zero-trust gateway, require source-IP allowlisting, and rotate admin credentials. Treat 2FA-only protection on internet-exposed admin tools as a single point of failure regardless of the vendor.

Vietnamese fraudsters used Google's no-code app platform to send Facebook phishing emails that passed every spam check, then sold the stolen accounts back to victims

Guardio documented a Vietnamese-linked fraud operation that has stolen roughly 30,000 Facebook business accounts by abusing Google's AppSheet no-code platform as a phishing relay. Because the phishing emails come from noreply@appsheet.com (a real Google address), they pass SPF, DKIM, and DMARC checks that normally catch fake-Meta emails. The lures impersonate Meta Support and threaten account deletion within 24 hours unless the user 'submits an appeal.' Stolen credentials, 2FA codes, and government ID photos are exfiltrated to Telegram. The operators then sell the stolen accounts back to victims through their own recovery service.

Check
Brief every staff member who manages a Facebook business account that any email from 'noreply@appsheet.com' claiming to be Meta is hostile, regardless of how legitimate the formatting looks.
Affected
Facebook Business account owners worldwide, with 68.6% of victims based in the US. Acute risk for marketing teams, social media managers, and small business owners who manage Facebook ad accounts. Any organization using the same Facebook business account for paid ads since 2024 is in the broader target pool. Stolen accounts often hold credit card data and ad spend history.
Fix
Block emails from noreply@appsheet.com unless your organization legitimately uses Google AppSheet. Train staff that real Meta support never asks for 2FA codes via email. Enable Meta Business Manager 2FA with hardware keys (not SMS). For organizations already compromised, contact Meta Business Help directly through facebook.com - the 'recovery service' is the same operation that took the account.