Someone used my open source project to phish 14,000 people
Summary
This article recounts a phishing campaign that abused the cloud-hosted version of the open-source project Kaneo, showing how attackers exploited the signup flow to send tens of thousands of invitations from throwaway domains. It highlights the lack of safeguards in the cloud-hosted SaaS offerings of open-source projects, the cleanup steps taken, and concrete mitigations (captcha, disposable-email blocking, rate limits, and domain checks) to prevent future abuse. The piece also reflects on the divide between self-hosted and hosted threat models and the responsibilities of maintainers who operate a cloud service.
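The mitigations the summary lists (disposable-email blocking, rate limits, domain checks) are easy to describe and easy to get subtly wrong, so here is an added example of an invitation-flow guard that combines them. This is illustrative code written for this page, not Kaneo's code; the disposable-domain list, the thresholds and the `InviteGuard` API are constructed assumptions. It applies a sliding-window cap per sending account, rejects disposable recipient and signup domains, and flags an account that invites many distinct recipients at one domain in a short window, which is the concentration pattern a bulk phishing run through an invite feature produces.

```python
"""Invite-flow abuse guard: disposable-domain blocking, per-account sliding-window
rate limiting and a recipient-domain concentration check.

Added example for this page, not Kaneo's code. The domain list, thresholds and
API names below are constructed for illustration.
"""
from collections import defaultdict, deque
from dataclasses import dataclass, field
import re

# Constructed, illustrative blocklist; a real deployment loads a maintained list.
DISPOSABLE_DOMAINS = {"mailinator.com", "tempmail.example", "10minutemail.example"}

# Loose syntactic check: local part, '@', a dotted domain with an alphabetic TLD.
EMAIL_RE = re.compile(r"^[^@\s]+@([A-Za-z0-9.-]+\.[A-Za-z]{2,})$")


def email_domain(email: str):
    """Return the lower-cased domain of a syntactically valid address, else None."""
    m = EMAIL_RE.match(email.strip().lower())
    return m.group(1) if m else None


def check_signup_email(email: str) -> tuple:
    """Gate for the signup form: the *sender* must not come from a throwaway domain."""
    domain = email_domain(email)
    if domain is None:
        return False, "invalid-address"
    if domain in DISPOSABLE_DOMAINS:
        return False, "disposable-domain"
    return True, "ok"


@dataclass
class InviteGuard:
    per_account_limit: int = 20      # invites one account may send per window
    window_seconds: int = 3600       # sliding window length
    max_same_domain: int = 5         # recipients at a single domain per window
    # account_id -> deque of (timestamp, recipient_domain), oldest first
    history: dict = field(default_factory=lambda: defaultdict(deque))

    def _prune(self, q, now: float) -> None:
        """Drop entries that have aged out of the sliding window."""
        while q and q[0][0] <= now - self.window_seconds:
            q.popleft()

    def check(self, account_id: str, recipient: str, now: float) -> tuple:
        """Decide whether `account_id` may send an invite to `recipient` at time `now`.

        Returns (allowed, reason). Only allowed invites are recorded, so rejected
        attempts do not consume the sender's quota.
        """
        domain = email_domain(recipient)
        if domain is None:
            return False, "invalid-address"
        if domain in DISPOSABLE_DOMAINS:
            return False, "disposable-domain"

        q = self.history[account_id]
        self._prune(q, now)
        if len(q) >= self.per_account_limit:
            return False, "rate-limited"

        # Many recipients at one domain from one account looks like a targeted blast.
        same_domain = sum(1 for _, d in q if d == domain)
        if same_domain >= self.max_same_domain:
            return False, "domain-concentration"

        q.append((now, domain))
        return True, "ok"


if __name__ == "__main__":
    # Constructed walk-through with small limits so the rejections are visible.
    guard = InviteGuard(per_account_limit=3, window_seconds=60, max_same_domain=2)
    print(check_signup_email("someone@mailinator.com"))
    for t, rcpt in enumerate(["a@corp.example", "b@corp.example",
                              "c@corp.example", "c@other.example", "d@third.example"]):
        print(t, rcpt, guard.check("acct-1", rcpt, float(t)))
```

In production the per-account counters live in a shared store such as Redis rather than in process memory, and the decision log (reason codes per account) is what lets you spot a campaign early: a burst of `rate-limited` and `domain-concentration` rejections from freshly created accounts is a far clearer alert than raw invite volume.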