This is crazy. Lawmakers in several US states are contemplating banning VPNs, because…think of the children! As of this writing, Wisconsin lawmakers are escalating their war on privacy by targeting VPNs in the name of “protecting children” in A.B. 105/S.B. 130. It’s an age verification bill that requires all websites distributing material that could conceivably be deemed “s [...]
Every December, TryHackMe’s Advent of Cyber brings the security community together around a simple idea: learn something new by getting hands-on. Each day during the festive season reveals a beginner- [...]
Stripo Inc disclosed a bug submitted by odaysec: https://hackerone.com/reports/2932960 [...]
curl disclosed a bug submitted by quello_stanco: https://hackerone.com/reports/3445174 [...]
curl disclosed a bug submitted by helspy: https://hackerone.com/reports/3444904 [...]
What is Intigriti’s stance on AI? At Intigriti, we believe AI is a powerful ally to, not a replacement of, our community of security researchers. We will use AI to empower our researchers to hunt for bugs smarter, faster, and more efficiently, while recognizing the value of human creativity and ingenuity that machines cannot replicate. By creating AI-powered tools informed by researcher and cust [...]
Content Security Policies (CSPs) are often deployed as the last line of defense against client-side attacks such as cross-site scripting (XSS) and clickjacking. Since their first introduction in 2012, they've enabled developers to control which and what resources are allowed to load and evaluate within a given DOM context. However, it still commonly occurs that developers rely on this countermeasu [...]
A meter-long flying neon squid (Ommastrephes bartramii) was found dead on an Israeli beach. The species is rare in the Mediterranean. [...]
In a new paper, “Adversarial Poetry as a Universal Single-Turn Jailbreak Mechanism in Large Language Models,” researchers found that turning LLM prompts into poetry resulted in jailbreaking the models: Abstract: We present evidence that adversarial poetry functions as a universal single-turn jailbreak technique for Large Language Models (LLMs). Across 25 frontier proprietary and open-w [...]
A prolific cybercriminal group that calls itself “Scattered LAPSUS$ Hunters” has dominated headlines this year by regularly stealing data from and publicly mass extorting dozens of major corporations. But the tables seem to have turned somewhat for “Rey,” the moniker chosen by the technical operator and public face of the hacker group: Earlier this week, Rey confirmed his r [...]
Revive Adserver disclosed a bug submitted by kassem_s94: https://hackerone.com/reports/3434156 [...]
This quote is from House of Huawei: The Secret History of China’s Most Powerful Company. “Long before anyone had heard of Ren Zhengfei or Huawei, Wan Runnan had been China’s star entrepreneur in the 1980s, with his company, the Stone Group, touted as “China’s IBM.” Wan had believed that economic change could lead to political change. He had thrown his support be [...]
Earlier this month, Microsoft uncovered SesameOp, a new backdoor malware that abuses the OpenAI Assistants API as a covert command-and-control (C2) channel. The discovery has drawn significant attention within the cybersecurity community. Security teams can no longer focus solely on endpoint malware. Attackers are weaponizing public and legitimate AI assistant APIs and defenders must adjust. W [...]
curl disclosed a bug submitted by kak1: https://hackerone.com/reports/3442060 [...]
curl disclosed a bug submitted by lim_e: https://hackerone.com/reports/3442024 [...]
At Intigriti, we host monthly web-based Capture The Flag (CTF) challenges as a way to engage with the security research community. This month, we've decided to take on a challenge ourselves as a way to give back to the community. In response to one of our recent articles, we decided to focus on JSON Web Token (JWT) vulnerabilities. This article provides a step-by-step walkthrough for solving Novem [...]
Democracy is colliding with the technologies of artificial intelligence. Judging from the audience reaction at the recent World Forum on Democracy in Strasbourg, the general expectation is that democracy will be the worse for it. We have another narrative. Yes, there are risks to democracy from AI, but there are also opportunities. We have just published the book Rewiring Democracy: How AI will Tr [...]
A common worry for IT and security teams is that, when operating an effective vulnerability management model, they will be flooded with potential vulnerability reports they likely don’t have the capacity to work through. But the real issue here is not volume; it’s noise. Invalid or low-quality submissions can drain resources, cover up, or deprioritize critical signals that have real business imp [...]
Learn more about the Shai-Hulud 2.0 npm worm. [...]
Flickr disclosed a bug submitted by maskopatol: https://hackerone.com/reports/1916400 - Bounty: $479 [...]
curl disclosed a bug submitted by cainvsilf: https://hackerone.com/reports/3432833 [...]
On the surface, the Superbox media streaming devices for sale at retailers like BestBuy and Walmart may seem like a steal: They offer unlimited access to more than 2,200 pay-per-view and streaming services like Netflix, ESPN and Hulu, all for a one-time fee of around $400. But security experts warn these TV boxes require intrusive software that forces the user’s network to relay Internet tra [...]
M&T Bank Vulnerability Disclosure disclosed a bug submitted by ozgun32: https://hackerone.com/reports/3426761 [...]
The International Association of Cryptologic Research—the academic cryptography association that’s been putting conferences like Crypto (back when “crypto” meant “cryptography”) and Eurocrypt since the 1980s—had to nullify an online election when trustee Moti Yung lost his decryption key. For this election and in accordance with the bylaws of the IACR, the [...]
curl disclosed a bug submitted by letshack9707: https://hackerone.com/reports/3434543 [...]
I did not know Adidas sold a sneaker called “Squid.” As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered. Blog moderation policy. [...]
Basecamp disclosed a bug submitted by stackered: https://hackerone.com/reports/3329310 - Bounty: $2000 [...]
It’s been a month since Rewiring Democracy: How AI Will Transform Our Politics, Government, and Citizenship was published. From what we know, sales are good. Some of the book’s forty-three chapters are available online: chapters 2, 12, 28, 34, 38, and 41. We need more reviews—six on Amazon is not enough, and no one has yet posted a viral TikTok review. One review was published i [...]
Django disclosed a bug submitted by stackered: https://hackerone.com/reports/3328367 [...]
From Anthropic: In mid-September 2025, we detected suspicious activity that later investigation determined to be a highly sophisticated espionage campaign. The attackers used AI’s “agentic” capabilities to an unprecedented degree—using AI not just as an advisor, but to execute the cyberattacks themselves. The threat actor—whom we assess with high confidence was a Chinese state-sponso [...]
Can you ever imagine the impact on your business if it went offline on Black Friday or Cyber Monday due to a cyberattack? Black Friday is the biggest day in the retail calendar. It’s also the riskiest. As you gear up for huge surges in online traffic, ask yourself: have you protected the APIs on which the business runs? The Black Friday API Boom When you think about Black Fri [...]
Hi hackers, Welcome to the latest edition of Bug Bytes! In this month’s issue, we’ll be featuring: Finding an RCE using AI in GitHub CORS exploitation cheat sheet Scanning codebases with AI Bypassing paywalls SSTIs in AI models And so much more! Let’s dive in! Company News Intigriti wins 2025 UK IT Industry Awards We are thrilled to announce that Intigriti has won Security Innovation [...]
In March 2024, Mozilla said it was winding down its collaboration with Onerep — an identity protection service offered with the Firefox web browser that promises to remove users from hundreds of people-search sites — after KrebsOnSecurity revealed Onerep’s founder had created dozens of people-search services and was continuing to operate at least one of them. Sixteen months later [...]
Posted by Dave Kleidermacher, VP, Platforms Security & Privacy, Google Technology should bring people closer together, not create walls. Being able to communicate and connect with friends and family should be easy regardless of the phone they use. That’s why Android has been building experiences that help you stay connected across platforms. As part of our efforts to continue to make cross-pla [...]
Google has filed a complaint in court that details the scam: In a complaint filed Wednesday, the tech giant accused “a cybercriminal group in China” of selling “phishing for dummies” kits. The kits help unsavvy fraudsters easily “execute a large-scale phishing campaign,” tricking hordes of unsuspecting people into “disclosing sensitive information like passwords, credit car [...]
curl disclosed a bug submitted by gaurav_7777: https://hackerone.com/reports/3434510 [...]
Bykea disclosed a bug submitted by sameer_ali: https://hackerone.com/reports/3328343 [...]
Bykea disclosed a bug submitted by sameer_ali: https://hackerone.com/reports/3295503 [...]
A recap of Datadog's awards from the 2025 Latio Cloud Security Market Report [...]
AWS VDP disclosed a bug submitted by savannabungee: https://hackerone.com/reports/3328291 [...]
An intermittent outage at Cloudflare on Tuesday briefly knocked many of the Internet’s top destinations offline. Some affected Cloudflare customers were able to pivot away from the platform temporarily so that visitors could still access their websites. But security experts say doing so may have also triggered an impromptu network penetration test for organizations that have come to rely on [...]
Revive Adserver disclosed a bug submitted by vidang04: https://hackerone.com/reports/3413890 [...]
Revive Adserver disclosed a bug submitted by yoyomiski: https://hackerone.com/reports/3413764 [...]
Revive Adserver disclosed a bug submitted by vidang04: https://hackerone.com/reports/3411750 [...]
Revive Adserver disclosed a bug submitted by yoyomiski: https://hackerone.com/reports/3404968 [...]
Revive Adserver disclosed a bug submitted by vidang04: https://hackerone.com/reports/3403727 [...]
Revive Adserver disclosed a bug submitted by yoyomiski: https://hackerone.com/reports/3403450 [...]
Revive Adserver disclosed a bug submitted by cyberjoker: https://hackerone.com/reports/3401612 [...]
Revive Adserver disclosed a bug submitted by yoyomiski: https://hackerone.com/reports/3401464 [...]
Revive Adserver disclosed a bug submitted by cyberjoker: https://hackerone.com/reports/3400506 [...]
Revive Adserver disclosed a bug submitted by lu3ky-13: https://hackerone.com/reports/3399809 [...]
Revive Adserver disclosed a bug submitted by lu3ky-13: https://hackerone.com/reports/3399218 [...]
Revive Adserver disclosed a bug submitted by lu3ky-13: https://hackerone.com/reports/3399191 [...]
Revive Adserver disclosed a bug submitted by yoyomiski: https://hackerone.com/reports/3398283 [...]
Brick-and-click sales leaving no dollar behind The evolution of the internet and, with it, international levels of e-commerce, meant that Black Friday soon became the unofficial start of winter purchases ahead of holiday festivities across the globe. In the early 2000s, Cyber Monday, held on the Monday after Thanksgiving, materialized to encourage people to shop online following the black-Friday [...]
curl disclosed a bug submitted by xkernel: https://hackerone.com/reports/3431180 [...]
Trail of Bits is publicly disclosing two vulnerabilities in elliptic, a widely used JavaScript library for elliptic curve cryptography that is downloaded over 10 million times weekly and is used by close to 3,000 projects. These vulnerabilities, caused by missing modular reductions and a missing length check, could allow attackers to forge signatures or prevent valid signatures from being verified [...]
Cloudflare Public Bug Bounty disclosed a bug submitted by david96: https://hackerone.com/reports/3027461 [...]
We are thrilled to announce that Intigriti has won Security Innovation of the Year at the UK IT Industry Awards 2025. A powerful recognition for innovation The UK IT Industry Awards are designed to celebrate organizations, teams, projects, technologies, and individuals who continue to help shape the future of IT. This accolade is a testament to the ingenuity, dedication, and forward-thinking appro [...]
lemlist disclosed a bug submitted by 0hmz: https://hackerone.com/reports/3417162 [...]
curl disclosed a bug submitted by xkernel: https://hackerone.com/reports/3427670 [...]
Microsoft this week pushed security updates to fix more than 60 vulnerabilities in its Windows operating systems and supported software, including at least one zero-day bug that is already being exploited. Microsoft also fixed a glitch that prevented some Windows 10 users from taking advantage of an extra year of security updates, which is nice because the zero-day flaw and other critical weakness [...]
curl disclosed a bug submitted by pelioro: https://hackerone.com/reports/3427460 [...]
curl disclosed a bug submitted by pelioro: https://hackerone.com/reports/3427343 [...]
curl disclosed a bug submitted by djogho: https://hackerone.com/reports/3427194 [...]