InfoSec Planet
A collection of diverse security content from a curated list of sources. This website also serves as a demo for "worker-planet", the software that powers it.
Arbitrary free in curl's config file parsing on 23/11/2025
curl disclosed a bug submitted by letshack9707: https://hackerone.com/reports/3434543 [...]
hacking twitch chat on 23/11/2025
Mostly Stupid Hacks on 22/11/2025
AI Jailbreaks That Made Me Go WTF on 22/11/2025
RAW videos from REAL hackers on 22/11/2025
Career Questions with Rob Fuller @mubix! on 22/11/2025
Friday Squid Blogging: New “Squid” Sneaker on 21/11/2025
I did not know Adidas sold a sneaker called “Squid.” As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered. Blog moderation policy. [...]
Improper bot-authentication allows to impersonate any user when sending messages in a room on 21/11/2025
Basecamp disclosed a bug submitted by stackered: https://hackerone.com/reports/3329310 - Bounty: $2000 [...]
More on Rewiring Democracy on 21/11/2025
It’s been a month since Rewiring Democracy: How AI Will Transform Our Politics, Government, and Citizenship was published. From what we know, sales are good. Some of the book’s forty-three chapters are available online: chapters 2, 12, 28, 34, 38, and 41. We need more reviews—six on Amazon is not enough, and no one has yet posted a viral TikTok review. One review was published i [...]
Path traversal via archive.extract - CVE 2021-3281 incomplete patch on 21/11/2025
Django disclosed a bug submitted by stackered: https://hackerone.com/reports/3328367 [...]
Top 5 WTF Prompt Injections on 21/11/2025
hacker final boss on 21/11/2025
AI as Cyberattacker on 21/11/2025
From Anthropic: In mid-September 2025, we detected suspicious activity that later investigation determined to be a highly sophisticated espionage campaign. The attackers used AI’s “agentic” capabilities to an unprecedented degree—using AI not just as an advisor, but to execute the cyberattacks themselves. The threat actor—whom we assess with high confidence was a Chinese state-sponso [...]
APIs Are the Retail Engine: How to Secure Them This Black Friday by Tim Erlin on 21/11/2025
Can you ever imagine the impact on your business if it went offline on Black Friday or Cyber Monday due to a cyberattack? Black Friday is the biggest day in the retail calendar. It’s also the riskiest. As you gear up for huge surges in online traffic, ask yourself: have you protected the APIs on which the business runs? The Black Friday API Boom When you think about Black Fri [...]
Intigriti Bug Bytes #230 - November 2025 🚀 by Ayoub on 21/11/2025
Hi hackers, Welcome to the latest edition of Bug Bytes! In this month’s issue, we’ll be featuring: Finding an RCE using AI in GitHub CORS exploitation cheat sheet Scanning codebases with AI Bypassing paywalls SSTIs in AI models And so much more! Let’s dive in! Company News Intigriti wins 2025 UK IT Industry Awards We are thrilled to announce that Intigriti has won Security Innovation [...]
Mozilla Says It’s Finally Done With Two-Faced Onerep by BrianKrebs on 20/11/2025
In March 2024, Mozilla said it was winding down its collaboration with Onerep — an identity protection service offered with the Firefox web browser that promises to remove users from hundreds of people-search sites — after KrebsOnSecurity revealed Onerep’s founder had created dozens of people-search services and was continuing to operate at least one of them. Sixteen months later [...]
Android Quick Share Support for AirDrop: A Secure Approach to Cross-Platform File Sharing on 20/11/2025
Posted by Dave Kleidermacher, VP, Platforms Security & Privacy, Google Technology should bring people closer together, not create walls. Being able to communicate and connect with friends and family should be easy regardless of the phone they use. That’s why Android has been building experiences that help you stay connected across platforms. As part of our efforts to continue to make cross-pla [...]
Scam USPS and E-Z Pass Texts and Websites on 20/11/2025
Google has filed a complaint in court that details the scam: In a complaint filed Wednesday, the tech giant accused “a cybercriminal group in China” of selling “phishing for dummies” kits. The kits help unsavvy fraudsters easily “execute a large-scale phishing campaign,” tricking hordes of unsuspecting people into “disclosing sensitive information like passwords, credit car [...]
Out-of-bounds read in HTTP method handling causes undefined behavior and potential crash on 20/11/2025
curl disclosed a bug submitted by gaurav_7777: https://hackerone.com/reports/3434510 [...]
AI Hacking CTF | Win Prizes!!! | AMA on 20/11/2025
Lack of minimum value bid wheel verification on customer_bid in Rental Trips on 20/11/2025
Bykea disclosed a bug submitted by sameer_ali: https://hackerone.com/reports/3328343 [...]
Customer can cancel an individual booking in a batch, causing locking of partner on 20/11/2025
Bykea disclosed a bug submitted by sameer_ali: https://hackerone.com/reports/3295503 [...]
Why Datadog is a 2025 Cloud Security Leader on 20/11/2025
A recap of Datadog's awards from the 2025 Latio Cloud Security Market Report [...]
Existence of completed pods allows for bypass of Kubernetes NetworkPolicy on 19/11/2025
AWS VDP disclosed a bug submitted by savannabungee: https://hackerone.com/reports/3328291 [...]
The Cloudflare Outage May Be a Security Roadmap by BrianKrebs on 19/11/2025
An intermittent outage at Cloudflare on Tuesday briefly knocked many of the Internet’s top destinations offline. Some affected Cloudflare customers were able to pivot away from the platform temporarily so that visitors could still access their websites. But security experts say doing so may have also triggered an impromptu network penetration test for organizations that have come to rely on [...]
Unrestricted setPerPage allows huge result sets / resource exhaustion / mass log retrieval on 19/11/2025
Revive Adserver disclosed a bug submitted by vidang04: https://hackerone.com/reports/3413890 [...]
Username normalization missing allows visually indistinguishable accounts (Whitespace-Based Impersonation) on 19/11/2025
Revive Adserver disclosed a bug submitted by yoyomiski: https://hackerone.com/reports/3413764 [...]
Stored-XSS in campaign name displayed in Banners modal on 19/11/2025
Revive Adserver disclosed a bug submitted by vidang04: https://hackerone.com/reports/3411750 [...]
Legal Restrictions on Vulnerability Disclosure on 19/11/2025
Kendra Albert gave an excellent talk at USENIX Security this year, pointing out that the legal agreements surrounding vulnerability disclosure muzzle researchers while allowing companies to not fix the vulnerabilities—exactly the opposite of what the responsible disclosure movement of the early 2000s was supposed to prevent. This is the talk. Thirty years ago, a debate raged over whether vul [...]
Stored-XSS in Banner Name field on 19/11/2025
Revive Adserver disclosed a bug submitted by yoyomiski: https://hackerone.com/reports/3404968 [...]
Reflected XSS in /admin/banner-zone.php (v6.0.0+) on 19/11/2025
Revive Adserver disclosed a bug submitted by vidang04: https://hackerone.com/reports/3403727 [...]
Information Disclosure via Verbose Error Messages on 19/11/2025
Revive Adserver disclosed a bug submitted by yoyomiski: https://hackerone.com/reports/3403450 [...]
IDOR Vulnerability in Banner Deletion on 19/11/2025
Revive Adserver disclosed a bug submitted by cyberjoker: https://hackerone.com/reports/3401612 [...]
Information Disclosure via Add user lookup in Account Management (User Access) on 19/11/2025
Revive Adserver disclosed a bug submitted by yoyomiski: https://hackerone.com/reports/3401464 [...]
Stored XSS in Conversion Statistics via Tracker Name on 19/11/2025
Revive Adserver disclosed a bug submitted by cyberjoker: https://hackerone.com/reports/3400506 [...]
Stored XSS on inventory-retrieve.php on 19/11/2025
Revive Adserver disclosed a bug submitted by lu3ky-13: https://hackerone.com/reports/3399809 [...]
Improper sanitisation of input in the settings could cause DoS on 19/11/2025
Revive Adserver disclosed a bug submitted by lu3ky-13: https://hackerone.com/reports/3399218 [...]
Reflected XSS in account-preferences-plugin.php on 19/11/2025
Revive Adserver disclosed a bug submitted by lu3ky-13: https://hackerone.com/reports/3399191 [...]
Authorization bypass allows changing email address of other users on 19/11/2025
Revive Adserver disclosed a bug submitted by yoyomiski: https://hackerone.com/reports/3398283 [...]
Black Friday and Cyber Monday price distortion identification by Eleanor Barlow on 19/11/2025
Brick-and-click sales leaving no dollar behind The evolution of the internet and, with it, international levels of e-commerce, meant that Black Friday soon became the unofficial start of winter purchases ahead of holiday festivities across the globe. In the early 2000s, Cyber Monday, held on the Monday after Thanksgiving, materialized to encourage people to shop online following the black-Friday [...]
Double free in tool_ssls_load() on 18/11/2025
curl disclosed a bug submitted by xkernel: https://hackerone.com/reports/3431180 [...]
Hack This Bot & Win Prizes! on 18/11/2025
Credentials in URL on 18/11/2025
Science drives progress and creativity fuels discovery on 18/11/2025
Microsoft Entra ID INSECURE DEFAULTS on 18/11/2025
AI and Voter Engagement on 18/11/2025
Social media has been a familiar, even mundane, part of life for nearly two decades. It can be easy to forget it was not always that way. In 2008, social media was just emerging into the mainstream. Facebook reached 100 million users that summer. And a singular candidate was integrating social media into his political campaign: Barack Obama. His campaign’s use of social media was so bracingl [...]
We found cryptography bugs in the elliptic library using Wycheproof on 18/11/2025
Trail of Bits is publicly disclosing two vulnerabilities in elliptic, a widely used JavaScript library for elliptic curve cryptography that is downloaded over 10 million times weekly and is used by close to 3,000 projects. These vulnerabilities, caused by missing modular reductions and a missing length check, could allow attackers to forge signatures or prevent valid signatures from being verified [...]
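The snippet above names the bug class (a verifier that silently reduces a signature component instead of rejecting one that is out of range) without showing why it matters. The following is an added illustration of that class on a textbook toy curve; it is not code from elliptic or from Trail of Bits, and the curve, keys, message hash and nonce are constructed here for the demonstration. The lenient `verify` reduces `r` and `s` modulo the group order the way a missing range check does, so `(r, s + n)` and `(r + n, s)` are accepted as "new" signatures that were never produced by the signer.

```python
import sys

# Textbook toy curve y^2 = x^3 + 2x + 2 over F_17 with generator (5, 1) of prime order 19.
# Chosen so every value can be checked by hand; not a curve for real use.
P, A = 17, 2
G = (5, 1)
N = 19


def inv(x: int, m: int) -> int:
    """Modular inverse (Python 3.8+)."""
    return pow(x, -1, m)


def ec_add(p1, p2):
    """Affine point addition; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * inv(2 * y1, P) % P
    else:
        lam = (y2 - y1) * inv(x2 - x1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    y3 = (lam * (x1 - x3) - y1) % P
    return (x3, y3)


def ec_mul(k: int, pt):
    """Double-and-add scalar multiplication."""
    acc = None
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt = ec_add(pt, pt)
        k >>= 1
    return acc


def sign(d: int, e: int, k: int):
    """ECDSA signing of hash e with private key d and nonce k.
    k is a parameter here only so the example is reproducible; a real signer
    must use a fresh unpredictable nonce (e.g. RFC 6979) for every signature."""
    r = ec_mul(k, G)[0] % N
    s = inv(k, N) * (e + d * r) % N
    assert r and s, "retry with a different k"
    return r, s


def verify(qpub, e: int, sig, strict: bool = True) -> bool:
    """ECDSA verification. strict=True is the correct behaviour (reject r or s
    outside [1, n-1]); strict=False mimics a verifier that forgot the check and
    relies on modular reduction, which is the bug class under discussion."""
    r, s = sig
    if strict:
        if not (1 <= r < N and 1 <= s < N):
            return False
    else:
        r, s = r % N, s % N
        if r == 0 or s == 0:
            return False
    w = inv(s, N)
    pt = ec_add(ec_mul(e * w % N, G), ec_mul(r * w % N, qpub))
    return pt is not None and pt[0] % N == r


def demo() -> dict:
    """Constructed scenario: one genuine signature and two malleated copies."""
    d = 7                      # private key (constructed)
    qpub = ec_mul(d, G)        # public key
    e = 5                      # 'hash' of the message, already reduced mod n
    r, s = sign(d, e, k=3)
    malleated_s = (r, s + N)   # same residue mod n, different bytes on the wire
    malleated_r = (r + N, s)
    return {
        "genuine": verify(qpub, e, (r, s)),
        "s_plus_n_strict": verify(qpub, e, malleated_s, strict=True),
        "s_plus_n_lenient": verify(qpub, e, malleated_s, strict=False),
        "r_plus_n_strict": verify(qpub, e, malleated_r, strict=True),
        "r_plus_n_lenient": verify(qpub, e, malleated_r, strict=False),
        "wrong_key": verify(ec_mul(8, G), e, (r, s)),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:18s} {'ACCEPT' if ok else 'REJECT'}")
    sys.exit(0)
```

The lenient path is exactly what a Wycheproof "signature malleability" test vector catches: the forged tuples never came from the signer, yet they verify, which breaks any system that treats signature bytes as a unique identifier or that assumes strong unforgeability.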
Bypass of Cloudflare's Cache Keys and WAF via header overflow on 18/11/2025
Cloudflare Public Bug Bounty disclosed a bug submitted by david96: https://hackerone.com/reports/3027461 [...]
Intigriti wins ‘Security Innovation of the Year’ at the 2025 UK IT Industry Awards by Eleanor Barlow on 18/11/2025
We are thrilled to announce that Intigriti has won Security Innovation of the Year at the UK IT Industry Awards 2025. A powerful recognition for innovation The UK IT Industry Awards are designed to celebrate organizations, teams, projects, technologies, and individuals who continue to help shape the future of IT. This accolade is a testament to the ingenuity, dedication, and forward-thinking appro [...]
Raid weekend update 21 reports done on 17/11/2025
it's not that complicated on 17/11/2025
Hacking with Nuclei: Uncovering .git Secrets on 17/11/2025
How to Use Nuclei And Automate Cross-Site Scripting Vulnerabilities on 17/11/2025
Authentication Bypass in Subscription Management Endpoint on 17/11/2025
lemlist disclosed a bug submitted by 0hmz: https://hackerone.com/reports/3417162 [...]
More Prompt||GTFO on 17/11/2025
The next three in this series on online events highlighting interesting uses of AI in cybersecurity are online: #4, #5, and #6. Well worth watching. [...]
Double-free vulnerability in libcurl with rustls via NoServerCertVerifier condition leads to application crash on 16/11/2025
curl disclosed a bug submitted by xkernel: https://hackerone.com/reports/3427670 [...]
Microsoft Patch Tuesday, November 2025 Edition by BrianKrebs on 16/11/2025
Microsoft this week pushed security updates to fix more than 60 vulnerabilities in its Windows operating systems and supported software, including at least one zero-day bug that is already being exploited. Microsoft also fixed a glitch that prevented some Windows 10 users from taking advantage of an extra year of security updates, which is nice because the zero-day flaw and other critical weakness [...]
Bug Bounty Tips From The Trenches With @ZACK0X01 on 16/11/2025
a new kind of Capture The Flag hacking on 16/11/2025
Incorrect sizeof() in Rustls Backend Memory Allocation on 15/11/2025
curl disclosed a bug submitted by pelioro: https://hackerone.com/reports/3427460 [...]
Off-by-One Buffer Overflow in SMB Path Handler on 15/11/2025
curl disclosed a bug submitted by pelioro: https://hackerone.com/reports/3427343 [...]
Malicious server forces .curlrc creation via curl -OJ leading to local file exfiltration on 15/11/2025
curl disclosed a bug submitted by djogho: https://hackerone.com/reports/3427194 [...]
Basic Network Segmentation on 15/11/2025
The State of Cybercrime in 2025 (with Nick Ascoli!) on 15/11/2025
Level up your Solidity LLM tooling with Slither-MCP on 15/11/2025
We’re releasing Slither-MCP, a new tool that augments LLMs with Slither’s unmatched static analysis engine. Slither-MCP benefits virtually every use case for LLMs by exposing Slither’s static analysis API via tools, allowing LLMs to find critical code faster, navigate codebases more efficiently, and ultimately improve smart contract authoring and auditing performance. How Slither-MCP works Slither [...]
"One Parameter to Rule Them All - How a User Flaw Unlocked an Admin Fortress" - Shinobi.security on 15/11/2025
Friday Squid Blogging: Pilot Whales Eat a Lot of Squid on 14/11/2025
Short-finned pilot whales (Globicephala macrorhynchus) eat a lot of squid: To figure out a short-finned pilot whale’s caloric intake, Gough says, the team had to combine data from a variety of sources, including movement data from short-lasting tags, daily feeding rates from satellite tags, body measurements collected via aerial drones, and sifting through the stomachs of unfortunate whales [...]
Responsible disclosure - public S3 bucket exposing JSON/config files on 14/11/2025
AWS VDP disclosed a bug submitted by xtawb: https://hackerone.com/reports/3382796 [...]
Practical Help Desk - Learn IT Fundamentals in 9 Hours on 14/11/2025
Upcoming Speaking Engagements on 14/11/2025
This is a current list of where and when I am scheduled to speak: My coauthor Nathan E. Sanders and I are speaking at the Rayburn House Office Building in Washington, DC at noon ET on November 17, 2025. The event is hosted by the POPVOX Foundation and the topic is “AI and Congress: Practical Steps to Govern and Prepare.” I’m speaking on “Integrity and Trustworthy AI” at North Hennepin Community C [...]
Authentication Token Theft via Open Redirect in Callback URL Parameter on 14/11/2025
lemlist disclosed a bug submitted by sle3pyhead: https://hackerone.com/reports/3419636 [...]
Hacking with Burp AI in the Chesspocalypse: API expert Corey Ball showcases how Burp AI can support pentesters. on 14/11/2025
AI isn’t just reshaping cybersecurity - it’s challenging testers to rethink their entire playbook. In his latest article, “Hacking with Burp AI in the Chesspocalypse”, API expert Corey Ball draws less [...]
I Had Claude MCP Hack Me on 14/11/2025
The Role of Humans in an AI-Powered World on 14/11/2025
As AI capabilities grow, we must delineate the roles that should remain exclusively human. The line seems to be between fact-based decisions and judgment-based decisions. For example, in a medical context, if an AI was demonstrably better at reading a test result and diagnosing cancer than a human, you would take the AI in a second. You want the more accurate tool. But justice is harder because ju [...]
How we avoided side-channels in our new post-quantum Go cryptography libraries on 14/11/2025
The Trail of Bits cryptography team is releasing our open-source pure Go implementations of ML-DSA (FIPS-204) and SLH-DSA (FIPS-205), two NIST-standardized post-quantum signature algorithms. These implementations have been engineered and reviewed by several of our cryptographers, so if you or your organization is looking to transition to post-quantum support for digital signatures, try them out! T [...]
How to make money in ethical hacking on 13/11/2025
The $0.05 Supply Chain Hack on 13/11/2025
Rust in Android: move fast and fix things on 13/11/2025
Posted by Jeff Vander Stoep, Android Last year, we wrote about why a memory safety strategy that focuses on vulnerability prevention in new code quickly yields durable and compounding gains. This year we look at how this approach isn’t just fixing things, but helping us move faster. The 2025 data continues to validate the approach, with memory safety vulnerabilities falling below 20% of total [...]
Google Sues to Disrupt Chinese SMS Phishing Triad by BrianKrebs on 13/11/2025
Google is suing more than two dozen unnamed individuals allegedly involved in peddling a popular China-based mobile phishing service that helps scammers impersonate hundreds of trusted brands, blast out text message lures, and convert phished payment card data into mobile wallets from Apple and Google. In a lawsuit filed in the Southern District of New York on November 12, Google sued to unmask an [...]
If you miss these #bugbountytips you might as well gig up on 13/11/2025
microsoft turned me down on 13/11/2025
OWASP Top 10 Business Logic Abuse: What You Need to Know by Tim Erlin on 13/11/2025
Over the past few years, API security has gone from a relatively niche concern to a headline issue. A slew of high-profile breaches and compliance mandates like PCI DSS 4.0 have woken security teams up to the reality that APIs are the front door to their data, infrastructure, and revenue streams. OWASP recently published its first-ever Business Logic Abuse Top 10 List; a clear indication that [...]
Building checksec without boundaries with Checksec Anywhere on 13/11/2025
Since its original release in 2009, checksec has become widely used in the software security community, proving useful in CTF challenges, security posturing, and general binary analysis. The tool inspects executables to determine which exploit mitigations (e.g., ASLR, DEP, stack canaries, etc.) are enabled, rapidly gauging a program’s defensive hardening. This success inspired numerous spinoffs: a [...]
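The snippet describes what checksec reports but not where those answers come from in the binary. The following is an added example, not Trail of Bits' Checksec Anywhere code, showing the minimal ELF64 parsing behind three of the classic checks: PIE from `e_type`, NX from the `PT_GNU_STACK` program header flags, and RELRO from the presence of `PT_GNU_RELRO`. The stack-canary check is the same crude string heuristic the original shell script uses (looking for `__stack_chk_fail`). The two ELF images are constructed inline (header plus program headers only, no code) so the example runs offline; `build_elf` is a helper written for this demonstration.

```python
import struct

ELF_MAGIC = b"\x7fELF"
ET_EXEC, ET_DYN = 2, 3
PT_GNU_STACK, PT_GNU_RELRO = 0x6474E551, 0x6474E552
PF_X, PF_W, PF_R = 1, 2, 4
EHDR_FMT = "<16sHHIQQQIHHHHHH"   # ELF64 header, little-endian, 64 bytes
PHDR_FMT = "<IIQQQQQQ"           # ELF64 program header, 56 bytes


def inspect_elf(blob: bytes) -> dict:
    """checksec-style summary for a little-endian ELF64 image."""
    if blob[:4] != ELF_MAGIC or blob[4] != 2 or blob[5] != 1:
        raise ValueError("not a little-endian ELF64 image")
    fields = struct.unpack_from(EHDR_FMT, blob, 0)
    e_type, e_phoff, e_phentsize, e_phnum = fields[1], fields[5], fields[9], fields[10]
    stack_exec = None   # None: no PT_GNU_STACK header at all
    relro = False
    for i in range(e_phnum):
        p_type, p_flags = struct.unpack_from(PHDR_FMT, blob, e_phoff + i * e_phentsize)[:2]
        if p_type == PT_GNU_STACK:
            stack_exec = bool(p_flags & PF_X)
        elif p_type == PT_GNU_RELRO:
            relro = True
    return {
        # PIE binaries are ET_DYN; ET_EXEC is loaded at a fixed address (no ASLR for the image)
        "pie": e_type == ET_DYN,
        # No PT_GNU_STACK header means the loader falls back to an executable stack,
        # so only an explicit non-executable GNU_STACK counts as NX
        "nx": stack_exec is False,
        # Presence of PT_GNU_RELRO gives partial RELRO; full RELRO additionally needs
        # DT_BIND_NOW in the dynamic section, which this minimal parser does not read
        "relro": relro,
        # Heuristic used by the original script: a canary-protected binary imports __stack_chk_fail
        "canary": b"__stack_chk_fail" in blob,
    }


def build_elf(e_type: int, stack_flags, relro: bool, canary: bool) -> bytes:
    """Construct a minimal ELF64 image (header + program headers) for the demo.
    stack_flags=None omits PT_GNU_STACK entirely."""
    phdrs = []
    if stack_flags is not None:
        phdrs.append((PT_GNU_STACK, stack_flags))
    if relro:
        phdrs.append((PT_GNU_RELRO, PF_R))
    ident = b"\x7fELF\x02\x01\x01" + b"\x00" * 9          # 64-bit, little-endian, version 1
    ehdr = struct.pack(EHDR_FMT, ident, e_type, 0x3E, 1, 0x1000,
                       64, 0, 0, 64, 56, len(phdrs), 64, 0, 0)  # e_machine 0x3E = x86-64
    body = b"".join(struct.pack(PHDR_FMT, t, f, 0, 0, 0, 0, 0, 0x10) for t, f in phdrs)
    trailer = b"__stack_chk_fail\x00" if canary else b""
    return ehdr + body + trailer


# Constructed samples: a hardened PIE with NX, RELRO and canaries, and a legacy
# fixed-address binary with an executable stack and none of the mitigations.
HARDENED = build_elf(ET_DYN, PF_R | PF_W, relro=True, canary=True)
WEAK = build_elf(ET_EXEC, PF_R | PF_W | PF_X, relro=False, canary=False)
NO_STACK_HDR = build_elf(ET_DYN, None, relro=False, canary=False)


def report(blob: bytes) -> str:
    """One-line rendering in the spirit of checksec's table output."""
    r = inspect_elf(blob)
    return "  ".join(f"{k.upper()}:{'yes' if v else 'NO'}" for k, v in r.items())


if __name__ == "__main__":
    for name, blob in (("hardened", HARDENED), ("weak", WEAK), ("no-gnu-stack", NO_STACK_HDR)):
        print(f"{name:13s} {report(blob)}")
```

The `NO_STACK_HDR` case is the one that trips up naive checkers: the absence of a `PT_GNU_STACK` entry is not "unknown", it is an executable stack on Linux, and a tool that only inspects the header when present will report NX where there is none.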
Live: PSAP Release | TCM Security | Blue Team | AMA on 13/11/2025
Lua Infostealer Analysis ("My Hawaii Vacation" CTF) on 12/11/2025
Cybersecurity Fundamentals for Beginners on 11/11/2025
libcurl FTP path normalization flaw allows decoded %2e%2e CWD .. and directory escape (Path Traversal, CWE-22) on 11/11/2025
curl disclosed a bug submitted by ahn0x: https://hackerone.com/reports/3418861 [...]
Hash exposed in public repository on 11/11/2025
curl disclosed a bug submitted by skymander: https://hackerone.com/reports/3419617 [...]
Two click Account Takeover on 11/11/2025
Basecamp disclosed a bug submitted by fr4via: https://hackerone.com/reports/3079738 [...]
Command Injection - CRITICISM on 11/11/2025
curl disclosed a bug submitted by tomar-re: https://hackerone.com/reports/3418760 [...]
Silent TLS Trust Model Hijacking via `CURL_CA_BUNDLE` Environment Variable Leads to MITM on 11/11/2025
curl disclosed a bug submitted by rootsecret3: https://hackerone.com/reports/3418776 [...]
Hunting for DOM-based XSS vulnerabilities: A complete guide by Ayoub on 11/11/2025
Traditional cross-site scripting (XSS) vulnerabilities were prevalent when server-side rendering (with languages like PHP, JSP, and ASP) was the norm. However, as applications become more complex and developers continue to shift application logic to the client-side, more complex client-side vulnerabilities are expected to arise. In this article, we will cover what DOM-based cross-site scripting (X [...]
Arbitrary Configuration File Inclusion: via External Control of File Name or Path on 10/11/2025
curl disclosed a bug submitted by rootsecret3: https://hackerone.com/reports/3418646 [...]
SMTP CRLF Injection in curl/libcurl via MAIL FROM/RCPT TO parameters on 10/11/2025
curl disclosed a bug submitted by haider790h: https://hackerone.com/reports/3418616 [...]
libcurl MQTT `CURLOPT_POSTFIELDSIZE_LARGE` overflow leads to immediate DoS on 10/11/2025
curl disclosed a bug submitted by jiyong: https://hackerone.com/reports/3417428 [...]
Unsafe use of strcpy in Curl_ldap_err2string (packages/OS400/os400sys.c) stack-buffer-overflow (PoC + ASan) on 10/11/2025
curl disclosed a bug submitted by biswarup_das: https://hackerone.com/reports/3418528 [...]
This Is How Max Verstappen Was Hacked on 10/11/2025
SMTP CRLF Command Injection in CURLOPT_MAIL_FROM and CURLOPT_MAIL_RCPT on 10/11/2025
curl disclosed a bug submitted by bau1u: https://hackerone.com/reports/3414088 [...]
A 2025 look at real-world Kubernetes version adoption on 10/11/2025