InfoSec Planet

See full content

See full content

curl disclosed a bug submitted by frizo_05: https://hackerone.com/reports/3346118 [...]

See full content

See full content

Note: This is a guest post by pentester and researcher, Tom Stacey (@t0xodile). You'd think that after almost 21 years since its initial public discovery, HTTP Request Smuggling would be barely exploi [...]

See full content

This is a nice piece of research: “Mind the Gap: Time-of-Check to Time-of-Use Vulnerabilities in LLM-Enabled Agents“.: Abstract: Large Language Model (LLM)-enabled agents are rapidly emerging across a wide range of applications, but their deployment introduces vulnerabilities with security implications. While prior work has examined prompt-based attacks (e.g., prompt injection) and dat [...]

See full content

APIs are a blessing and a curse. They’re the backbone of the modern internet. They also expose complex behaviors that are often poorly documented, stitched together across legacy and cloud systems, and updated faster than security teams can review.  Three key groups typically shoulder the burden of protecting them:  DevOps teams are already racing to keep uptime high and deployme [...]

See full content

Mutation testing reveals blind spots in test suites by systematically introducing bugs and checking if tests catch them. Blockchain developers should use mutation testing to measure the effectiveness of their test suites and find bugs that traditional testing can miss. [...]

See full content

curl disclosed a bug submitted by jfhgdsjkf: https://hackerone.com/reports/3344663 [...]

See full content

curl disclosed a bug submitted by smiliesandco: https://hackerone.com/reports/3341476 [...]

See full content

See full content

Bykea disclosed a bug submitted by sameer_ali: https://hackerone.com/reports/3228011 [...]

See full content

See full content

Shopify disclosed a bug submitted by fr4via: https://hackerone.com/reports/1737358 [...]

See full content

Shopify disclosed a bug submitted by ahmednasr1: https://hackerone.com/reports/2886723 [...]

See full content

See full content

Bykea disclosed a bug submitted by sameer_ali: https://hackerone.com/reports/3249406 [...]

See full content

Vulnerabilities in electronic safes that use Securam Prologic locks: While both their techniques represent glaring security vulnerabilities, Omo says it’s the one that exploits a feature intended as a legitimate unlock method for locksmiths that’s the more widespread and dangerous. “This attack is something where, if you had a safe with this kind of lock, I could literally pull u [...]

See full content

See full content

See full content

See full content

See full content

See full content

See full content

See full content

See full content

See full content

See full content

See full content

See full content

At least 187 code packages made available through the JavaScript repository NPM have been infected with a self-replicating worm that steals credentials from developers and publishes those secrets on GitHub, experts warn. The malware, which briefly infected multiple code packages from the security vendor CrowdStrike, steals and publishes even more credentials every time an infected package is insta [...]

See full content

Senator Ron Wyden has asked the Federal Trade Commission to investigate Microsoft over its continued use of the RC4 encryption algorithm. The letter talks about a hacker technique called Kerberoasting, that exploits the Kerberos authentication system. [...]

See full content

We’ve added a pickle file scanner to Fickling that uses an allowlist approach to protect AI/ML environments from malicious pickle files that could compromise models or infrastructure. [...]

See full content

curl disclosed a bug submitted by batuhanilgarr: https://hackerone.com/reports/3340109 [...]

See full content

Posted by Daniel MoghimiRowhammer is a complex class of vulnerabilities across the industry. It is a hardware vulnerability in DRAM where repeatedly accessing a row of memory can cause bit flips in adjacent rows, leading to data corruption. This can be exploited by attackers to gain unauthorized access to data, escalate privileges, or cause denial of service. Hardware vendors have deployed various [...]

See full content

Django disclosed a bug submitted by eyalsec: https://hackerone.com/reports/3292573 [...]

See full content

See full content

Attaullah Baig, WhatsApp’s former head of security, has filed a whistleblower lawsuit alleging that Facebook deliberately failed to fix a bunch of security flaws, in violation of its 2019 settlement agreement with the Federal Trade Commission. The lawsuit, alleging violations of the whistleblower protection provision of the Sarbanes-Oxley Act passed in 2002, said that in 2022, roughly 100,00 [...]

See full content

See full content

See full content

See full content

This is a current list of where and when I am scheduled to speak: I’m speaking and signing books at the Cambridge Public Library on October 22, 2025 at 6 PM ET. The event is sponsored by Harvard Bookstore. I’m giving a virtual talk about my book Rewiring Democracy at 1 PM ET on October 23, 2025. The event is hosted by Data & Society. More details to come. I’m speaking at the World Forum for D [...]

See full content

curl disclosed a bug submitted by anony_gaku: https://hackerone.com/reports/3337561 [...]

See full content

Insulet Corporation disclosed a bug submitted by mechatech84: https://hackerone.com/reports/1073725 [...]

See full content

WordPress disclosed a bug submitted by maxbr3n404: https://hackerone.com/reports/2999394 [...]

See full content

Research: Nondestructive detection of multiple dried squid qualities by hyperspectral imaging combined with 1D-KAN-CNN Abstract: Given that dried squid is a highly regarded marine product in Oriental countries, the global food industry requires a swift and noninvasive quality assessment of this product. The current study therefore uses visible­near-infrared (VIS-NIR) hyperspectral imaging and deep [...]

See full content

Interesting analysis: When cyber incidents occur, victims should be notified in a timely manner so they have the opportunity to assess and remediate any harm. However, providing notifications has proven a challenge across industry. When making notifications, companies often do not know the true identity of victims and may only have a single email address through which to provide the notification. [...]

See full content

See full content

See full content

Arman S., a full-time independent security researcher and bug bounty hunter, talked us through how he uses Burp Suite Professional and HackerOne in tandem to find and report high-value security vulner [...]

See full content

Django disclosed a bug submitted by eyalsec: https://hackerone.com/reports/2588426 [...]

See full content

See full content

In May 2025, the European Union levied financial sanctions on the owners of Stark Industries Solutions Ltd., a bulletproof hosting provider that materialized two weeks before Russia invaded Ukraine and quickly became a top source of Kremlin-linked cyberattacks and disinformation campaigns. But new findings show those sanctions have done little to stop Stark from simply rebranding and transferring [...]

See full content

curl disclosed a bug submitted by 0xrey: https://hackerone.com/reports/3335085 [...]

See full content

See full content

APIs are now the beating heart of digital infrastructure. But as they have risen in importance, they’ve also become prime targets for attackers. Complex, often poorly understood API behaviors present rich opportunities for exploitation, and too often, security teams are left scrambling to protect critical infrastructure with outdated tools or cumbersome deployments. Wallarm’s Security Edge is [...]

See full content

TikTok disclosed a bug submitted by eneri: https://hackerone.com/reports/3012526 [...]

See full content

TikTok disclosed a bug submitted by ahmed_xyz: https://hackerone.com/reports/3037447 [...]

See full content

See full content

Posted by Eric Lynch, Senior Product Manager, Android Security, and Sherif Hanna, Group Product Manager, Google C2PA Core At Made by Google 2025, we announced that the new Google Pixel 10 phones will support C2PA Content Credentials in Pixel Camera and Google Photos. This announcement represents a series of steps towards greater digital media transparency: The Pixel 10 lineup is the first t [...]

See full content

Khan Academy disclosed a bug submitted by meowsint: https://hackerone.com/reports/3250691 [...]

See full content

See full content

Sui’s Move language significantly improves flash loan security by replacing Solidity’s reliance on callbacks and runtime checks with a “hot potato” model that enforces repayment at the language level. This shift makes flash loan security a language guarantee rather than a developer responsibility. [...]

See full content

curl disclosed a bug submitted by bigsleep: https://hackerone.com/reports/3294999 [...]

See full content

curl disclosed a bug submitted by cruocco: https://hackerone.com/reports/3330839 [...]

See full content

You asked, and we answered. At Intigriti, we’ve been paying close attention to the questions most frequently asked by those with a bug bounty program in place. That’s why we’ve launched this blog series dedicated to answering the most frequently asked questions, diving into hot topics, and sharing practical and expert-backed strategies to help you maximize your bug bounty success. So far in this s [...]

See full content

Microsoft Corp. today issued security updates to fix more than 80 vulnerabilities in its Windows operating systems and software. There are no known “zero-day” or actively exploited vulnerabilities in this month’s bundle from Redmond, which nevertheless includes patches for 13 flaws that earned Microsoft’s most-dire “critical” label. Meanwhile, both Apple and Goo [...]

See full content

See full content

curl disclosed a bug submitted by mohmed_shoukry: https://hackerone.com/reports/3331764 [...]

See full content

A couple of months ago, a new paper demonstrated some new attacks against the Fiat-Shamir transformation. Quanta published a good article that explains the results. This is a pretty exciting paper from a theoretical perspective, but I don’t see it leading to any practical real-world cryptanalysis. The fact that there are some weird circumstances that result in Fiat-Shamir insecurities isn [...]

See full content

At least 18 popular JavaScript code packages that are collectively downloaded more than two billion times each week were briefly compromised with malicious software today, after a developer involved in maintaining the projects was phished. The attack appears to have been quickly contained and was narrowly focused on stealing cryptocurrency. But experts warn that a similar attack with a slightly mo [...]

See full content

See full content

When I announced my latest book last week, I forgot to mention that you can pre-order a signed copy here. I will ship the books the week of 10/20, when it is published. [...]

See full content

Just a few months after Elon Musk’s retreat from his unofficial role leading the Department of Government Efficiency (DOGE), we have a clearer picture of his vision of government powered by artificial intelligence, and it has a lot more to do with consolidating power than benefitting the public. Even so, we must not lose sight of the fact that a different administration could wield the same [...]

See full content

Throughout the past few years, APIs have become the backbone of digital infrastructure. They enable software-to-software communication, improve integration and interoperability, support modular architecture, and more.  But as API use has exploded, so has API traffic volume and complexity, making them increasingly difficult to secure. And the rise of AI agents and automation have complicat [...]

See full content

The chairman of the Federal Trade Commission (FTC) last week sent a letter to Google’s CEO demanding to know why Gmail was blocking messages from Republican senders while allegedly failing to block similar missives supporting Democrats. The letter followed media reports accusing Gmail of disproportionately flagging messages from the GOP fundraising platform WinRed and sending them to the spa [...]

See full content

See full content

See full content

By using smart contract programmability, exchanges can build custody solutions that remain secure even when multisig keys are compromised. [...]

See full content

Shopify disclosed a bug submitted by naveenventure: https://hackerone.com/reports/3161827 [...]

See full content

See full content

Application security teams are under pressure. With expanding application estates, growing API usage, and faster release cycles, many teams struggle to keep up. Backlogs grow, releases are delayed, an [...]

See full content

See full content

curl disclosed a bug submitted by g3nj1z: https://hackerone.com/reports/3324901 [...]

See full content

By Ivan Novikov and Stepan Ilyin When we started Wallarm, we focused on the APIs that power modern apps. We built an API-first platform, used AI from day one, and secured early patents in behavior-based detection and automated policy creation. The result: real-time, inline blocking with automatic API discovery that protects production, not just dashboards. Today’s investment isn’t only fuel [...]

See full content

curl disclosed a bug submitted by reporascal_1: https://hackerone.com/reports/3324190 [...]

See full content

See full content

A vulnerability in Electron applications allows attackers to bypass code integrity checks by tampering with V8 heap snapshot files, enabling local backdoors in applications like Signal, 1Password, and Slack. [...]

See full content

See full content

See full content

You asked, and we answered. At Intigriti, we’ve been paying close attention to the questions most frequently asked by those with a bug bounty program in place. That’s why we’ve launched this blog series dedicated to answering the most asked questions, diving into hot topics, and sharing practical and expert-backed strategies to help you maximize your bug bounty success. So far in this series, we h [...]

See full content

Tucows (VDP) disclosed a bug submitted by c0rvuz: https://hackerone.com/reports/3255473 [...]

See full content

Mars disclosed a bug submitted by kuriyama: https://hackerone.com/reports/1452774 [...]

See full content

Mars disclosed a bug submitted by kuriyama: https://hackerone.com/reports/1851895 [...]

See full content

Mars disclosed a bug submitted by kuriyama: https://hackerone.com/reports/1851886 [...]

See full content

Mars disclosed a bug submitted by kuriyama: https://hackerone.com/reports/2189797 [...]

See full content

Mars disclosed a bug submitted by blackbird_azar: https://hackerone.com/reports/3185001 [...]

See full content

Mars disclosed a bug submitted by egsec: https://hackerone.com/reports/3228888 [...]

See full content

Lichess disclosed a bug submitted by albetisi: https://hackerone.com/reports/2130385 [...]

See full content

Add-on (or plugin) ecosystems unlock an entire new world of integration possibilities while also complementing the platform's extensibility to developers. However, in practice, finding the right balance between adding extensibility and maintaining security often proves to be difficult. The root cause stems from a lack of following security best practices. Proper isolation is, for instance, never f [...]

See full content