InfoSec Planet

Roughly 30-50k software packages are published in the open-source ecosystem every day. So far this year, Phylum has found nearly 35,000 malicious packages, uncovering bad actors executing everything from typosquatting to dependency confusion to starjacking to Nation-State attacks. As current trends continue, the adoption of generative AI proliferates. We anticipate deregulation and new policies to [...]

See full content

See full content

Posted by Oliver Chang, Dongge Liu and Jonathan Metzman, Google Open Source Security TeamRecently, OSS-Fuzz reported 26 new vulnerabilities to open source project maintainers, including one vulnerability in the critical OpenSSL library (CVE-2024-9143) that underpins much of internet infrastructure. The reports themselves aren’t unusual—we’ve reported and helped maintainers fix over 11,000 vulnerab [...]

See full content

Steve Bellovin is retiring. Here’s his retirement talk, reflecting on his career and what the cybersecurity field needs next. [...]

See full content

Mozilla disclosed a bug submitted by bashbdeer: https://hackerone.com/reports/2513333 [...]

See full content

Acronis disclosed a bug submitted by tomblorg: https://hackerone.com/reports/1891926 - Bounty: $100 [...]

See full content

Planet Labs disclosed a bug submitted by y0usef: https://hackerone.com/reports/1639011 [...]

See full content

See full content

See full content

The financial technology firm Finastra is investigating the alleged large-scale theft of information from its internal file transfer platform, KrebsOnSecurity has learned. Finastra, which provides software and services to 45 of the world’s top 50 banks, notified customers of the security incident after a cybercriminal began selling more than 400 gigabytes of data purportedly stolen from the [...]

See full content

See full content

Mars disclosed a bug submitted by mo_salah12: https://hackerone.com/reports/2307913 [...]

See full content

Mars disclosed a bug submitted by mo_salah12: https://hackerone.com/reports/2396630 [...]

See full content

Mars disclosed a bug submitted by mo_salah12: https://hackerone.com/reports/2445106 [...]

See full content

Mars disclosed a bug submitted by e5p3ctr0x96: https://hackerone.com/reports/2089895 [...]

See full content

See full content

AWS VDP disclosed a bug submitted by zolaer9527: https://hackerone.com/reports/2805173 [...]

See full content

By Artem Dinaburg AI-enabled code assistants (like GitHub’s Copilot, Continue.dev, and Tabby) are making software development faster and more productive. Unfortunately, these tools are often bad at Solidity. So we decided to improve them! To make it easier to write, edit, and understand Solidity with AI-enabled tools, we have: Added support for Solidity into Tabby and Continue.dev, two local, pri [...]

See full content

Interesting analysis: Although much attention is given to sophisticated, zero-click spyware developed by companies like Israel’s NSO Group, the Italian spyware marketplace has been able to operate relatively under the radar by specializing in cheaper tools. According to an Italian Ministry of Justice document, as of December 2022 law enforcement in the country could rent spyware for €150 a day, re [...]

See full content

See full content

HackerOne disclosed a bug submitted by madara_: https://hackerone.com/reports/2798380 - Bounty: $2500 [...]

See full content

Cosmos disclosed a bug submitted by l33thaxor: https://hackerone.com/reports/2806356 - Bounty: $2000 [...]

See full content

See full content

REI's senior application security engineer discusses their program success, evolving goals, and the value of the security researcher community. [...]

See full content

Zero-day vulnerabilities are more commonly used, according to the Five Eyes: Key Findings In 2023, malicious cyber actors exploited more zero-day vulnerabilities to compromise enterprise networks compared to 2022, allowing them to conduct cyber operations against higher-priority targets. In 2023, the majority of the most frequently exploited vulnerabilities were initially exploited as a zero-day, [...]

See full content

Nextcloud disclosed a bug submitted by cx75fa: https://hackerone.com/reports/2705507 [...]

See full content

See full content

APIs are the backbone of interconnected applications, enabling organizations to innovate, integrate, and scale rapidly. However, as enterprises continue to expand their digital ecosystems, they often encounter a common and complex challenge: API sprawl. Unchecked, API sprawl can lead to increased security risks, inefficient resource utilization, and the frustrating experience of redundant or hard [...]

See full content

See full content

See full content

See full content

Omise disclosed a bug submitted by ndizon_: https://hackerone.com/reports/1479889 [...]

See full content

Nextcloud disclosed a bug submitted by tuyenee: https://hackerone.com/reports/2671404 [...]

See full content

See full content

See full content

See full content

MTN Group disclosed a bug submitted by offensiveops: https://hackerone.com/reports/2762119 [...]

See full content

See full content

Nextcloud disclosed a bug submitted by maccs: https://hackerone.com/reports/2447316 - Bounty: $500 [...]

See full content

See full content

See full content

Fantastic video of a female Gonatus onyx squid swimming while carrying her egg sack. An earlier related post. Blog moderation policy. [...]

See full content

HAQL: HackerOne's simplified query interface for writing performant aggregate queries on tables modeled purposefully for data analysis. [...]

See full content

Posted by Alex Rebert and Max Shavrick, Security Foundations, and Kinuko Yasuda, Core Developer Attackers regularly exploit spatial memory safety vulnerabilities, which occur when code accesses a memory allocation outside of its intended bounds, to compromise systems and sensitive data. These vulnerabilities represent a major security risk to users.  Based on an analysis of in-the-wild [...]

See full content

View survey results and analysis of how AI in SecOps is impacting red and blue team operations. [...]

See full content

See full content

Nextcloud disclosed a bug submitted by kesselb: https://hackerone.com/reports/2720030 [...]

See full content

See full content

Nextcloud disclosed a bug submitted by lukasreschke: https://hackerone.com/reports/2376900 [...]

See full content

Nextcloud disclosed a bug submitted by shushangw: https://hackerone.com/reports/2508422 - Bounty: $100 [...]

See full content

Stuart Schechter makes some good points on the history of bad password policies: Morris and Thompson’s work brought much-needed data to highlight a problem that lots of people suspected was bad, but that had not been studied scientifically. Their work was a big step forward, if not for two mistakes that would impede future progress in improving passwords for decades. First, was Morris and Th [...]

See full content

In December 2023, KrebsOnSecurity revealed the real-life identity of Rescator, the nickname used by a Russian cybercriminal who sold more than 100 million payment cards stolen from Target and Home Depot between 2013 and 2014. Moscow resident Mikhail Shefel, who confirmed using the Rescator identity in a recent interview, also admitted reaching out because he is broke and seeking publicity for seve [...]

See full content

MTN Group disclosed a bug submitted by offensiveops: https://hackerone.com/reports/2764952 [...]

See full content

See full content

HackerOne disclosed a bug submitted by raditz: https://hackerone.com/reports/2709660 [...]

See full content

See full content

For the past year, we’ve worked with the Python Package Index (PyPI) on a new security feature for the Python ecosystem: index-hosted digital attestations, as specified in PEP 740. These attestations improve on traditional PGP signatures (which have been disabled on PyPI) by providing key usability, index verifiability, cryptographic strength, and provenance properties that bring us one step close [...]

See full content

Everybody is reporting about a new security iPhone security feature with iOS 18: if the phone hasn’t been used for a few days, it automatically goes into its “Before First Unlock” state and has to be rebooted. This is a really good security feature. But various police departments don’t like it, because it makes it harder for them to unlock suspects’ phones. [...]

See full content

See full content

Read how HackerOne's internal security team disproved an alleged MFA bypass with a targeted Spot Check. [...]

See full content

See full content

See full content

LinkedIn disclosed a bug submitted by sevada797: https://hackerone.com/reports/2534458 [...]

See full content

Posted by Lyubov Farafonova, Product Manager and Steve Kafka, Group Product Manager, Android User safety is at the heart of everything we do at Google. Our mission to make technology helpful for everyone means building features that protect you while keeping your privacy top of mind. From Gmail’s defenses that stop more than 99.9% of spam, phishing and malware, to Google Messages’ advanced secur [...]

See full content

There is no doubt that attackers have shifted their attention to APIs. Wallarm’s API ThreatStats research identifies that 70% of attacks now target APIs instead of Web Applications. While APIs have become the backbone of innovation and connectivity for businesses, they have also introduced a vast attack surface that’s challenging to defend with traditional methods alone. To address these unique A [...]

See full content

Doppler disclosed a bug submitted by mr_root_0101: https://hackerone.com/reports/2801036 - Bounty: $250 [...]

See full content

See full content

Acronis disclosed a bug submitted by theelgo64: https://hackerone.com/reports/1901713 [...]

See full content

DeFlock is a crowd-sourced project to map license plate scanners. It only records the fixed scanners, of course. The mobile scanners on cars are not mapped. [...]

See full content

See full content

By Simone Monica In January, we identified and reported a vulnerability in the Lotus and Venus clients of the Filecoin network that allowed an attacker to remotely crash a node and trigger a denial of service. This issue is caused by an incorrect validation of an index, resulting in an index out-of-range panic. The vulnerability demonstrates an insecure practice we often observe in our audits of b [...]

See full content

Microsoft today released updates to plug at least 89 security holes in its Windows operating systems and other software. November’s patch batch includes fixes for two zero-day vulnerabilities that are already being exploited by attackers, as well as two other flaws that were publicly disclosed prior to today. The zero-day flaw tracked as CVE-2024-49039 is a bug in the Windows Task Scheduler [...]

See full content

See full content

There’s no doubt that API security is a hot topic these days. The continued growth in API-related breaches and increase in publicized API vulnerabilities has pushed API security to the top of CISO’s lists. The tools in the market for API security still have room for improvement, of course. One of the challenges security practitioners face with APIs is understanding the context in which an attack [...]

See full content

I’ve been writing about the problem with lawful-access backdoors in encryption for decades now: that as soon as you create a mechanism for law enforcement to bypass encryption, the bad guys will use it too. Turns out the same thing is true for non-technical backdoors: The advisory said that the cybercriminals were successful in masquerading as law enforcement by using compromised police acco [...]

See full content

See full content

See full content

See full content

See full content

API attacks can be costly. Really costly. Obvious financial impacts like legal fines, stolen finances, and incident response budgets can run into the hundreds of millions. However, other hidden costs often compound the issue, especially if you’re not expecting them.  This article will explore the obvious and hidden costs of API breaches, their long-term business impacts, and how you can c [...]

See full content

See full content

See full content

The Federal Bureau of Investigation (FBI) is urging police departments and governments worldwide to beef up security around their email systems, citing a recent increase in cybercriminal services that use hacked police email accounts to send unauthorized subpoenas and customer data requests to U.S.-based technology companies. In an alert (PDF) published this week, the FBI said it has seen an upti [...]

See full content

See full content

Squid-A-Rama will be in Des Moines at the end of the month. Visitors will be able to dissect squid, explore fascinating facts about the species, and witness a live squid release conducted by local divers. How are they doing a live squid release? Simple: this is Des Moines, Washington; not Des Moines, Iowa. Blog moderation policy. [...]

See full content

See full content

The Open Source Initiative has published (news article here) its definition of “open source AI,” and it’s terrible. It allows for secret training data and mechanisms. It allows for development to be done in secret. Since for a neural network, the training data is the source code—it’s how the model gets programmed—the definition makes no sense. And it’s con [...]

See full content

Mozilla disclosed a bug submitted by vanhoefm: https://hackerone.com/reports/1987687 [...]

See full content

Mozilla disclosed a bug submitted by vanhoefm: https://hackerone.com/reports/1987680 [...]

See full content

See full content

Capture The Flag (CTF) challenges are fun to play, form a powerful training ground and help drastically develop your hacking skills. CTF competitions come in many forms, from malware analysis to web vulnerability challenges. Some CTF events also provide the winners with cash rewards (bounties), exclusive and limited-edition prizes (such as swag), and even job offers! However, t… [...]

See full content

curl disclosed a bug submitted by rootgh0st: https://hackerone.com/reports/2823554 [...]

See full content

See full content

AI and APIs have a symbiotic relationship. APIs power AI by providing the necessary data and functionality, while AI enhances API security through advanced threat detection and automated responses. In 2023, 83% of Internet traffic traveled through APIs, but there was a 21% increase in API-related vulnerabilities in Q3 2024, severely impacting AI. The relationship between AI and APIs expands capab [...]

See full content

See full content

See full content

AWS VDP disclosed a bug submitted by zolaer9527: https://hackerone.com/reports/2808412 [...]

See full content

See full content

Improper access control is the #3 most common security vulnerability. Learn what improper access control is, its impacts, and how to prevent it. [...]

See full content

See full content