InfoSec Planet
A collection of diverse security content from a curated list of sources. This website also serves as a demo for "worker-planet", the software that powers it.
How Each Pillar of the 1st Amendment is Under Attack
by BrianKrebs on 31/03/2025
“Congress shall make no law respecting an establishment of religion, or prohibiting the free exercise thereof; or abridging the freedom of speech, or of the press; or the right of the people peaceably to assemble, and to petition the Government for a redress of grievances.” -U.S. Constitution, First Amendment.
Image: Shutterstock, zimmytws.
In an address to Congress this month, Preside [...]
Friday Squid Blogging: Squid Werewolf Hacking Group
on 28/03/2025
In another rare squid/cybersecurity intersection, APT37 is also known as “Squid Werewolf.”
As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered.
[...]
The Most Common Mistakes New SOC Analysts Make
on 28/03/2025
we're hosting a conference
on 28/03/2025
No rate limiting on form[register]
on 28/03/2025
Informatica disclosed a bug submitted by growler09: https://hackerone.com/reports/2583500 [...]
AIs as Trusted Third Parties
on 28/03/2025
This is a truly fascinating paper: “Trusted Machine Learning Models Unlock Private Inference for Problems Currently Infeasible with Cryptography.” The basic idea is that AIs can act as trusted third parties:
Abstract: We often interact with untrusted parties. Prioritization of privacy can limit the effectiveness of these interactions, as achieving certain goals necessitates sharing pr [...]
Understanding CVE-2025-29927: The Next.js Middleware Authorization Bypass Vulnerability
on 28/03/2025
Learn how the Next.js middleware authorization bypass vulnerability works, and how to detect and remediate it. [...]
Get Faster on the Linux Terminal with zoxide!
on 27/03/2025
New security requirements adopted by HTTPS certificate industry
on 27/03/2025
Posted by Chrome Root Program, Chrome Security Team
The Chrome Root Program launched in 2022 as part of Google’s ongoing commitment to upholding secure and reliable network connections in Chrome. We previously described how the Chrome Root Program keeps users safe, and described how the program is focused on promoting technologies and practices that strengthen the underlying security assurances [...]
Cloudflare WAF Bypass - Origin IP Exposure
on 27/03/2025
Hemi VDP disclosed a bug submitted by aaravhex: https://hackerone.com/reports/2991326 [...]
When Getting Phished Puts You in Mortal Danger
by BrianKrebs on 27/03/2025
Many successful phishing attacks result in a financial loss or malware infection. But falling for some phishing scams, like those currently targeting Russians searching online for organizations that are fighting the Kremlin war machine, can cost you your freedom or your life.
The real website of the Ukrainian paramilitary group “Freedom of Russia” legion. The text has been machine-tran [...]
HTTP Response Header Injection in shopify/pitchfork + Rack 3
on 27/03/2025
Shopify disclosed a bug submitted by ooooooo_q: https://hackerone.com/reports/2279572 - Bounty: $800 [...]
A Taxonomy of Adversarial Machine Learning Attacks and Mitigations
on 27/03/2025
NIST just released a comprehensive taxonomy of adversarial machine learning attacks and countermeasures.
[...]
LIVE: WordPress Intrusion | Cybersecurity | Blue Team | AMA
on 27/03/2025
Titan Security Keys now available in more countries
on 26/03/2025
Posted by Christiaan Brand, Group Product Manager
We’re excited to announce that starting today, Titan Security Keys are available for purchase in more than 10 new countries: Ireland, Portugal, the Netherlands, Denmark, Norway, Sweden, Finland, Australia, New Zealand, Singapore and Puerto Rico. This expansion means Titan Security Keys are now available in 22 markets, including previously announced countries like Austria, Be [...]
this MP3 file is malware
on 26/03/2025
AI Agents and API Security: The Hidden Risks Lurking in Your Business Logic
by Sergei Lega on 26/03/2025
Modern organizations are becoming increasingly reliant on agentic AI, and for good reason: AI agents can dramatically improve efficiency and automate mission-critical functions like customer support, sales, operations, and even security. However, this deep integration into business processes introduces risks that, without proper API security, can compromise sensitive data and decision-making.
[...]
AI Data Poisoning
on 26/03/2025
Cloudflare has a new feature—available to free users as well—that uses AI to generate random pages to feed to AI web crawlers:
Instead of simply blocking bots, Cloudflare’s new system lures them into a “maze” of realistic-looking but irrelevant pages, wasting the crawler’s computing resources. The approach is a notable shift from the standard block-and-defend st [...]
Null Pointer Dereference by Crafted Response from AI Model
on 26/03/2025
Brave Software disclosed a bug submitted by canalun: https://hackerone.com/reports/2958097 - Bounty: $100 [...]
Detecting NTFS Timestomping
on 25/03/2025
Report on Paragon Spyware
on 25/03/2025
Citizen Lab has a new report on Paragon’s spyware:
Key Findings:
Introducing Paragon Solutions. Paragon Solutions was founded in Israel in 2019 and sells spyware called Graphite. The company differentiates itself by claiming it has safeguards to prevent the kinds of spyware abuses that NSO Group and other vendors are notorious for.
Infrastructure Analysis of Paragon Spyware. Based on a tip [...]
Intigriti insights into latest beg bounty scam
by Eleanor Barlow on 25/03/2025
The Intigriti team have recently observed an abuse scenario, trending across the industry, where malicious actors are posing as legitimate white-hat hackers, deceiving targeted companies into believing their actions are carried out in good faith.
Bad actors will always try to exploit the system, in any industry, for personal gain. At Intigriti, we help customers navigate this l… [...]
8 Tips for writing effective bug bounty reports
by blackbird-eu on 25/03/2025
So, you've found a valid security vulnerability in one of your bug bounty programs, now it's time to write the report. Finding the vulnerability was half the story. Writing effective reports is also an essential phase in bug bounty.
Clear, well-written, and to-the-point bug bounty reports often get triaged faster and have more chance of getting well received by companies. In th… [...]
Creating immutable users through a bug in Entra ID restricted administrative units
on 25/03/2025
Imagine trying to disable a malicious user in your Azure environment, only to find it can't be modified! We recently identified a timing-based bug in Entra ID's restricted administrative units (AUs) that could have allowed just this scenario to occur. [...]
The 'IngressNightmare' vulnerabilities in the Kubernetes Ingress NGINX Controller: Overview, detection, and remediation
on 25/03/2025
Learn how the Kubernetes Ingress NGINX Controller vulnerabilities work, how to detect and remediate them. [...]
CNWPP How To Fail An Exam Part 4:4
on 24/03/2025
Non-Production API Endpoints for the Forecast Service Fail to Log to CloudTrail Resulting in Silent Permission Enumeration
on 24/03/2025
AWS VDP disclosed a bug submitted by nick_frichette_dd: https://hackerone.com/reports/3022516 [...]
Twitter broken link hijacking in thewild.com
on 24/03/2025
Autodesk disclosed a bug submitted by yunxohang: https://hackerone.com/reports/3035275 [...]
This Simple URL Encoding Made me $50,000 in Bounties
on 24/03/2025
the CRITICAL 9.1 severity Next.js vulnerability
on 24/03/2025
More Countries are Demanding Backdoors to Encrypted Apps
on 24/03/2025
Last month, I wrote about the UK forcing Apple to break its Advanced Data Protection encryption in iCloud. More recently, both Sweden and France are contemplating mandating backdoors. Both initiatives are attempting to scare people into supporting backdoors, which are—of course—a terrible idea.
Also: “A Feminist Argument Against Weakening Encryption.”
[...]
Cache Poisoning Allows Zero Interaction Store XSS
on 22/03/2025
Trendyol disclosed a bug submitted by samark19: https://hackerone.com/reports/2917062 [...]
CNWPP How To Fail An Exam Part 3:4
on 21/03/2025
Friday Squid Blogging: A New Explanation of Squid Camouflage
on 21/03/2025
New research:
An associate professor of chemistry and chemical biology at Northeastern University, Deravi’s recently published paper in the Journal of Materials Chemistry C sheds new light on how squid use organs that essentially function as organic solar cells to help power their camouflage abilities.
As usual, you can also use this squid post to talk about the security stories in the news that I [...]
Arrests in Tap-to-Pay Scheme Powered by Phishing
by BrianKrebs on 21/03/2025
Authorities in at least two U.S. states last week independently announced arrests of Chinese nationals accused of perpetrating a novel form of tap-to-pay fraud using mobile devices. Details released by authorities so far indicate the mobile wallets being used by the scammers were created through online phishing scams, and that the accused were relying on a custom Android app to relay tap-to-pay tr [...]
Learn API Hacking!
on 21/03/2025
My Writings Are in the LibGen AI Training Corpus
on 21/03/2025
The Atlantic has a search tool that allows you to search for specific works in the “LibGen” database of copyrighted works that Meta used to train its AI models. (The rest of the article is behind a paywall, but not the search tool.)
It’s impossible to know exactly which parts of LibGen Meta used to train its AI, and which parts it might have decided to exclude; this snapshot was taken [...]
The REAL Truth About AI in Cybersecurity
on 21/03/2025
NCSC Releases Post-Quantum Cryptography Timeline
on 21/03/2025
The UK’s National Computer Security Center (part of GCHQ) released a timeline—also see their blog post—for migration to quantum-computer-resistant cryptography.
It even made The Guardian.
[...]
3 Interview Questions You MUST Ask!
on 20/03/2025
Limited Privilege User Can Create Unauthorized Referrals on partners.shopify.com
on 20/03/2025
Shopify disclosed a bug submitted by samux: https://hackerone.com/reports/1457471 [...]
Critical GitHub Attack
on 20/03/2025
This is serious:
A sophisticated cascading supply chain attack has compromised multiple GitHub Actions, exposing critical CI/CD secrets across tens of thousands of repositories. The attack, which originally targeted the widely used “tj-actions/changed-files” utility, is now believed to have originated from an earlier breach of the “reviewdog/action-setup@v1” GitHub Action, according to a report.
[...]
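The compromise quoted above reached every workflow that referenced the affected actions by a mutable tag such as @v1: a tag can be moved to a malicious commit, so anyone consuming the tag silently picks up the new code. The script below is an added example, not part of the original post or the cited report. It scans a GitHub Actions workflow file and flags every `uses:` reference that is not pinned to a full 40-character commit SHA, which is the standard hardening against this class of attack. The sample workflow text, the action names other than the two named in the post, and the placeholder SHA are constructed for illustration.

```python
import re
from dataclasses import dataclass

# Matches a `uses:` step that references a GitHub-hosted action, e.g.
#   - uses: reviewdog/action-setup@v1
#   - uses: tj-actions/changed-files@v45
# Local paths (./...) and docker:// images carry no "@ref" and are skipped.
USES_RE = re.compile(
    r"^\s*-?\s*uses:\s*['\"]?"
    r"(?P<repo>[A-Za-z0-9_.-]+/[A-Za-z0-9_.-]+(?:/[A-Za-z0-9_./-]+)?)"
    r"@(?P<ref>[^'\"\s#]+)"
)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


@dataclass(frozen=True)
class Finding:
    line_no: int
    repo: str
    ref: str
    reason: str


def audit_workflow(text: str) -> list[Finding]:
    """Return one Finding per `uses:` reference not pinned to a full commit SHA."""
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        repo, ref = m.group("repo"), m.group("ref")
        if FULL_SHA_RE.match(ref):
            continue  # immutable pin: the only ref an upstream retag cannot move
        if re.fullmatch(r"[0-9a-f]{7,39}", ref):
            reason = "short SHA; abbreviated hashes are collidable, use the full 40-character commit SHA"
        elif re.fullmatch(r"v?\d+(\.\d+)*", ref):
            reason = "version tag; tags are mutable and can be re-pointed at a malicious commit"
        else:
            reason = "branch or symbolic ref; resolves to whatever is pushed to it next"
        findings.append(Finding(line_no, repo, ref, reason))
    return findings


# Constructed sample workflow (hypothetical repo names apart from the two named
# in the post; the checkout SHA is a placeholder, not a real commit).
SAMPLE_WORKFLOW = """\
name: ci
on: [pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567
      - uses: reviewdog/action-setup@v1
      - uses: tj-actions/changed-files@v45
      - uses: some-org/tool@main
      - uses: ./.github/actions/local-thing
      - run: echo "build"
"""

if __name__ == "__main__":
    for f in audit_workflow(SAMPLE_WORKFLOW):
        print(f"line {f.line_no}: {f.repo}@{f.ref}: {f.reason}")
```

Run against every file under .github/workflows and fail CI on any finding. Pinning by SHA only freezes which commit runs; it does not vouch for that commit, so the pinned revision still needs to be reviewed (and re-reviewed whenever the pin is bumped), and the `@v1`-style tag can be kept in a trailing comment for readability.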
DOGE to Fired CISA Staff: Email Us Your Personal Data
by BrianKrebs on 20/03/2025
A message posted on Monday to the homepage of the U.S. Cybersecurity & Infrastructure Security Agency (CISA) is the latest exhibit in the Trump administration’s continued disregard for basic cybersecurity protections. The message instructed recently-fired CISA employees to get in touch so they can be rehired and then immediately placed on leave, asking employees to send their Social Secu [...]
LIVE: Web Hacking | Pentesting | AppSec | Cybersecurity | TryHackme | AMA
on 19/03/2025
Turn Your Cybersecurity to Cyberstrength with HackerOne
on 19/03/2025
Data Leaks and AI Agents: Why Your APIs Could Be Exposing Sensitive Information
by Sergei Lega on 19/03/2025
Most organizations are using AI in some way today, whether they know it or not. Some are merely beginning to experiment with it, using tools like chatbots. Others, however, have integrated agentic AI directly into their business procedures and APIs. While both types of organizations are undoubtedly realizing remarkable productivity and efficiency benefits, they may not know they are putting thems [...]
Uncle Rat Presents: 002-B: Uncle Rat's Ultimate Bug Bounty Guide - P 2 - Broad Scope And API Hacking
on 18/03/2025
Notepad Saves Your Notes - Even If You Don't!
on 18/03/2025
SSRF in Autodesk Rendering leading to account takeover
on 18/03/2025
Autodesk disclosed a bug submitted by metereorpreter: https://hackerone.com/reports/3024673 [...]
Django Debug Mode Enabled - Information Disclosure on api.wwm-dev.autodesk.com
on 18/03/2025
Autodesk disclosed a bug submitted by khoof: https://hackerone.com/reports/2965143 [...]
How To Get Hacked Downloading Torrents - Malware Analysis
on 18/03/2025
Quantifying the Financial Impact of Cybersecurity with Return on Mitigation (RoM)
on 18/03/2025
ms teams is now a C2 (command-and-control)
on 18/03/2025
How to Find Your First Help Desk Role!
on 17/03/2025
Announcing OSV-Scanner V2: Vulnerability scanner and remediation tool for open source
on 17/03/2025
Posted by Rex Pan and Xueqin Cui, Google Open Source Security Team
In December 2022, we released the open source OSV-Scanner tool, and earlier this year, we open sourced OSV-SCALIBR. OSV-Scanner and OSV-SCALIBR, together with OSV.dev are components of an open platform for managing vulnerability metadata and enabling simple and accurate matching and remediation of known vulnerabilities. Our goal is [...]
This is How a Simple IDOR Earned Me a Max Bug Bounty Payout
on 17/03/2025
I took the TryHackMe Security Analyst Level 1 Certification (SAL1)
on 17/03/2025
CNWPP How To Fail An Exam Part 2:4
on 16/03/2025
Sensitive Information Disclosure via Back Button Post Logout on https://apps.nextcloud.com/account/
on 16/03/2025
Nextcloud disclosed a bug submitted by vulnerability_is_here: https://hackerone.com/reports/2946927 [...]
ClickFix: How to Infect Your PC in Three Easy Steps
by BrianKrebs on 14/03/2025
A clever malware deployment scheme first spotted in targeted attacks last year has now gone mainstream. In this scam, dubbed “ClickFix,” the visitor to a hacked or malicious website is asked to distinguish themselves from bots by pressing a combination of keyboard keys that causes Microsoft Windows to download password-stealing malware.
ClickFix attacks mimic the “Verify You are [...]
My Recap Of BSides Limburg 2025
on 14/03/2025
The German Hacking Championship
on 14/03/2025
IoT Hacking Tools You MUST Know: An In-Depth Review
on 14/03/2025
2FA Bypass leads to impersonation of legitimate users
on 14/03/2025
Drugs.com disclosed a bug submitted by dedoxd2: https://hackerone.com/reports/2885636 [...]
Stored Cross-Site Scripting found in custom integration app on https://admin.b360.autodesk.com.
on 14/03/2025
Autodesk disclosed a bug submitted by the-white-evil: https://hackerone.com/reports/2971572 [...]
One PUT Request to Own Tomcat: CVE-2025-24813 RCE is in the Wild
by Ivan Novikov on 14/03/2025
A devastating new remote code execution (RCE) vulnerability, CVE-2025-24813, is now actively exploited in the wild. Attackers need just one PUT API request to take over vulnerable Apache Tomcat servers. The exploit, originally published by a Chinese forum user iSee857, is already available online: CVE-2025-24813 PoC by iSee857.
Exploit Breakdown: How a Simple PUT Request Leads to Full RCE
This att [...]
Intigriti Bug Bytes #222 - March 2025 🚀
by Intigriti on 14/03/2025
Hey hackers,
Each month, we team up with bug bounty experts to bring you insights, platform updates, new programs, and upcoming community events—all to help you find more bugs!
Product updates
New Feature: Gain Deeper Insights into Researcher Activity
We're excited to introduce a new way for researchers to gain valuable insights into their time allocation across different domai… [...]
Hack Smart Devices For Only $2!
on 13/03/2025
Stored Cross-Site Scripting in mercadopago.com.ar
on 13/03/2025
MercadoLibre disclosed a bug submitted by elmago: https://hackerone.com/reports/1955485 [...]
Domain highlighting on External link warning is not working on Chrome & Microsoft Edge browsers on Mobile
on 13/03/2025
HackerOne disclosed a bug submitted by sarthakbhingare015: https://hackerone.com/reports/2553026 [...]
cgi scripts wordlist entry for windmail.exe has payload that sends arbitrary file read result to third-party
on 13/03/2025
PortSwigger Web Security disclosed a bug submitted by floyd: https://hackerone.com/reports/2733994 - Bounty: $200 [...]
they tried to hack me so i confronted them
on 13/03/2025
Burp Everywhere, All Around the World: Bringing AppSec Enthusiasts Together in 2025
on 13/03/2025
Security is a team sport. Whether you're a pentester, bug bounty hunter, student, or just love breaking (and fixing) things, our field thrives on shared knowledge, collaboration, and support. We want [...]
Access control vulnerability in the retail industry. Cross-Site Scripting (XSS) use case
by Eleanor Barlow on 13/03/2025
Why is the retail industry being targeted?
Large-scale operations and the extensive attack surface of the retail industry render it particularly susceptible to cybercrime, on a global scale. Websites, mobile apps, and company programs create numerous entry points for malicious actors. The high volume of payment transactions and financial incentives of successful attacks present… [...]
CNWPP How To Fail An Exam Part 1:4
on 12/03/2025
Uncle Rat's 4 Hour API Hacking MasterClass - Zero To Hero - OWASP top 10 - Tools - Demo's
on 12/03/2025
LIVE: USB and Log Analysis | Cybersecurity | Blue Team | AMA
on 12/03/2025
Hunting for privilege escalations by modifying the JS feat. renniepak #bugbounty #bugbountytips #bug
on 12/03/2025
The mysterious bug bounty methodology
on 12/03/2025
$50k XSS in a web3 website feat. renniepak #bugbounty #bugbountytips #bugbountyhunter
on 12/03/2025
Using javascript bookmarks to speed up bug hunting feat. renniepak #bugbounty #bugbountytips #bugbou
on 12/03/2025
An XSS payload tattooed on the forearm feat. renniepak #bugbounty #bugbountytips #bugbountyhunter
on 12/03/2025
The CSPBypass website feat. renniepak #bugbounty #bugbountytips #bugbountyhunter
on 12/03/2025
How to become an XSS expert with renniepak
on 12/03/2025
Behind the Scenes of Burp AI: How we built it, and what's next
on 12/03/2025
Why now? Artificial intelligence is rapidly transforming industries, and security testing is no exception. At PortSwigger, we’ve always been driven by innovation, but we don’t chase trends for the sak [...]
LEAKED Russian Hackers Internal Chats
on 12/03/2025
Best practices to avoid Bugcrowd platform violations with Anon Hunter (Sharik Khan)
on 12/03/2025
Microsoft: 6 Zero-Days in March 2025 Patch Tuesday
by BrianKrebs on 11/03/2025
Microsoft today issued more than 50 security updates for its various Windows operating systems, including fixes for a whopping six zero-day vulnerabilities that are already seeing active exploitation.
Two of the zero-day flaws include CVE-2025-24991 and CVE-2025-24993, both vulnerabilities in NTFS, the default file system for Windows and Windows Server. Both require the attacker to trick a target [...]
Non-Production API Endpoints for the DocumentDB Elastic Service Fail to Log to CloudTrail Resulting in Silent Permission Enumeration
on 11/03/2025
AWS VDP disclosed a bug submitted by nick_frichette_dd: https://hackerone.com/reports/3009411 [...]
CSRF to Reflected XSS at echo.urbandictionary.biz via spoofing content type
on 11/03/2025
Urban Dictionary disclosed a bug submitted by osama-hamad: https://hackerone.com/reports/1237321 [...]
Account Takeover Vulnerability in Shopify Collabs Platform Due to Missing Email Verification
on 11/03/2025
Shopify disclosed a bug submitted by kun_19: https://hackerone.com/reports/1679734 - Bounty: $800 [...]
Alleged Co-Founder of Garantex Arrested in India
by BrianKrebs on 11/03/2025
Authorities in India today arrested the alleged co-founder of Garantex, a cryptocurrency exchange sanctioned by the U.S. government in 2022 for facilitating tens of billions of dollars in money laundering by transnational criminal and cybercriminal organizations. Sources close to the investigation told KrebsOnSecurity the Lithuanian national Aleksej Besciokov, 46, was apprehended while vacationing [...]
4 platforms to practice hacking as a beginner 👆
on 11/03/2025
Get Hired In Cybersecurity Without Previous Experience
on 11/03/2025
XXE: A complete guide to exploiting advanced XXE vulnerabilities
by blackbird-eu on 11/03/2025
XML External Entity (XXE) vulnerabilities are one of the most overlooked yet impactful vulnerabilities in modern web applications. Although they've become seemingly harder to detect and exploit, their impact remains severe, often allowing attackers to read internal files, reach internal-only networks, and in severe cases even achieve remote code execution!
In this article, we w… [...]
RCE through collaboration with tess
on 10/03/2025
How Ethical Hackers ACTUALLY Use ChatGPT With Real Examples
on 10/03/2025
My Top 7 Burp Suite Extensions - Community Edition - 2025
on 10/03/2025
MSPGEEKCON is back for 2025
on 09/03/2025
TECH SUPPORT GONE WRONG
on 08/03/2025