InfoSec Planet
A collection of diverse security content from a curated list of sources. This website also serves as a demo for "worker-planet", the software that powers it.
Hiding Bluetooth Trackers in Mail on 24/04/2026
It was used to track a Dutch naval ship: Dutch journalist Just Vervaart, working for regional media network Omroep Gelderland, followed the directions posted on the Dutch government website and mailed a postcard with a hidden tracker inside. Because of this, they were able to track the ship for about a day, watching it sail from Heraklion, Crete, before it turned towards Cyprus. While it only show [...]
Do you know how to hack with AI? on 24/04/2026
CISO Vulnerability Pressure on 24/04/2026
The Governance Gap: How the EU AI Act Makes API Security a Compliance Imperative by Julian Richter on 24/04/2026
Your legal team just handed you a 400-page document and said "figure out compliance." The EU AI Act is live, and your organization falls under its scope, which is broader than many expect. Even non-EU companies must comply if their AI systems are used, deployed, or produce effects within the European Union. In practice, that means that global organizations building or integrating AI models cannot tre [...]
Chained AI Attacks Go Mainstream on 24/04/2026
Intigriti Bug Bytes #235 - April 2026 by Ayoub on 24/04/2026
Hi hackers, Welcome to the latest edition of Bug Bytes! In this month's issue, we'll be featuring: Compromising an NPM package with 40M weekly downloads; Bypassing Cloudflare WAF for a full ATO; 20-part series on exploiting JWT vulnerabilities; First Intigriti Bug Bounty Meetup; And so much more! Let's dive in! Common misconceptions about bug bounty, debugged Bug bounty still gets misundersto [...]
Incomplete fix for CVE-2026-21637: loadSNI() in _tls_wrap.js lacks try/catch leading to Remote DoS on 23/04/2026
Node.js disclosed a bug submitted by mbarbs: https://hackerone.com/reports/3556769 [...]
AI threats in the wild: The current state of prompt injections on the web on 23/04/2026
Posted by Thomas Brunner, Yu-Han Liu, Moni Pande. At Google, our Threat Intelligence teams are dedicated to staying ahead of real-world adversarial activity, proactively monitoring emerging threats before they can impact users. Right now, Indirect Prompt Injection (IPI) is a top priority for the security community, anticipating it as a primary attack vector for adversaries to target and compromise A [...]
We are the vibe on 23/04/2026
Hackers Stole Your Account (for free) on 23/04/2026
Trailmark turns code into graphs on 23/04/2026
We’re open-sourcing Trailmark, a library that parses source code into a queryable call graph of functions, classes, call relationships, and semantic metadata, then exposes that graph through a Python API that Claude skills can call directly. Install it now: uv pip install trailmark “Defenders think in lists. Attackers think in graphs. As long as this is true, attackers win.” John [...]
FBI Extracts Deleted Signal Messages from iPhone Notification Database on 23/04/2026
404 Media reports (alternate site): The FBI was able to forensically extract copies of incoming Signal messages from a defendant's iPhone, even after the app was deleted, because copies of the content were saved in the device's push notification database… The news shows how forensic extraction, when someone has physical access to a device and is able to run specialized software on it [...]
Stay Ahead of Cyber Threats on 23/04/2026
RBAC bypass on App log endpoints via `permissionRequired` typo any authenticated user reads admin-only Enterprise App logs on 23/04/2026
Rocket.Chat disclosed a bug submitted by arccode: https://hackerone.com/reports/3589551 [...]
AI Powered Vulnerability Remediation on 23/04/2026
Vulnpocalypse Now? How AI is changing vulnerability discovery by Ed Parsons on 23/04/2026
What you will learn: How vulnerability research and security testing may evolve in the future, based on expert insights and reflections from Intigriti COO Ed Parsons. How AI is reshaping vulnerability discovery, including the major trends and developments security teams should understand today. The "vulnpocalypse", and what it signals about the future of AI-assisted hacking. The risks, oppor [...]
Attacking the MCP Trust Boundary by Chandler Johnson on 22/04/2026
Every secure API draws a line between code and data. HTTP separates headers from bodies. SQL has prepared statements. Even email distinguishes the envelope from the message. The Model Context Protocol (MCP), the fast-growing standard for connecting AI agents to external services, inherits that gap from the models it sits on top of. Its central premise is that a language model reads tool descripti [...]
ICE Uses Graphite Spyware on 22/04/2026
ICE has admitted that it uses spyware from the Israeli company Graphite. [...]
Evolving Beyond Bug Bounties on 22/04/2026
How to approach a bug bounty target on 22/04/2026
Cybersecurity certs on 22/04/2026
Complete authentication bypass to admin permissions on 22/04/2026
Rocket.Chat disclosed a bug submitted by npc: https://hackerone.com/reports/3564655 [...]
200 Critical Bugs Overnight on 22/04/2026
Bug Bounty Guide - SSRF 101 on 21/04/2026
Use BLUR-IT to Increase Your OPSEC on 21/04/2026
CTF? on 21/04/2026
"Scattered Spider" Member "Tylerb" Pleads Guilty by BrianKrebs on 21/04/2026
A 24-year-old British national and senior member of the cybercrime group “Scattered Spider” has pleaded guilty to wire fraud conspiracy and aggravated identity theft. Tyler Robert Buchanan admitted his role in a series of text-message phishing attacks in the summer of 2022 that allowed the group to hack into at least a dozen major technology companies and steal tens of millions of doll [...]
The Dawn of AI Warfare (with Katrina Manson) on 21/04/2026
Why API Discovery Is the First Step to Securing AI by Tim Erlin on 21/04/2026
TL;DR AI risk doesn't live in the model. It lives in the APIs behind it. Every AI interaction triggers a chain of API calls across your environment. Many of those APIs aren't documented or tracked. That's your real exposure. Shadow API discovery gives you visibility into those hidden endpoints, so you can find them before attackers do. If you don't know which APIs your AI relies on, you can [...]
Mexican Surveillance Company on 21/04/2026
Grupo Seguritech is a Mexican surveillance company that is expanding into the US. [...]
The Vulnerability Apocalypse: How CISOs Can Stay Ahead of AI-Powered Threats on 21/04/2026
AI Is Creating New Security Risks on 21/04/2026
The Payload Podcast #005 - Casey Smith on 21/04/2026
Attack Surface Meets AI on 21/04/2026
AI Finds Vulnerabilities Faster on 20/04/2026
Financial Services Is a Huge Target on 20/04/2026
SVG filter primitives bypass remote image blocking, enabling email tracking without consent. on 20/04/2026
Nextcloud disclosed a bug submitted by nullcathedral: https://hackerone.com/reports/3486747 [...]
I Learned How to Jailbreak AI Chatbots on 20/04/2026
position: fixed !important bypasses CSS sanitizer's fixed-position mitigation, enabling full-viewport phishing overlays. on 20/04/2026
Nextcloud disclosed a bug submitted by nullcathedral: https://hackerone.com/reports/3590586 [...]
Unquoted body background attribute enables CSS injection that bypasses remote image blocking on 20/04/2026
Nextcloud disclosed a bug submitted by nullcathedral: https://hackerone.com/reports/3590583 [...]
SMIL values and by attributes bypass remote image blocking via unvalidated resource-loading animations, enabling email tracking without consent on 20/04/2026
Nextcloud disclosed a bug submitted by nullcathedral: https://hackerone.com/reports/3590576 [...]
Is "Satoshi Nakamoto" Really Adam Back? on 20/04/2026
The New York Times has a long article where the author lays out an impressive array of circumstantial evidence that the inventor of Bitcoin is the cypherpunk Adam Back. I don’t know. The article is convincing, but it’s written to be convincing. I can’t remember if I ever met Adam. I was a member of the Cypherpunks mailing list for a while, but I was never really an active partici [...]
libcurl omits IPv6 zoneid from host identity and leaks credentials/cookies across scoped link-local realms on 19/04/2026
curl disclosed a bug submitted by valvelvel: https://hackerone.com/reports/3680680 [...]
Digest Auth State Leak on Cross-Origin Redirect via Netrc - Username and Password Hash Sent to Wrong Host on 19/04/2026
curl disclosed a bug submitted by fg0x0: https://hackerone.com/reports/3680038 [...]
Stored XSS in attachment-display exploitable through SameSite on 19/04/2026
Nextcloud disclosed a bug submitted by aikido_security: https://hackerone.com/reports/3594137 [...]
libcurl reuses a learned RTSP Session header across different hosts on the same easy handle, enabling cross-host session leak and replay on 18/04/2026
curl disclosed a bug submitted by skksndk: https://hackerone.com/reports/3680234 [...]
Rails::HTML::Sanitizer.allowed_uri? returns true for entity-encoded control-character-split javascript: URLs on 18/04/2026
Ruby on Rails disclosed a bug submitted by smlee: https://hackerone.com/reports/3601655 [...]
Should I focus on BAC or multiple exploits on 18/04/2026
Friday Squid Blogging: New Giant Squid Video on 17/04/2026
Pretty fantastic video from Japan of a giant squid eating another squid. As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered. Blog moderation policy. [...]
libcurl stale CURLOPT_AUTOREFERER leaks a previous request URL to a different origin on a reused easy handle on 17/04/2026
curl disclosed a bug submitted by asdwe: https://hackerone.com/reports/3673277 [...]
JHT Livestream: mitmproxy & OpenWRT to read HTTPS traffic! on 17/04/2026
How to Investigate with Windows Prefetch Files on 17/04/2026
Mythos and Cybersecurity on 17/04/2026
Last week, Anthropic pulled back the curtain on Claude Mythos Preview, an AI model so capable at finding and exploiting software vulnerabilities that the company decided it was too dangerous to release to the public. Instead, access has been restricted to roughly 50 organizations—Microsoft, Apple, Amazon Web Services, CrowdStrike and other vendors of critical infrastructure—under an in [...]
We beat Google's zero-knowledge proof of quantum cryptanalysis on 17/04/2026
Two weeks ago, Google's Quantum AI group published a zero-knowledge proof of a quantum circuit so optimized, they concluded that first-generation quantum computers will break elliptic curve cryptography keys in as little as 9 minutes. Today, Trail of Bits is publishing our own zero-knowledge proof that significantly improves Google's on all metrics. Our result is not due to some quantum breakthrou [...]
Common AI misconceptions debugged! by Greg Jenkins on 17/04/2026
What you will learn: How AI is boosting researcher productivity. How new researchers are approaching bug bounties. Why the quality of submissions is not declining. How effective triage and coordination are crucial. AI and the growing ecosystem of tools built around it have now moved beyond early experimentation and into everyday use across the bug bounty community. What initially showed up as AI- [...]
Introducing the official Burp Ambassador Program on 16/04/2026
Why we're launching the program. What it means to be a Burp Ambassador. What we're aiming for. Our Burp Ambassadors: Alan Levy, Corey Ball, Federico Dotta, Rana Khalil, Tib3rius. Looking ahead. Get Involved - B [...]
Here's everything I have learned from making $2M in bounties. #bugbounty on 16/04/2026
Residual Malicious Payloads on HackerOne after Vulnerability Fixes on 16/04/2026
HackerOne disclosed a bug submitted by joejoe5: https://hackerone.com/reports/3168691 [...]
DOS via Mutation Aliasing in GraphQL Account Recovery Phone Number Verification API on 16/04/2026
HackerOne disclosed a bug submitted by hellokbit: https://hackerone.com/reports/3287208 - Bounty: $12500 [...]
Human Trust of AI Agents on 16/04/2026
Interesting research: “Humans expect rationality and cooperation from LLM opponents in strategic games.” Abstract: As Large Language Models (LLMs) integrate into our social and economic interactions, we need to deepen our understanding of how humans respond to LLMs opponents in strategic settings. We present the results of the first controlled monetarily-incentivised laboratory experim [...]
lib/http2.c: SSL connections accept non-HTTP push schemes (incomplete fix for 2e8c922a) on 16/04/2026
curl disclosed a bug submitted by hybirdss: https://hackerone.com/reports/3674275 [...]
The case for dependency cooldowns in a post-axios world on 16/04/2026
Understanding npm and the importance of dependency cooldowns. [...]
Authorization header leak in ssrf_filter via cross-host redirect leads to credential theft and unauthorized access on 15/04/2026
arkadiyt-projects disclosed a bug submitted by argareksapatii: https://hackerone.com/reports/3642600 [...]
What can we say? on 15/04/2026
SQL Injection Detection Bypass in AWS WAF Managed Rules (AWSManagedRulesSQLiRuleSet) on 15/04/2026
AWS VDP disclosed a bug submitted by killnet-edc: https://hackerone.com/reports/3591725 [...]
Defense in Depth, Medieval Style on 15/04/2026
This article on the walls of Constantinople is fascinating. The system comprised four defensive lines arranged in formidable layers: The brick-lined ditch, divided by bulkheads and often flooded, 15-20 meters wide and up to 7 meters deep. A low breastwork, about 2 meters high, enabling defenders to fire freely from behind. The outer wall, 8 meters tall and 2.8 meters thick, with 82 projecting to [...]
Patch Tuesday, April 2026 Edition by BrianKrebs on 14/04/2026
Microsoft today pushed software updates to fix a staggering 167 security vulnerabilities in its Windows operating systems and related software, including a SharePoint Server zero-day and a publicly disclosed weakness in Windows Defender dubbed “BlueHammer.” Separately, Google Chrome fixed its fourth zero-day of 2026, and an emergency update for Adobe Reader nixes an actively exploited [...]
DOM XSS in `fizzy.do` import filename preview enables one-click victim account takeover on 14/04/2026
Basecamp disclosed a bug submitted by xavlimsg: https://hackerone.com/reports/3608199 - Bounty: $500 [...]
Improper Access Control in `fizzy.do` import flow allows cross-tenant ActionText reference resolution and data disclosure on 14/04/2026
Basecamp disclosed a bug submitted by xavlimsg: https://hackerone.com/reports/3543475 - Bounty: $218 [...]
BOLA/IDOR in Out-of-Office API allows any authenticated user to read other users' absence data on 14/04/2026
Nextcloud disclosed a bug submitted by cyberjoker: https://hackerone.com/reports/3382343 [...]
Cybersecurity Books to Read: DFIR Investigative Mindset on 14/04/2026
Join this Q&A session! on 14/04/2026
Upcoming Speaking Engagements on 14/04/2026
This is a current list of where and when I am scheduled to speak: I'm speaking at DemocracyXChange 2026 in Toronto, Ontario, Canada, on April 18, 2026. I'm speaking at the SANS AI Cybersecurity Summit 2026 in Arlington, Virginia, USA, at 9:40 AM ET on April 20, 2026. I'm speaking at the Greater Good Gathering in New York City, USA, on Tuesday, April 21, 2026. I'm speaking at the Nemertes [N [...]
[Variation of #3321406] YetAnother 1-Click Chaining of Self-XSS, Cookie Tossing and AntiCSRF Token Prediction leads to auto approval in AccessTempAuth on 14/04/2026
Cloudflare Public Bug Bounty disclosed a bug submitted by matured_kazama: https://hackerone.com/reports/3423950 [...]
[Variation of #1554049] 1-Click Chaining of Self-XSS, Cookie Tossing and AntiCSRF Token Prediction leads to auto approval in Access Temp Auth on 14/04/2026
Cloudflare Public Bug Bounty disclosed a bug submitted by matured_kazama: https://hackerone.com/reports/3321406 [...]
Brave Shields Domain Reordering Leads to Origin Confusion on 13/04/2026
Brave Software disclosed a bug submitted by mousepadkalilinux12: https://hackerone.com/reports/3665151 - Bounty: $100 [...]
Turn your Nmap scan into a clean report in seconds #nmap #hacking #cybersecurity on 13/04/2026
Credential Disclosure via Unvalidated directDownloadUrl (Missing DontAddCredentialsAttribute) on 13/04/2026
Nextcloud disclosed a bug submitted by py0zz1: https://hackerone.com/reports/3400143 - Bounty: $250 [...]
Is AI Killing Bug Bounty? on 13/04/2026
This XSS Tool Is AMAZING! on 13/04/2026
Argument Injection via curl Short-Flag Grouping on 13/04/2026
curl disclosed a bug submitted by midoussa7: https://hackerone.com/reports/3669305 [...]
How Intigriti uses AI in their submissions on 11/04/2026
Integer Overflow/Signedness Mismatch in Printf Precision for HTTP/2 Trailer Headers on 11/04/2026
curl disclosed a bug submitted by pwnpwn: https://hackerone.com/reports/3665363 [...]
Encryption context keys and values logged at INFO level on 10/04/2026
AWS VDP disclosed a bug submitted by misop00p: https://hackerone.com/reports/3620760 [...]
Bringing Rust to the Pixel Baseband on 10/04/2026
Posted by Jiacheng Lu, Software Engineer, Google Pixel Team. Google is continuously advancing the security of Pixel devices. We have been focusing on hardening the cellular baseband modem against exploitation. Recognizing the risks associated with the complex modem firmware, Pixel 9 shipped with mitigations against a range of memory-safety vulnerabilities. For Pixel 10, Google is advancing its p [...]
Is ClaudeAI useful for bug bounty? on 10/04/2026
Open Redirect in Rocket.Chat on 10/04/2026
Rocket.Chat disclosed a bug submitted by soohyun: https://hackerone.com/reports/3418031 [...]
[Vertical Privilege Escalation] User can Unapprove any Approved Translation at [/translations/unapprove/] on 10/04/2026
Mozilla disclosed a bug submitted by adilnbabras: https://hackerone.com/reports/3020021 [...]
User Can Delete Other Users' Personal Access Tokens at /delete-token/{token_id}/ on Mozilla Pontoon on 10/04/2026
Mozilla disclosed a bug submitted by adilnbabras: https://hackerone.com/reports/3325582 [...]
A(I) future of Bug Bounty by Chris Holt on 10/04/2026
What you will learn: How AI is changing bug bounty. Where AI helps security teams. Why human hackers matter. What the future of bug bounty looks like. AI and all the tools built around related technologies have been working their way into the Bug Bounty community for a little over a year now, and by around March 2025 we started seeing notably AI-written reports. It is time to take stock of what imp [...]
Protecting Cookies with Device Bound Session Credentials on 09/04/2026
Posted by Ben Ackerman, Chrome team, Daniel Rubery, Chrome team and Guillaume Ehinger, Google Account Security team. Following our April 2024 announcement, Device Bound Session Credentials (DBSC) is now entering public availability for Windows users on Chrome 146, and expanding to macOS in an upcoming Chrome release. This project represents a significant step forward in our ongoing efforts to co [...]
HUGE AI-powered Microsoft Account phishing campaign on 09/04/2026
How New AI Models Are Reshaping Cyber Risk at Scale on 09/04/2026
Memory leak in gem decode logic can allow attacker to take down Rubygems.org application on 09/04/2026
RubyGems disclosed a bug submitted by mclaren650sspider: https://hackerone.com/reports/3079931 [...]
What are WebSockets? on 09/04/2026
Master C and C++ with our new Testing Handbook chapter on 09/04/2026
We added a new chapter to our Testing Handbook: a comprehensive security checklist for C and C++ code. We've identified a broad range of common bug classes, known footguns, and API gotchas across C and C++ codebases and organized them into sections covering Linux, Windows, and seccomp. Whereas other handbook chapters focus on static and dynamic analysis, this chapter offers a strong basis for manu [...]
Is Cybersecurity Dead? Should You Start Bug Bounty? on 09/04/2026
libcurl: Integer truncation in curl_easy_ssls_import() causes TLS sessions to never expire on 09/04/2026
curl disclosed a bug submitted by adityasunny_06: https://hackerone.com/reports/3658049 [...]