InfoSec Planet

A collection of diverse security content from a curated list of sources. This website also serves as a demo for "worker-planet", the software that powers it.

Learn Python!

on 18/09/2025

See full content

Broad scope made simple #bugbounty #hacker #hack #hacking 101

on 18/09/2025

See full content

Timing Attack Vulnerability in curl Digest Authentication via Non-Constant-Time String Comparison

on 18/09/2025

curl disclosed a bug submitted by frizo_05: https://hackerone.com/reports/3346118 [...]

See full content

Bitcoin Core vs Knots and why you should run a node

on 18/09/2025

See full content

How to join the desync endgame: Practical tips from pentester Tom Stacey

on 18/09/2025

Note: This is a guest post by pentester and researcher, Tom Stacey (@t0xodile). You'd think that after almost 21 years since its initial public discovery, HTTP Request Smuggling would be barely exploi [...]

See full content

Time-of-Check Time-of-Use Attacks Against LLMs

on 18/09/2025

This is a nice piece of research: “Mind the Gap: Time-of-Check to Time-of-Use Vulnerabilities in LLM-Enabled Agents“.: Abstract: Large Language Model (LLM)-enabled agents are rapidly emerging across a wide range of applications, but their deployment introduces vulnerabilities with security implications. While prior work has examined prompt-based attacks (e.g., prompt injection) and dat [...]

See full content

Scaling API Security Without the Complexity: Lessons from Early Adopters

by Tim Erlin on 18/09/2025

APIs are a blessing and a curse. They’re the backbone of the modern internet. They also expose complex behaviors that are often poorly documented, stitched together across legacy and cloud systems, and updated faster than security teams can review.  Three key groups typically shoulder the burden of protecting them:  DevOps teams are already racing to keep uptime high and deployme [...]

See full content

Use mutation testing to find the bugs your tests don't catch

on 18/09/2025

Mutation testing reveals blind spots in test suites by systematically introducing bugs and checking if tests catch them. Blockchain developers should use mutation testing to measure the effectiveness of their test suites and find bugs that traditional testing can miss. [...]

See full content

Security Analysis Report: CURL Integer Overflow Vulnerability

on 18/09/2025

curl disclosed a bug submitted by jfhgdsjkf: https://hackerone.com/reports/3344663 [...]

See full content

int overflow in krb5_read_data() leads to (possible) massive `recv()` write

on 18/09/2025

curl disclosed a bug submitted by smiliesandco: https://hackerone.com/reports/3341476 [...]

See full content

Why can’t I find a #bugbounty I know how to #hack

on 17/09/2025

See full content

Critical Information Disclosure via /talos/api/v1/files/upload

on 17/09/2025

Bykea disclosed a bug submitted by sameer_ali: https://hackerone.com/reports/3228011 [...]

See full content

LIVE: SOC 201 Release | Incident Response | Threat Hunting | Cybersecurity

on 17/09/2025

See full content

URL Scheme Validation Bypass in Shopify Mobile App Allows Javascript Execution

on 17/09/2025

Shopify disclosed a bug submitted by fr4via: https://hackerone.com/reports/1737358 [...]

See full content

GraphQL Introspection Enabled on Shopify API Endpoint (Intended Behavior)

on 17/09/2025

Shopify disclosed a bug submitted by ahmednasr1: https://hackerone.com/reports/2886723 [...]

See full content

4 Recon Sources That Always Get Me Results

on 17/09/2025

See full content

MongoDB Query Logs & Schema Leak via Unauthenticated Endpoint

on 17/09/2025

Bykea disclosed a bug submitted by sameer_ali: https://hackerone.com/reports/3249406 [...]

See full content

Hacking Electronic Safes

on 17/09/2025

Vulnerabilities in electronic safes that use Securam Prologic locks: While both their techniques represent glaring security vulnerabilities, Omo says it’s the one that exploits a feature intended as a legitimate unlock method for locksmiths that’s the more widespread and dangerous. “This attack is something where, if you had a safe with this kind of lock, I could literally pull u [...]

See full content

#powershellscripting for hackers

on 17/09/2025

See full content

Learn powershell with me!

on 17/09/2025

See full content

How to do Knowledge retention with a full time job #hacker #hack #hacking 101 g

on 16/09/2025

See full content

How to get started in bug bounties

on 16/09/2025

See full content

Subdomain brute forcing #bugbounty #hacker #hack #hacking 101

on 16/09/2025

See full content

How to succeed in bug bounties

on 16/09/2025

See full content

How do I pick a target

on 16/09/2025

See full content

Enum before exploit

on 16/09/2025

See full content

Hacking is not easy

on 16/09/2025

See full content

Hacking a Vape Pen

on 16/09/2025

See full content

Bugcrowd is the smarter choice

on 16/09/2025

See full content

​IAmJakoby - Built The Best Hacker Learning Tool Ever!

on 16/09/2025

See full content

Self-Replicating Worm Hits 180+ Software Packages

by BrianKrebs on 16/09/2025

At least 187 code packages made available through the JavaScript repository NPM have been infected with a self-replicating worm that steals credentials from developers and publishes those secrets on GitHub, experts warn. The malware, which briefly infected multiple code packages from the security vendor CrowdStrike, steals and publishes even more credentials every time an infected package is insta [...]

See full content

Microsoft Still Uses RC4

on 16/09/2025

Senator Ron Wyden has asked the Federal Trade Commission to investigate Microsoft over its continued use of the RC4 encryption algorithm. The letter talks about a hacker technique called Kerberoasting, that exploits the Kerberos authentication system. [...]

See full content

Fickling’s new AI/ML pickle file scanner

on 16/09/2025

We’ve added a pickle file scanner to Fickling that uses an allowlist approach to protect AI/ML environments from malicious pickle files that could compromise models or infrastructure. [...]

See full content

Stack Buffer Overflow in cURL Cookie Parsing Leads to RCE

on 16/09/2025

curl disclosed a bug submitted by batuhanilgarr: https://hackerone.com/reports/3340109 [...]

See full content

Supporting Rowhammer research to protect the DRAM ecosystem

on 15/09/2025

Posted by Daniel MoghimiRowhammer is a complex class of vulnerabilities across the industry. It is a hardware vulnerability in DRAM where repeatedly accessing a row of memory can cause bit flips in adjacent rows, leading to data corruption. This can be exploited by attackers to gain unauthorized access to data, escalate privileges, or cause denial of service. Hardware vendors have deployed various [...]

See full content

SQL Injection when using FilteredRelation

on 15/09/2025

Django disclosed a bug submitted by eyalsec: https://hackerone.com/reports/3292573 [...]

See full content

Guess who makes us the best? YOU DO 🧡

on 15/09/2025

See full content

Lawsuit About WhatsApp Security

on 15/09/2025

Attaullah Baig, WhatsApp’s former head of security, has filed a whistleblower lawsuit alleging that Facebook deliberately failed to fix a bunch of security flaws, in violation of its 2019 settlement agreement with the Federal Trade Commission. The lawsuit, alleging violations of the whistleblower protection provision of the Sarbanes-Oxley Act passed in 2002, said that in 2022, roughly 100,00 [...]

See full content

Attack plans for targets

on 15/09/2025

See full content

When do #bugbounty payouts happens 🤓#bugbounty

on 14/09/2025

See full content

I like to compare #bugbounty to casinos 🎰

on 14/09/2025

See full content

Upcoming Speaking Engagements

on 14/09/2025

This is a current list of where and when I am scheduled to speak: I’m speaking and signing books at the Cambridge Public Library on October 22, 2025 at 6 PM ET. The event is sponsored by Harvard Bookstore. I’m giving a virtual talk about my book Rewiring Democracy at 1 PM ET on October 23, 2025. The event is hosted by Data & Society. More details to come. I’m speaking at the World Forum for D [...]

See full content

Multiple Unsafe strcpy() Function Calls Leading to Potential Buffer Overflow Vulnerabilities in cURL 8.16.1-DEV

on 14/09/2025

curl disclosed a bug submitted by anony_gaku: https://hackerone.com/reports/3337561 [...]

See full content

DOM XSS on www.omnipod.com/freedom/birthdate-confirmation and www.omnipod.com/pif/thanks-freedom

on 13/09/2025

Insulet Corporation disclosed a bug submitted by mechatech84: https://hackerone.com/reports/1073725 [...]

See full content

Pivilege escalation of any new user to Keymaster caused by CSRF

on 13/09/2025

WordPress disclosed a bug submitted by maxbr3n404: https://hackerone.com/reports/2999394 [...]

See full content

Assessing the Quality of Dried Squid

on 12/09/2025

Research: Nondestructive detection of multiple dried squid qualities by hyperspectral imaging combined with 1D-KAN-CNN Abstract: Given that dried squid is a highly regarded marine product in Oriental countries, the global food industry requires a swift and noninvasive quality assessment of this product. The current study therefore uses visible­near-infrared (VIS-NIR) hyperspectral imaging and deep [...]

See full content

A Cyberattack Victim Notification Framework

on 12/09/2025

Interesting analysis: When cyber incidents occur, victims should be notified in a timely manner so they have the opportunity to assess and remediate any harm. However, providing notifications has proven a challenge across industry. When making notifications, companies often do not know the true identity of victims and may only have a single email address through which to provide the notification. [...]

See full content

Bjorn Scrap Battery Hack

on 12/09/2025

See full content

LIVE: Web Hacking | Pentesting | AppSec | Cybersecurity | AMA

on 12/09/2025

See full content

How this seasoned bug bounty hunter combines Burp Suite and HackerOne to uncover high-impact vulnerabilities

on 12/09/2025

Arman S., a full-time independent security researcher and bug bounty hunter, talked us through how he uses Burp Suite Professional and HackerOne in tandem to find and report high-value security vulner [...]

See full content

SQL injection in JSONField KeyTransform

on 12/09/2025

Django disclosed a bug submitted by eyalsec: https://hackerone.com/reports/2588426 [...]

See full content

Tips for Finding Your First CVE!

on 11/09/2025

See full content

Bulletproof Host Stark Industries Evades EU Sanctions

by BrianKrebs on 11/09/2025

In May 2025, the European Union levied financial sanctions on the owners of Stark Industries Solutions Ltd., a bulletproof hosting provider that materialized two weeks before Russia invaded Ukraine and quickly became a top source of Kremlin-linked cyberattacks and disinformation campaigns. But new findings show those sanctions have done little to stop Stark from simply rebranding and transferring [...]

See full content

TOCTOU Race Condition in HTTP/2 Connection Reuse Leads to Certificate Validation Bypass

on 11/09/2025

curl disclosed a bug submitted by 0xrey: https://hackerone.com/reports/3335085 [...]

See full content

6.pdf

on 11/09/2025

See full content

Inside Wallarm Security Edge: Instant Protection at the API Edge

by Tim Erlin on 11/09/2025

APIs are now the beating heart of digital infrastructure. But as they have risen in importance, they’ve also become prime targets for attackers. Complex, often poorly understood API behaviors present rich opportunities for exploitation, and too often, security teams are left scrambling to protect critical infrastructure with outdated tools or cumbersome deployments. Wallarm’s Security Edge is [...]

See full content

Chained Broken Access Control in TikTok Live Backstage Enables Full Control of Public Leaderboard Activities

on 11/09/2025

TikTok disclosed a bug submitted by eneri: https://hackerone.com/reports/3012526 [...]

See full content

Stored XSS on TikTok's backend leads to the leakage of highly sensitive administrator data (Cookies, API Keys, Internal Paths, Emails, phone numbers).

on 11/09/2025

TikTok disclosed a bug submitted by ahmed_xyz: https://hackerone.com/reports/3037447 [...]

See full content

test livestream lololol

on 10/09/2025

See full content

How Pixel and Android are bringing a new level of trust to your images with C2PA Content Credentials

on 10/09/2025

Posted by Eric Lynch, Senior Product Manager, Android Security, and Sherif Hanna, Group Product Manager, Google C2PA Core At Made by Google 2025, we announced that the new Google Pixel 10 phones will support C2PA Content Credentials in Pixel Camera and Google Photos. This announcement represents a series of steps towards greater digital media transparency: The Pixel 10 lineup is the first t [...]

See full content

337k users and 1 employee leaked credentials

on 10/09/2025

Khan Academy disclosed a bug submitted by meowsint: https://hackerone.com/reports/3250691 [...]

See full content

Every Hacker Needs These Linux Commands // Bug Bounty Edition

on 10/09/2025

See full content

How Sui Move rethinks flash loan security

on 10/09/2025

Sui’s Move language significantly improves flash loan security by replacing Solidity’s reliance on callbacks and runtime checks with a “hot potato” model that enforces repayment at the language level. This shift makes flash loan security a language guarantee rather than a developer responsibility. [...]

See full content

CVE-2025-9086: Out of bounds read for cookie path

on 10/09/2025

curl disclosed a bug submitted by bigsleep: https://hackerone.com/reports/3294999 [...]

See full content

CVE-2025-10148: predictable WebSocket mask

on 10/09/2025

curl disclosed a bug submitted by cruocco: https://hackerone.com/reports/3330839 [...]

See full content

How should I scope third-party assets in my bug bounty program?

by Eleanor Barlow on 10/09/2025

You asked, and we answered. At Intigriti, we’ve been paying close attention to the questions most frequently asked by those with a bug bounty program in place. That’s why we’ve launched this blog series dedicated to answering the most frequently asked questions, diving into hot topics, and sharing practical and expert-backed strategies to help you maximize your bug bounty success. So far in this s [...]

See full content

Microsoft Patch Tuesday, September 2025 Edition

by BrianKrebs on 09/09/2025

Microsoft Corp. today issued security updates to fix more than 80 vulnerabilities in its Windows operating systems and software. There are no known “zero-day” or actively exploited vulnerabilities in this month’s bundle from Redmond, which nevertheless includes patches for 13 flaws that earned Microsoft’s most-dire “critical” label. Meanwhile, both Apple and Goo [...]

See full content

Can AI Pass Security Exams?

on 09/09/2025

See full content

Confirmed Security Misconfigurations on curl.se (BREACH, Missing Security Headers, ETag Info Disclosure)

on 09/09/2025

curl disclosed a bug submitted by mohmed_shoukry: https://hackerone.com/reports/3331764 [...]

See full content

New Cryptanalysis of the Fiat-Shamir Protocol

on 09/09/2025

A couple of months ago, a new paper demonstrated some new attacks against the Fiat-Shamir transformation. Quanta published a good article that explains the results. This is a pretty exciting paper from a theoretical perspective, but I don’t see it leading to any practical real-world cryptanalysis. The fact that there are some weird circumstances that result in Fiat-Shamir insecurities isn [...]

See full content

18 Popular Code Packages Hacked, Rigged to Steal Crypto

by BrianKrebs on 08/09/2025

At least 18 popular JavaScript code packages that are collectively downloaded more than two billion times each week were briefly compromised with malicious software today, after a developer involved in maintaining the projects was phished. The attack appears to have been quickly contained and was narrowly focused on stealing cryptocurrency. But experts warn that a similar attack with a slightly mo [...]

See full content

LARGEST SUPPLY CHAIN HACK IN HISTORY ZOMG!!!!111

on 08/09/2025

See full content

Signed Copies of Rewiring Democracy

on 08/09/2025

When I announced my latest book last week, I forgot to mention that you can pre-order a signed copy here. I will ship the books the week of 10/20, when it is published. [...]

See full content

AI in Government

on 08/09/2025

Just a few months after Elon Musk’s retreat from his unofficial role leading the Department of Government Efficiency (DOGE), we have a clearer picture of his vision of government powered by artificial intelligence, and it has a lot more to do with consolidating power than benefitting the public. Even so, we must not lose sight of the fact that a different administration could wield the same [...]

See full content

The API Security Dilemma: Why Traditional Approaches Are Failing in the AI Era

by Tim Erlin on 08/09/2025

Throughout the past few years, APIs have become the backbone of digital infrastructure. They enable software-to-software communication, improve integration and interoperability, support modular architecture, and more.  But as API use has exploded, so has API traffic volume and complexity, making them increasingly difficult to secure. And the rise of AI agents and automation have complicat [...]

See full content

GOP Cries Censorship Over Spam Filters That Work

by BrianKrebs on 06/09/2025

The chairman of the Federal Trade Commission (FTC) last week sent a letter to Google’s CEO demanding to know why Gmail was blocking messages from Republican senders while allegedly failing to block similar missives supporting Democrats. The letter followed media reports accusing Gmail of disproportionately flagging messages from the GOP fundraising platform WinRed and sending them to the spa [...]

See full content

Using Stacking to Find Malware

on 05/09/2025

See full content

Just Hacking Training - Windows Malware Development

on 05/09/2025

See full content

Safer cold storage on Ethereum

on 05/09/2025

By using smart contract programmability, exchanges can build custody solutions that remain secure even when multisig keys are compromised. [...]

See full content

Session Persistence Designed to Keep Users Logged In Across Multiple Devices (Intended Behaviour)

on 04/09/2025

Shopify disclosed a bug submitted by naveenventure: https://hackerone.com/reports/3161827 [...]

See full content

Dangers of Using AI Tools for Red Teaming

on 04/09/2025

See full content

Watch the webinar: Scale secure coverage without scaling headcount

on 04/09/2025

Application security teams are under pressure. With expanding application estates, growing API usage, and faster release cycles, many teams struggle to keep up. Backlogs grow, releases are delayed, an [...]

See full content

Top 5 Ways You Get Hacked

on 04/09/2025

See full content

libcurl: Host-Only Cookies Leak to Alternate IPv4 Forms

on 04/09/2025

curl disclosed a bug submitted by g3nj1z: https://hackerone.com/reports/3324901 [...]

See full content

Reflecting on Wallarm’s Journey: Growth, Resilience, and What Comes Next

by Ivan Novikov on 04/09/2025

By Ivan Novikov and Stepan Ilyin When we started Wallarm, we focused on the APIs that power modern apps. We built an API-first platform, used AI from day one, and secured early patents in behavior-based detection and automated policy creation. The result: real-time, inline blocking with automatic API discovery that protects production, not just dashboards. Today’s investment isn’t only fuel [...]

See full content

Heap-buffer-overflow (Out-of-Bounds Read) in DoH hostname encoding

on 04/09/2025

curl disclosed a bug submitted by reporascal_1: https://hackerone.com/reports/3324190 [...]

See full content

FREE Course Release! LIVE | AI Fundamentals | Q&A

on 04/09/2025

See full content

Subverting code integrity checks to locally backdoor Signal, 1Password, Slack, and more

on 04/09/2025

A vulnerability in Electron applications allows attackers to bypass code integrity checks by tampering with V8 heap snapshot files, enabling local backdoors in applications like Signal, 1Password, and Slack. [...]

See full content

it's just too easy

on 03/09/2025

See full content

Why You Suck at Bug Bounty Hunting (And How To Fix It)

on 03/09/2025

See full content

How to attract security researchers to test on my bug bounty program?

by Eleanor Barlow on 03/09/2025

You asked, and we answered. At Intigriti, we’ve been paying close attention to the questions most frequently asked by those with a bug bounty program in place. That’s why we’ve launched this blog series dedicated to answering the most asked questions, diving into hot topics, and sharing practical and expert-backed strategies to help you maximize your bug bounty success. So far in this series, we h [...]

See full content

Business Logic Error Bypass of OTP Verification During Signup on hover.com

on 02/09/2025

Tucows (VDP) disclosed a bug submitted by c0rvuz: https://hackerone.com/reports/3255473 [...]

See full content

Unauthenticated Sensitive Information Disclosure on CVE-2021-38314

on 02/09/2025

Mars disclosed a bug submitted by kuriyama: https://hackerone.com/reports/1452774 [...]

See full content

Bug Report #23JAN136 (subdomain takeover via shopify )

on 02/09/2025

Mars disclosed a bug submitted by kuriyama: https://hackerone.com/reports/1851895 [...]

See full content

Bug Report #23JAN135 (subdomain takeover via shopify )

on 02/09/2025

Mars disclosed a bug submitted by kuriyama: https://hackerone.com/reports/1851886 [...]

See full content

RXSS on stores on */visitorRegistration.pml via destination parameter

on 02/09/2025

Mars disclosed a bug submitted by kuriyama: https://hackerone.com/reports/2189797 [...]

See full content

Order More Than Maximum Allowed Quantity

on 02/09/2025

Mars disclosed a bug submitted by blackbird_azar: https://hackerone.com/reports/3185001 [...]

See full content

Account Takeover in Password Reset Function

on 02/09/2025

Mars disclosed a bug submitted by egsec: https://hackerone.com/reports/3228888 [...]

See full content

Unauthorized Blogs Creation

on 02/09/2025

Lichess disclosed a bug submitted by albetisi: https://hackerone.com/reports/2130385 [...]

See full content

Hacking plugin ecosystems: A complete guide

by blackbird-eu on 02/09/2025

Add-on (or plugin) ecosystems unlock an entire new world of integration possibilities while also complementing the platform's extensibility to developers. However, in practice, finding the right balance between adding extensibility and maintaining security often proves to be difficult. The root cause stems from a lack of following security best practices. Proper isolation is, for instance, never f [...]

See full content

Sources

The content of this page is fetched from the following sources:

  1. Datadog Security Labs
  2. The Trail of Bits Blog
  3. Phylum Research | Software Supply Chain Security
  4. Schneier on Security
  5. Krebs on Security
  6. Google Online Security Blog
  7. $BLOG_TITLE
  8. Agarri : Sécurité informatique offensive
  9. Alex Chapman's Blog
  10. www.alphabot.com
  11. ziot
  12. Bug Bounty Reports Explained
  13. Bugcrowd
  14. cat ~/footstep.ninja/blog.txt
  15. Ezequiel Pereira
  16. HackerOne
  17. surajdisoja.me
  18. InsiderPhD
  19. Intigriti
  20. John Hammond
  21. LiveOverflow
  22. NahamSec
  23. PortSwigger Blog
  24. Rana Khalil
  25. Richard’s Infosec blog
  26. Ron Chan
  27. ropnop blog
  28. STÖK
  29. Sun Knudsen
  30. The Cyber Mentor
  31. The unofficial HackerOne disclosure timeline
  32. The XSS Rat
  33. TomNomNom
  34. Wallarm