InfoSec Planet

A collection of diverse security content from a curated list of sources. This website also serves as a demo for "worker-planet", the software that powers it.

Link unfurling calls out to arbitrary URLs and the private-network guard misses link-local addresses

on 22/12/2025

Basecamp disclosed a bug submitted by brumbelow: https://hackerone.com/reports/3445890 [...]

Microsoft Is Finally Killing RC4

on 22/12/2025

After twenty-six years, Microsoft is finally upgrading the last remaining instance of the encryption algorithm RC4 in Windows. One of the most visible holdouts in supporting RC4 has been Microsoft. Eventually, Microsoft upgraded Active Directory to support the much more secure AES encryption standard. But by default, Windows servers have continued to respond to RC4-based authentication requests and re [...]

well

on 22/12/2025

Functional Regression in Digest Authentication: Failure to handle optional spaces and escaped quotes

on 21/12/2025

curl disclosed a bug submitted by herdiyanitdev: https://hackerone.com/reports/3473384 [...]

A logic error in detect_proxy caused truncation of environment variable names for long protocol schemes.

on 21/12/2025

curl disclosed a bug submitted by herdiyanitdev: https://hackerone.com/reports/3473182 [...]

The perfect tool ——- wait what’s that?

on 21/12/2025

The perfect toolkit doesn’t exist

on 21/12/2025

Unbounded memory consumption via compressed HTTP responses (gzip/brotli/zstd)

on 21/12/2025

curl disclosed a bug submitted by gaurav0212: https://hackerone.com/reports/3471553 [...]

I asked 10+ hunters who made 500K$+ what their secret is

on 20/12/2025

I need some help

on 20/12/2025

Heap Buffer Over-Read via Malicious SMB Server READ_ANDX Response

on 20/12/2025

curl disclosed a bug submitted by strokep: https://hackerone.com/reports/3470095 [...]

Learn Cyber Deception!

on 20/12/2025

Friday Squid Blogging: Petting a Squid

on 19/12/2025

Video from Reddit shows what could go wrong when you try to pet a—looks like a Humboldt—squid. As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered. Blog moderation policy. [...]

Missing AES-GCM Authentication Tag Validation and Improper Deprecation Handling

on 19/12/2025

Node.js disclosed a bug submitted by sideni: https://hackerone.com/reports/3463949 [...]

Come check out my tool!!

on 19/12/2025

IoT & Hardware Hacking for Beginners - Learn Fundamentals in 9+ Hours

on 19/12/2025

Dismantling Defenses: Trump 2.0 Cyber Year in Review

by BrianKrebs on 19/12/2025

The Trump administration has pursued a staggering range of policy pivots this past year that threaten to weaken the nation’s ability and willingness to address a broad spectrum of technology challenges, from cybersecurity and privacy to countering disinformation, fraud and corruption. These shifts, along with the president’s efforts to restrict free speech and freedom of the press, hav [...]

CISO Spotlight: Lefteris Tzelepis on Leadership, Strategy, and the Modern Security Mandate

by Tim Erlin on 19/12/2025

Lefteris Tzelepis, CISO at Steelmet /Viohalco Companies, was shaped by cybersecurity. From his early exposure to real-world attacks at the Greek Ministry of Defense to building and leading security programs inside complex enterprises, his career mirrors the evolution of the CISO role itself. Now a group CISO overseeing security across multiple organizations, Lefteris brings a practitioner’s mi [...]

AI Advertising Company Hacked

on 19/12/2025

At least some of this is coming to light: Doublespeed, a startup backed by Andreessen Horowitz (a16z) that uses a phone farm to manage at least hundreds of AI-generated social media accounts and promote products has been hacked. The hack reveals what products the AI-generated accounts are promoting, often without the required disclosure that these are advertisements, and allowed the hacker to take [...]

Can chatbots craft correct code?

on 19/12/2025

I recently attended the AI Engineer Code Summit in New York, an invite-only gathering of AI leaders and engineers. One theme emerged repeatedly in conversations with attendees building with AI: the belief that we’re approaching a future where developers will never need to look at code again. When I pressed these proponents, several made a similar argument: Forty years ago, when high-level program [...]

RXSS in https://jp.mcafee.com/apps/mdm/jp/3.0_asp/

on 19/12/2025

Trellix disclosed a bug submitted by lemonoftroy: https://hackerone.com/reports/1068477 [...]

File URL UNC Path Access (Windows SSRF)

on 18/12/2025

curl disclosed a bug submitted by im4x: https://hackerone.com/reports/3470649 [...]

Economic DoS (Griefing) on IBC Relayers via `memo` Callback Gas Exploitation

on 18/12/2025

Cosmos disclosed a bug submitted by tychebe: https://hackerone.com/reports/3425308 [...]

3 Cybersecurity Myths I HATE

on 18/12/2025

Get off your ass and give your mom a real present for Christmas

on 18/12/2025

Someone Boarded a Plane at Heathrow Without a Ticket or Passport

on 18/12/2025

I’m sure there’s a story here: Sources say the man had tailgated his way through to security screening and passed security, meaning he was not detected carrying any banned items. The man deceived the BA check-in agent by posing as a family member who had their passports and boarding passes inspected in the usual way. [...]

[RCE] Remote Code Execution via React Server Components Vulnerability CVE-2025-55182

on 18/12/2025

IBM disclosed a bug submitted by kanon4: https://hackerone.com/reports/3458235 [...]

IoT Hacking Stream

on 18/12/2025

Intigriti Bug Bytes #231 - December 2025 🚀

by Ayoub on 18/12/2025

Hi hackers, Welcome to the latest edition of Bug Bytes! In this month’s issue, we’ll be featuring:

- React2Shell scanner (with WAF bypasses)
- Identifying server origin IP to bypass popular WAFs
- CSRF exploitation cheat sheet
- Finding vulnerabilities in sign-ups

And so much more! Let’s dive in! INTIGRITI 1125 results are in: November’s Intigriti Challenge was on us. 1125 brought hundreds of hack [...]

My coaching students pay make 6 times their investment back 😶‍🌫️

on 17/12/2025

Certificate Pinning Bypass with wolfSSL backend over HTTP/3

on 17/12/2025

curl disclosed a bug submitted by anonymous_237: https://hackerone.com/reports/3468098 [...]

Heap buffer overflow in Curl_ipv4_resolve_r due to incorrect buffer alignment and size calculation on AmigaOS

on 17/12/2025

curl disclosed a bug submitted by badrodin22: https://hackerone.com/reports/3468410 [...]

Is #bugbounty Satured? Any Room For Beginners?

on 17/12/2025

Deliberate Internet Shutdowns

on 17/12/2025

For two days in September, Afghanistan had no internet. No satellite failed; no cable was cut. This was a deliberate outage, mandated by the Taliban government. It followed a more localized shutdown two weeks prior, reportedly instituted “to prevent immoral activities.” No additional explanation was given. The timing couldn’t have been worse: communities still reeling from a majo [...]

Introducing Pathfinding.cloud

on 17/12/2025

Introducing Pathfinding.cloud, a library of AWS IAM privilege escalation paths [...]

Do Cheap Hidden Camera Detectors Work?

on 16/12/2025

How To Set Yourself Up For Success In Bug Bounty

on 16/12/2025

Most Parked Domains Now Serving Malicious Content

by BrianKrebs on 16/12/2025

Direct navigation — the act of visiting a website by manually typing a domain name in a web browser — has never been riskier: A new study finds the vast majority of “parked” domains — mostly expired or dormant domain names, or common misspellings of popular websites — are now configured to redirect visitors to sites that foist scams and malware. A lookalike doma [...]

Chinese Surveillance and AI

on 16/12/2025

New report: “The Party’s AI: How China’s New AI Systems are Reshaping Human Rights.” From a summary article: China is already the world’s largest exporter of AI powered surveillance technology; new surveillance technologies and platforms developed in China are also not likely to simply stay there. By exposing the full scope of China’s AI driven control apparatus [...]

Use GWP-ASan to detect exploits in production environments

on 16/12/2025

Memory safety bugs like use-after-free and buffer overflows remain among the most exploited vulnerability classes in production software. While AddressSanitizer (ASan) excels at catching these bugs during development, its performance overhead (2 to 4 times) and security concerns make it unsuitable for production. What if you could detect many of the same critical bugs in live systems with virtuall [...]

Second-Order XSS via javascript protocol in MCP Server Portal Apps leads to ATO

on 16/12/2025

Cloudflare Public Bug Bounty disclosed a bug submitted by matured_kazama: https://hackerone.com/reports/3316910 [...]

Heap Overflow in cURL AmigaOS Socket Implementation

on 16/12/2025

curl disclosed a bug submitted by the-pink-panther: https://hackerone.com/reports/3466896 [...]

Curl Alt-Svc Parser Stack Buffer Overflow

on 16/12/2025

curl disclosed a bug submitted by the-pink-panther: https://hackerone.com/reports/3466883 [...]

The state of #bugbounty hunting in 2026

on 15/12/2025

Against the Federal Moratorium on State-Level Regulation of AI

on 15/12/2025

Cast your mind back to May of this year: Congress was in the throes of debate over the massive budget bill. Amidst the many seismic provisions, Senator Ted Cruz dropped a ticking time bomb of tech policy: a ten-year moratorium on the ability of states to regulate artificial intelligence. To many, this was catastrophic. The few massive AI companies seem to be swallowing our economy whole: their ene [...]

Hackers 🙋

on 15/12/2025

Path Traversal Bypass in file:// URLs Due to Incomplete URL-Encoded Path Normalization

on 15/12/2025

curl disclosed a bug submitted by ba5: https://hackerone.com/reports/3465094 [...]

Upcoming Speaking Engagements

on 14/12/2025

This is a current list of where and when I am scheduled to speak: I’m speaking and signing books at the Chicago Public Library in Chicago, Illinois, USA, at 6:00 PM CT on February 5, 2026. Details to come. I’m speaking at Capricon 44 in Chicago, Illinois, USA. The convention runs February 5-8, 2026. My speaking time is TBD. I’m speaking at the Munich Cybersecurity Conference in Munich, Germany on [...]

This Is THE Recon Tool You NEED In 2026

on 14/12/2025

testing hackerone functions

on 13/12/2025

curl disclosed a bug submitted by qqqqqqqqqqqqqqqq: https://hackerone.com/reports/3463619 [...]

Denial of Service (DoS) vulnerability in dedotdotify() URL path normalization

on 13/12/2025

curl disclosed a bug submitted by sy2n0: https://hackerone.com/reports/3463608 [...]

Hacking Endpoint to Identity (Microsoft 365): "ConsentFix"

on 13/12/2025

Certs too cheap 😳

on 13/12/2025

Friday Squid Blogging: Giant Squid Eating a Diamondback Squid

on 12/12/2025

I have no context for this video—it’s from Reddit—but one of the commenters adds some context: Hey everyone, squid biologist here! Wanted to add some stuff you might find interesting. With so many people carrying around cameras, we’re getting more videos of giant squid at the surface than in previous decades. We’re also starting to notice a pattern, that around this t [...]

Infostealer Malware Logs Analyzed by... AI !?!

on 12/12/2025

Building Trustworthy AI Agents

on 12/12/2025

The promise of personal AI assistants rests on a dangerous assumption: that we can trust systems we haven’t made trustworthy. We can’t. And today’s versions are failing us in predictable ways: pushing us to do things against our own best interests, gaslighting us with doubt about things we are or that we know, and being unable to distinguish between who we are and who we have been. They struggle w [...]

Catching malicious package releases using a transparency log

on 12/12/2025

We’re getting Sigstore’s rekor-monitor ready for production use, making it easier for developers to detect tampering and unauthorized uses of their identities in the Rekor transparency log. This work, funded by the OpenSSF, includes support for the new Rekor v2 log, certificate validation, and integration with The Update Framework (TUF). For package maintainers that publish attestations signed usi [...]

Burp On Tour 2025: bringing the AppSec community together around the world

on 12/12/2025

In 2025, we set out with a simple mission: take Burp Suite on the road and meet the global AppSec community where you are. Burp On Tour was born from our desire to learn from you; the brilliant people [...]

Buffer Overflow in cURL Internal printf Function

on 12/12/2025

curl disclosed a bug submitted by mlgzackfly: https://hackerone.com/reports/3462525 [...]

How AI is Changing Cybersecurity

on 11/12/2025

Bonus points if they mention Bugcrowd 😉

on 11/12/2025

2026 API and AI Security Predictions: What Experts Expect in the Year Ahead

by Annette Reed on 11/12/2025

This is a predictions blog. We know, we know; everyone does them, and they can get a bit same-y. Chances are, you’re already bored with reading them. So, we’ve decided to do things a little bit differently this year.  Instead of bombarding you with just our own predictions, we’ve decided to cast the net far and wide. We’ve spoken to cybersecurity experts from around the world to answer wh [...]

DAST without disruption: Burp Suite DAST winter update 2025

on 11/12/2025

AppSec teams are under constant pressure to secure fast-moving applications without slowing anything down. But scanning windows, fragile authentication, and sprawling API estates often get in the way [...]

Introducing mrva, a terminal-first approach to CodeQL multi-repo variant analysis

on 11/12/2025

In 2023 GitHub introduced CodeQL multi-repository variant analysis (MRVA). This functionality lets you run queries across thousands of projects using pre-built databases and drastically reduces the time needed to find security bugs at scale. There’s just one problem: it’s largely built on VS Code and I’m a Vim user and a terminal junkie. That’s why I built mrva, a composable, terminal-first altern [...]

Terminal Output Not Great

on 11/12/2025

curl disclosed a bug submitted by kelsier: https://hackerone.com/reports/3460184 [...]

LIVE: 🕵️ HTB Sherlocks! | Cybersecurity | Blue Team

on 11/12/2025

HTTPS certificate industry phasing out less secure domain validation methods

on 10/12/2025

Posted by Chrome Root Program Team. Secure connections are the backbone of the modern web, but a certificate is only as trustworthy as the validation process and issuance practices behind it. Recently, the Chrome Root Program and the CA/Browser Forum have taken decisive steps toward a more secure internet by adopting new security requirements for HTTPS certificate issuers. These initiatives, d [...]

This Feature in Burp Suite Low-Key Changes Everything

on 10/12/2025

Bugcrowd Security Flash: CVE-2025-55182 (React2Shell) UPDATE

on 10/12/2025

Investigating an adversary-in-the-middle phishing campaign targeting Microsoft 365 and Okta users

on 10/12/2025

In this post, we investigate a recent phishing campaign that targets Microsoft 365 users. [...]

Certificate Hostname Validation Bypass via Leading Dot in Hostname

on 09/12/2025

curl disclosed a bug submitted by 4bccc: https://hackerone.com/reports/3455037 [...]

Microsoft Patch Tuesday, December 2025 Edition

by BrianKrebs on 09/12/2025

Microsoft today pushed updates to fix at least 56 security flaws in its Windows operating systems and supported software. This final Patch Tuesday of 2025 tackles one zero-day bug that is already being exploited, as well as two publicly disclosed vulnerabilities. Despite releasing a lower-than-normal number of security updates these past few months, Microsoft patched a whopping 1,129 vulnerabilit [...]

Stack Buffer Overflow in cURL wolfSSL Backend (lib/vtls/wolfssl.c)

on 09/12/2025

curl disclosed a bug submitted by lm3alm: https://hackerone.com/reports/3459636 [...]

Red Team vs. Blue Team Job Opportunities

on 09/12/2025

Further Hardening Android GPUs

on 09/12/2025

Posted by Liz Prucka, Hamzeh Zawawy, Rishika Hooda, Android Security and Privacy Team. Last year, Google's Android Red Team partnered with Arm to conduct an in-depth security analysis of the Mali GPU, a component used in billions of Android devices worldwide. This collaboration was a significant step in proactively identifying and fixing vulnerabilities in the GPU software and firmware stack. [...]

Exploiting business logic error vulnerabilities

by Ayoub on 09/12/2025

It's no secret that complexity is the biggest rival of safe applications. As web apps become more sophisticated, they create countless opportunities for logic flaws to arise. Unlike technical vulnerabilities that can be easily automated, business logic errors emerge from the gap between how developers expect systems to behave and how attackers can manipulate them. In this article, we explore how t [...]

I Found 14 Bugs In An Hour On Big Platforms - And Taught Others How To Do The SAME

on 08/12/2025

Architecting Security for Agentic Capabilities in Chrome

on 08/12/2025

Posted by Nathan Parker, Chrome security team. Chrome has been advancing the web’s security for well over 15 years, and we’re committed to meeting new challenges and opportunities with AI. Billions of people trust Chrome to keep them safe by default, and this is a responsibility we take seriously. Following the recent launch of Gemini in Chrome and the preview of agentic capabilities, we want to [...]

Update on React Server Components RCE Vulnerability (CVE-2025-55182 / CVE-2025-66478)

by Sergei Okhotin on 08/12/2025

The attack landscape has been dynamic following the disclosure of the React Server Components RCE vulnerability. New information has emerged regarding the initial Proof-of-Concept exploit, as well as improved detection methods, exploitation mechanics observed in the wild, and rapidly growing attack activity. This update summarizes the changes and observations we have made across Wallarm customers. [...]

carving emails & AI prompt injection hacking

on 08/12/2025

2025 in Review: A Year of Smarter, Context-Aware API Security

by Tim Erlin on 08/12/2025

As the year draws to a close, it’s worth pausing to look back on what has been an extraordinary year for Wallarm and, more importantly, for the businesses we protect.  If 2024 was about laying the groundwork (tracking API sessions to understand behavioral attacks), then 2025 was the year we built upon that foundation, turning insight into action and visibility into measurable business impact. [...]

curl built with GnuTLS backend defaults to weak crypto parameters

on 08/12/2025

curl disclosed a bug submitted by nyymi: https://hackerone.com/reports/3407352 [...]

Just ServiceUI.exe

on 06/12/2025

I am in LOVE with these

on 06/12/2025

Drones to Diplomas: How Russia’s Largest Private University is Linked to a $25M Essay Mill

by BrianKrebs on 06/12/2025

A sprawling academic cheating network turbocharged by Google Ads that has generated nearly $25 million in revenue has curious ties to a Kremlin-connected oligarch whose Russian university builds drones for Russia’s war against Ukraine. The Nerdify homepage. The link between essay mills and Russian attack drones might seem improbable, but understanding it begins with a simple question: How do [...]

Beginner Blue Team Training!

on 05/12/2025

HackerOne on AI-Driven Security: Community, Risk, and Innovation

on 05/12/2025

How Baselining Helps Incident Response

on 05/12/2025

Unauthenticated GraphQL access by prepending __schema to private operations

on 05/12/2025

Enjin disclosed a bug submitted by pwnie: https://hackerone.com/reports/3452015 [...]

so malware is invisible now lol

on 05/12/2025

How to detect React2Shell with Burp Suite

on 05/12/2025

Two new critical vulnerabilities, collectively known as React2Shell (CVE-2025-55182 and CVE-2025-66478), are rapidly gaining traction in the security community. D [...]

Stored XSS Vulnerability via SVG File

on 05/12/2025

Nextcloud disclosed a bug submitted by aptroom: https://hackerone.com/reports/3357808 - Bounty: $150 [...]

Title: Use-After-Free in cURL Test Suite via Improper Cleanup of Global Handle

on 05/12/2025

curl disclosed a bug submitted by rootx1337: https://hackerone.com/reports/3452725 [...]

admin_audit does not log actions on files in a group folder

on 05/12/2025

Nextcloud disclosed a bug submitted by klipz: https://hackerone.com/reports/2890071 [...]

Deck app allowed user with "Can share" permission to modify permissions of other non-owners

on 05/12/2025

Nextcloud disclosed a bug submitted by daroo: https://hackerone.com/reports/3247499 - Bounty: $250 [...]

Calendar app allowed booking appointments without the generated token

on 05/12/2025

Nextcloud disclosed a bug submitted by daroo: https://hackerone.com/reports/3275810 [...]

Calendar attachments of local files are offered to downloaded

on 05/12/2025

Nextcloud disclosed a bug submitted by daroo: https://hackerone.com/reports/3112033 - Bounty: $100 [...]

Missing ownership check in Tables app allows moving columns into tables of other users

on 05/12/2025

Nextcloud disclosed a bug submitted by daroo: https://hackerone.com/reports/3137895 - Bounty: $250 [...]

Tables app allowed users to view columns metadata information of any table

on 05/12/2025

Nextcloud disclosed a bug submitted by daroo: https://hackerone.com/reports/3138721 - Bounty: $250 [...]

Participants were able to blindly delete poll drafts of other users by ID

on 05/12/2025

Nextcloud disclosed a bug submitted by daroo: https://hackerone.com/reports/3247386 - Bounty: $150 [...]

Sources

The content of this page is fetched from the following sources:

  1. Datadog Security Labs
  2. The Trail of Bits Blog
  3. Phylum Research | Software Supply Chain Security
  4. Schneier on Security
  5. Krebs on Security
  6. Google Online Security Blog
  7. $BLOG_TITLE
  8. Agarri : Sécurité informatique offensive
  9. Alex Chapman's Blog
  10. www.alphabot.com
  11. ziot
  12. Bug Bounty Reports Explained
  13. Bugcrowd
  14. cat ~/footstep.ninja/blog.txt
  15. Ezequiel Pereira
  16. HackerOne
  17. surajdisoja.me
  18. InsiderPhD
  19. Intigriti
  20. John Hammond
  21. LiveOverflow
  22. NahamSec
  23. PortSwigger Blog
  24. Rana Khalil
  25. Richard’s Infosec blog
  26. Ron Chan
  27. ropnop blog
  28. STÖK
  29. Sun Knudsen
  30. The Cyber Mentor
  31. The unofficial HackerOne disclosure timeline
  32. The XSS Rat
  33. TomNomNom
  34. Wallarm