“Congress shall make no law respecting an establishment of religion, or prohibiting the free exercise thereof; or abridging the freedom of speech, or of the press; or the right of the people peaceably to assemble, and to petition the Government for a redress of grievances.” -U.S. Constitution, First Amendment. Image: Shutterstock, zimmytws. In an address to Congress this month, Preside [...]
In another rare squid/cybersecurity intersection, APT37 is also known as “Squid Werewolf.” As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered. [...]
Informatica disclosed a bug submitted by growler09: https://hackerone.com/reports/2583500 [...]
This is a truly fascinating paper: “Trusted Machine Learning Models Unlock Private Inference for Problems Currently Infeasible with Cryptography.” The basic idea is that AIs can act as trusted third parties: Abstract: We often interact with untrusted parties. Prioritization of privacy can limit the effectiveness of these interactions, as achieving certain goals necessitates sharing pr [...]
Learn how the Next.js middleware authorization bypass vulnerability works, and how to detect and remediate it. [...]
Posted by Chrome Root Program, Chrome Security Team The Chrome Root Program launched in 2022 as part of Google’s ongoing commitment to upholding secure and reliable network connections in Chrome. We previously described how the Chrome Root Program keeps users safe, and described how the program is focused on promoting technologies and practices that strengthen the underlying security assurances [...]
Hemi VDP disclosed a bug submitted by aaravhex: https://hackerone.com/reports/2991326 [...]
Many successful phishing attacks result in a financial loss or malware infection. But falling for some phishing scams, like those currently targeting Russians searching online for organizations that are fighting the Kremlin war machine, can cost you your freedom or your life. The real website of the Ukrainian paramilitary group “Freedom of Russia” legion. The text has been machine-tran [...]
Shopify disclosed a bug submitted by ooooooo_q: https://hackerone.com/reports/2279572 - Bounty: $800 [...]
NIST just released a comprehensive taxonomy of adversarial machine learning attacks and countermeasures. [...]
Posted by Christiaan Brand, Group Product ManagerWe’re excited to announce that starting today, Titan Security Keys are available for purchase in more than 10 new countries:IrelandPortugalThe NetherlandsDenmarkNorwaySwedenFinlandAustraliaNew ZealandSingaporePuerto RicoThis expansion means Titan Security Keys are now available in 22 markets, including previously announced countries like Austria, Be [...]
Modern organizations are becoming increasingly reliant on agentic AI, and for good reason: AI agents can dramatically improve efficiency and automate mission-critical functions like customer support, sales, operations, and even security. However, this deep integration into business processes introduces risks that, without proper API security, can compromise sensitive data and decision-making. [...]
Cloudflare has a new feature—available to free users as well—that uses AI to generate random pages to feed to AI web crawlers: Instead of simply blocking bots, Cloudflare’s new system lures them into a “maze” of realistic-looking but irrelevant pages, wasting the crawler’s computing resources. The approach is a notable shift from the standard block-and-defend st [...]
Brave Software disclosed a bug submitted by canalun: https://hackerone.com/reports/2958097 - Bounty: $100 [...]
Citizen Lab has a new report on Paragon’s spyware: Key Findings: Introducing Paragon Solutions. Paragon Solutions was founded in Israel in 2019 and sells spyware called Graphite. The company differentiates itself by claiming it has safeguards to prevent the kinds of spyware abuses that NSO Group and other vendors are notorious for. Infrastructure Analysis of Paragon Spyware. Based on a tip [...]
The Intigriti team have recently observed an abuse scenario, trending across the industry, where malicious actors are posing as legitimate white-hat hackers, deceiving targeted companies into believing their actions are carried out in good faith. Bad actors will always try to exploit the system, in any industry, for personal gain. At Intigriti, we help customers navigate this l… [...]
So, you've found a valid security vulnerability in one of your bug bounty programs, now it's time to write the report. Finding the vulnerability was half the story. Writing effective reports is also an essential phase in bug bounty. Clear, well-written, and to-the-point bug bounty reports often get triaged faster and have more chance of getting well received by companies. In th… [...]
Imagine trying to disable a malicious user in your Azure environment, only to find it can't be modified! We recently identified a timing-based bug in Entra ID's restricted administrative units (AUs) that could have allowed just this scenario to occur. [...]
Learn how the Kubernetes Ingress NGINX Controller vulnerabilities work, how to detect and remediate them. [...]
AWS VDP disclosed a bug submitted by nick_frichette_dd: https://hackerone.com/reports/3022516 [...]
Autodesk disclosed a bug submitted by yunxohang: https://hackerone.com/reports/3035275 [...]
Last month, I wrote about the UK forcing Apple to break its Advanced Data Protection encryption in iCloud. More recently, both Sweden and France are contemplating mandating backdoors. Both initiatives are attempting to scare people into supporting backdoors, which are—of course—are terrible idea. Also: “A Feminist Argument Against Weakening Encryption.” [...]
Trendyol disclosed a bug submitted by samark19: https://hackerone.com/reports/2917062 [...]
New research: An associate professor of chemistry and chemical biology at Northeastern University, Deravi’s recently published paper in the Journal of Materials Chemistry C sheds new light on how squid use organs that essentially function as organic solar cells to help power their camouflage abilities. As usual, you can also use this squid post to talk about the security stories in the news that I [...]
Authorities in at least two U.S. states last week independently announced arrests of Chinese nationals accused of perpetrating a novel form of tap-to-pay fraud using mobile devices. Details released by authorities so far indicate the mobile wallets being used by the scammers were created through online phishing scams, and that the accused were relying on a custom Android app to relay tap-to-pay tr [...]
The Atlantic has a search tool that allows you to search for specific works in the “LibGen” database of copyrighted works that Meta used to train its AI models. (The rest of the article is behind a paywall, but not the search tool.) It’s impossible to know exactly which parts of LibGen Meta used to train its AI, and which parts it might have decided to exclude; this snapshot was taken [...]
The UK’s National Computer Security Center (part of GCHQ) released a timeline—also see their blog post—for migration to quantum-computer-resistant cryptography. It even made The Guardian. [...]
Shopify disclosed a bug submitted by samux: https://hackerone.com/reports/1457471 [...]
This is serious: A sophisticated cascading supply chain attack has compromised multiple GitHub Actions, exposing critical CI/CD secrets across tens of thousands of repositories. The attack, which originally targeted the widely used “tj-actions/changed-files” utility, is now believed to have originated from an earlier breach of the “reviewdog/action-setup@v1” GitHub Action, according to a report. [...]
A message posted on Monday to the homepage of the U.S. Cybersecurity & Infrastructure Security Agency (CISA) is the latest exhibit in the Trump administration’s continued disregard for basic cybersecurity protections. The message instructed recently-fired CISA employees to get in touch so they can be rehired and then immediately placed on leave, asking employees to send their Social Secu [...]
Most organizations are using AI in some way today, whether they know it or not. Some are merely beginning to experiment with it, using tools like chatbots. Others, however, have integrated agentic AI directly into their business procedures and APIs. While both types of organizations are undoubtedly realizing remarkable productivity and efficiency benefits, they may not know they are putting thems [...]
Autodesk disclosed a bug submitted by metereorpreter: https://hackerone.com/reports/3024673 [...]
Autodesk disclosed a bug submitted by khoof: https://hackerone.com/reports/2965143 [...]
Posted by Rex Pan and Xueqin Cui, Google Open Source Security TeamIn December 2022, we released the open source OSV-Scanner tool, and earlier this year, we open sourced OSV-SCALIBR. OSV-Scanner and OSV-SCALIBR, together with OSV.dev are components of an open platform for managing vulnerability metadata and enabling simple and accurate matching and remediation of known vulnerabilities. Our goal is [...]
Nextcloud disclosed a bug submitted by vulnerability_is_here: https://hackerone.com/reports/2946927 [...]
A clever malware deployment scheme first spotted in targeted attacks last year has now gone mainstream. In this scam, dubbed “ClickFix,” the visitor to a hacked or malicious website is asked to distinguish themselves from bots by pressing a combination of keyboard keys that causes Microsoft Windows to download password-stealing malware. ClickFix attacks mimic the “Verify You are [...]
Drugs.com disclosed a bug submitted by dedoxd2: https://hackerone.com/reports/2885636 [...]
Autodesk disclosed a bug submitted by the-white-evil: https://hackerone.com/reports/2971572 [...]
A devastating new remote code execution (RCE) vulnerability, CVE-2025-24813, is now actively exploited in the wild. Attackers need just one PUT API request to take over vulnerable Apache Tomcat servers. The exploit, originally published by a Chinese forum user iSee857, is already available online: CVE-2025-24813 PoC by iSee857. Exploit Breakdown: How a Simple PUT Request Leads to Full RCE This att [...]
Hey hackers, Each month, we team up with bug bounty experts to bring you insights, platform updates, new programs, and upcoming community events—all to help you find more bugs! Product updates New Feature: Gain Deeper Insights into Researcher Activity We're excited to introduce a new way for researchers to gain valuable insights into their time allocation across different domai… [...]
MercadoLibre disclosed a bug submitted by elmago: https://hackerone.com/reports/1955485 [...]
HackerOne disclosed a bug submitted by sarthakbhingare015: https://hackerone.com/reports/2553026 [...]
PortSwigger Web Security disclosed a bug submitted by floyd: https://hackerone.com/reports/2733994 - Bounty: $200 [...]
Security is a team sport. Whether you're a pentester, bug bounty hunter, student, or just love breaking (and fixing) things, our field thrives on shared knowledge, collaboration, and support. We want [...]
Why is the retail industry being targeted? Large-scale operations and the extensive attack surface of the retail industry render it particularly susceptible to cybercrime, on a global scale. Websites, mobile apps, and company programs create numerous entry points for malicious actors. The high volume of payment transactions and financial incentives of successful attacks present… [...]
Why now? Artificial intelligence is rapidly transforming industries, and security testing is no exception. At PortSwigger, we’ve always been driven by innovation, but we don’t chase trends for the sak [...]
Microsoft today issued more than 50 security updates for its various Windows operating systems, including fixes for a whopping six zero-day vulnerabilities that are already seeing active exploitation. Two of the zero-day flaws include CVE-2025-24991 and CVE-2025-24993, both vulnerabilities in NTFS, the default file system for Windows and Windows Server. Both require the attacker to trick a target [...]
AWS VDP disclosed a bug submitted by nick_frichette_dd: https://hackerone.com/reports/3009411 [...]
Urban Dictionary disclosed a bug submitted by osama-hamad: https://hackerone.com/reports/1237321 [...]
Shopify disclosed a bug submitted by kun_19: https://hackerone.com/reports/1679734 - Bounty: $800 [...]
Authorities in India today arrested the alleged co-founder of Garantex, a cryptocurrency exchange sanctioned by the U.S. government in 2022 for facilitating tens of billions of dollars in money laundering by transnational criminal and cybercriminal organizations. Sources close to the investigation told KrebsOnSecurity the Lithuanian national Aleksej Besciokov, 46, was apprehended while vacationing [...]
XML External Entity (XXE) vulnerabilities are one of the most overlooked yet impactful vulnerabilities in modern web applications. Although they've become seemingly harder to detect and exploit, their impact remains severe, often allowing attackers to read internal files, reach internal-only networks, and in severe cases even execute remote code execution! In this article, we w… [...]