A Ukrainian man indicted in 2012 for conspiring with a prolific hacking group to steal tens of millions of dollars from U.S. businesses was arrested in Italy and is now in custody in the United States, KrebsOnSecurity has learned. Sources close to the investigation say Yuriy Igorevich Rybtsov, a 41-year-old from the Russia-controlled city of Donetsk, Ukraine, was previously referenced in U.S. fede [...]
curl disclosed a bug submitted by oliverkremer: https://hackerone.com/reports/3408126 [...]
I can’t believe that I haven’t yet posted this picture of a giant squid at the Smithsonian. As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered. Blog moderation policy. [...]
Hiro disclosed a bug submitted by craxermgr: https://hackerone.com/reports/268221 [...]
Hiro disclosed a bug submitted by craxermgr: https://hackerone.com/reports/268224 [...]
Hiro disclosed a bug submitted by vyshnav_nk: https://hackerone.com/reports/300164 [...]
Hiro disclosed a bug submitted by myskar: https://hackerone.com/reports/304073 [...]
Hiro disclosed a bug submitted by myskar: https://hackerone.com/reports/377565 [...]
Hiro disclosed a bug submitted by droop3r: https://hackerone.com/reports/716647 [...]
Hiro disclosed a bug submitted by 0x1_aulia: https://hackerone.com/reports/910732 [...]
Hiro disclosed a bug submitted by frozensolid: https://hackerone.com/reports/541760 [...]
Hiro disclosed a bug submitted by anonymous--1000: https://hackerone.com/reports/3062299 - Bounty: $150 [...]
curl disclosed a bug submitted by sagorhawlader: https://hackerone.com/reports/3406123 [...]
curl disclosed a bug submitted by abdullah-107: https://hackerone.com/reports/3404025 [...]
Listen to the Audio on NextBigIdeaClub.com Below, co-authors Bruce Schneier and Nathan E. Sanders share five key insights from their new book, Rewiring Democracy: How AI Will Transform Our Politics, Government, and Citizenship. What’s the big idea? AI can be used both for and against the public interest within democracies. It is already being used in the governing of nations around the world [...]
Wallarm’s latest Q3 2025 API ThreatStats report [link placeholder] reveals that API vulnerabilities, exploits, and breaches are not just increasing; they’re evolving. Malicious actors are shifting from code-level weaknesses to business logic flaws, from web apps to partner integrations, and from REST to AI-powered APIs. Here’s what stood out this quarter, and what security leaders sho [...]
Did you know that most modern passports are actually embedded devices containing an entire filesystem, access controls, and support for several cryptographic protocols? Such passports display a small symbol indicating an electronic machine-readable travel document (eMRTD), which digitally stores the same personal data printed in traditional passport booklets in its embedded filesystem. Beyond allo [...]
Hi hackers, Welcome to the latest edition of Bug Bytes! In this month’s issue, we’ll be featuring: Cool trick to find disclosed secrets in internal web extensions A repository full of WAF bypasses Hacking Intercom misconfigurations Wayback Machine for hackers And so much more! Let’s dive in! INTIGRITI 1025 results are in October’s Intigriti challenge (by @chux13786509) brought hundreds of [...]
Threat insights from Datadog Security Labs for Q3 2025. [...]
Posted by Lyubov Farafonova, Product Manager, Phone by Google; Alberto Pastor Nieto, Sr. Product Manager Google Messages and RCS Spam and Abuse; Vijay Pareek, Manager, Android Messaging Trust and Safety As Cybersecurity Awareness Month wraps up, we’re focusing on one of today's most pervasive digital threats: mobile scams. In the last 12 months, fraudsters have used advanced AI tools to create [...]
Interesting article about the arms race between AI systems that invent/design new biological pathogens, and AI systems that detect them before they’re created: The team started with a basic test: use AI tools to design variants of the toxin ricin, then test them against the software that is used to screen DNA orders. The results of the test suggested there was a risk of dangerous protein var [...]
Trail of Bits is disclosing vulnerabilities in eight different confidential computing systems that use Linux Unified Key Setup version 2 (LUKS2) for disk encryption. Using these vulnerabilities, a malicious actor with access to storage disks can extract all confidential data stored on that disk and can modify the contents of the disk arbitrarily. The vulnerabilities are caused by malleable metadat [...]
A look at recent npm supply chain compromises and how we can learn from them to better prepare for future incidents. [...]
curl disclosed a bug submitted by exploitguru101: https://hackerone.com/reports/3403880 [...]
Signal has just rolled out its quantum-safe cryptographic implementation. Ars Technica has a really good article with details: Ultimately, the architects settled on a creative solution. Rather than bolt KEM onto the existing double ratchet, they allowed it to remain more or less the same as it had been. Then they used the new quantum-safe ratchet to implement a parallel secure messaging system. No [...]
As Cybersecurity Awareness Month continues, we wanted to dive even deeper into the attack methods affecting APIs. We’ve already reviewed Broken Object Level Authentication (BOLA), injection attacks, and authentication flaws; this week, we’re exploring business logic abuse (BLA). Unlike technical flaws, business logic flaws exploit how an API is designed to behave. They are difficult t [...]
Aisuru, the botnet responsible for a series of record-smashing distributed denial-of-service (DDoS) attacks this year, recently was overhauled to support a more low-key, lucrative and sustainable business: Renting hundreds of thousands of infected Internet of Things (IoT) devices to proxy services that help cybercriminals anonymize their traffic. Experts say a glut of proxies from Aisuru and other [...]
One year from now, with the release of Chrome 154 in October 2026, we will change the default settings of Chrome to enable “Always Use Secure Connections”. This means Chrome will ask for the user's permission before the first access to any public site without HTTPS. The “Always Use Secure Connections” setting warns users before accessing a site without HTTPS Chrome Security's mission is to [...]
curl disclosed a bug submitted by tjbecker_theori: https://hackerone.com/reports/3393539 [...]
Good Wall Street Journal article on criminal gangs that scam people out of their credit card information: Your highway toll payment is now past due, one text warns. You have U.S. Postal Service fees to pay, another threatens. You owe the New York City Department of Finance for unpaid traffic violations. The texts are ploys to get unsuspecting victims to fork over their credit-card details. The gan [...]
curl disclosed a bug submitted by geeknik: https://hackerone.com/reports/3400761 [...]
curl disclosed a bug submitted by max_from_secmate: https://hackerone.com/reports/3395666 [...]
I assume I don’t have to explain last week’s Louvre jewel heist. I love a good caper, and have (like many others) eagerly followed the details. An electric ladder to a second-floor window, an angle grinder to get into the room and the display cases, security guards there more to protect patrons than valuables—seven minutes, in and out. There were security lapses: The Louvre, it t [...]
Mother Jones has a long article on surveillance arms manufacturers, their wares, and how they avoid export control laws: Operating from their base in Jakarta, where permissive export laws have allowed their surveillance business to flourish, First Wap’s European founders and executives have quietly built a phone-tracking empire, with a footprint extending from the Vatican to the Middle East [...]
curl disclosed a bug submitted by nyymi: https://hackerone.com/reports/1024749 [...]
curl disclosed a bug submitted by sippysir: https://hackerone.com/reports/3400831 [...]
Cybersecurity Awareness Month: why it matters and this year’s theme. We couldn’t let Cybersecurity Awareness Month slip by without posting a bit of a fun blog on the topic, with a Halloween twist! Launched by the National Cybersecurity Alliance and the U.S. Department of Homeland Security in 2004, Cybersecurity Awareness Month was formulated to encourage, as well as provide people with the right t [...]
curl disclosed a bug submitted by asdkjhasldkjahslfdkjfa: https://hackerone.com/reports/3399774 [...]
There is a new cigar named “El Pulpo The Squid.” Yes, that means “The Octopus The Squid.” As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered. Blog moderation policy. [...]
Revive Adserver disclosed a bug submitted by kanon4: https://hackerone.com/reports/3395221 [...]
Two people found the solution. They used the power of research, not cryptanalysis, finding clues amongst the Sanborn papers at the Smithsonian’s Archives of American Art. This comes as an awkward time, as Sanborn is auctioning off the solution. There were legal threats—I don’t understand their basis—and the solvers are not publishing their solution. [...]
This is bad: F5, a Seattle-based maker of networking software, disclosed the breach on Wednesday. F5 said a “sophisticated” threat group working for an undisclosed nation-state government had surreptitiously and persistently dwelled in its network over a “long-term.” Security researchers who have responded to similar intrusions in the past took the language to mean the hack [...]
Antwerp, Belgium, Oct. 23, 2025. Intigriti, a global crowdsourced security provider, is delighted to announce its latest partnership with non-profit Shield vzw within the framework agreement with the Federal Public Service (FPS) Health in Belgium. This partnership provides essential support and services on vulnerability disclosure programs for critical national infrastructure (CNI) organisations [...]
curl disclosed a bug submitted by idris_0x: https://hackerone.com/reports/3395227 [...]
curl disclosed a bug submitted by idris_0x: https://hackerone.com/reports/3395218 [...]
Financial regulators in Canada this week levied $176 million in fines against Cryptomus, a digital payments platform that supports dozens of Russian cryptocurrency exchanges and websites hawking cybercrime services. The penalties for violating Canada’s anti money-laundering laws come ten months after KrebsOnSecurity noted that Cryptomus’s Vancouver street address was home to dozens of [...]
In her latest video, CyberMaddy dives into the world of AI-driven ethical hacking, exploring how Burp AI performs in Repeater when tasked with finding web vulnerabilities like SQL injection, cross-sit [...]
What happens when you set Burp AI loose on a deliberately vulnerable web app? In his latest video, Tib3rius takes Burp’s new agentic Burp AI capabilities for a spin - and the results are seriously coo [...]
Modern AI agents increasingly execute system commands to automate filesystem operations, code analysis, and development workflows. While some of these commands are allowed to execute automatically for efficiency, others require human approval, which may seem like robust protection against attacks like command injection. However, we’ve commonly experienced a pattern of bypassing the human app [...]
Revive Adserver disclosed a bug submitted by env_bak: https://hackerone.com/reports/3091390 [...]
SingleStore disclosed a bug submitted by axolot23: https://hackerone.com/reports/3329361 [...]
What can we learn from the recent AWS outage, and how can we apply those lessons to our own infrastructure? What Happened? On October 20, 2025, AWS experienced a major disruption that rippled across the internet (and social media), affecting widely used services such as Zoom, Microsoft Teams, Slack, and Atlassian. The issue originated not in a single data center or customer workload, but in [...]
API security has never been more important because modern APIs are operational necessities. Unfortunately, many organizations are failing to adapt their security models to a rapidly changing API threat landscape. Like it or not, we live in an AI-first world, and API security must reflect that reality. The Postman 2025 State of API Report is confirmation of that fact. AI is Becoming Bu [...]
curl disclosed a bug submitted by aybanda: https://hackerone.com/reports/3392174 [...]
Cross-site scripting vulnerabilities are, by no doubt, one of the vulnerability types that'll keep haunting applications for a long time. This seamless injection bug can often be further escalated to allow attackers to perform malicious actions on behalf of the victim, or even worse, on behalf of a vulnerable server-side component, from reading and changing account information, such as passwords o [...]
Copilot Studio links look benign, but they can host content to redirect users to arbitrary URLs. In this post, we document a method by which a Copilot Studio agent's login settings can redirect a user to any URL, including an OAuth consent attack. [...]
arkadiyt-projects disclosed a bug submitted by newby99: https://hackerone.com/reports/3383095 [...]
arkadiyt-projects disclosed a bug submitted by newby99: https://hackerone.com/reports/3384150 [...]
Discourse disclosed a bug submitted by theteatoast: https://hackerone.com/reports/3058919 [...]
PlayStation disclosed a bug submitted by theflow0: https://hackerone.com/reports/3104356 - Bounty: $5000 [...]
Cybercriminals are abusing a widespread lack of authentication in the customer service platform Zendesk to flood targeted email inboxes with menacing messages that come from hundreds of Zendesk corporate customers simultaneously. Zendesk is an automated help desk service designed to make it simple for people to contact companies for customer support issues. Earlier this week, KrebsOnSecurity start [...]
curl disclosed a bug submitted by spolu-dust: https://hackerone.com/reports/3387499 [...]
According to Statista, revenue for the gaming and esports industry is expected to demonstrate an annual growth rate (CAGR 2025-2029) of 5.56%, resulting in a projected market volume of US$5.9bn by 2029. While this scale, visibility, and monetization have been fantastic for creators, developers, and providers, this same growth comes with amplified cybersecurity risk. Throughout 2025, threat actors [...]
Authentication issues seem like low-level attacks. But authentication today – especially API authentication – can be more difficult than people expect. Companies rely on APIs to carry sensitive information every day. If access to those APIs is not properly secured, all the sophisticated security solutions companies use to protect their data elsewhere are completely undermined. A single API [...]