InfoSec Planet
A collection of diverse security content from a curated list of sources. This website also serves as a demo for "worker-planet", the software that powers it.
The Impact of Collaboration on 20/11/2024
2025 Software Supply Chain Security Trends & Predictions: AI, Shadow Application Development and Nation State Attacks by Aaron Bray on 20/11/2024
Roughly 30-50k software packages are published in the open-source ecosystem every day. So far this year, Phylum has found nearly 35,000 malicious packages, uncovering bad actors executing everything from typosquatting to dependency confusion to starjacking to Nation-State attacks. As current trends continue, the adoption of generative AI proliferates. We anticipate deregulation and new policies to [...]
LIVE: Hacking, AppSec and Cybersecurity | TryHackMe on 20/11/2024
Leveling Up Fuzzing: Finding more vulnerabilities with AI on 20/11/2024
Posted by Oliver Chang, Dongge Liu and Jonathan Metzman, Google Open Source Security Team. Recently, OSS-Fuzz reported 26 new vulnerabilities to open source project maintainers, including one vulnerability in the critical OpenSSL library (CVE-2024-9143) that underpins much of internet infrastructure. The reports themselves aren’t unusual—we’ve reported and helped maintainers fix over 11,000 vulnerab [...]
Steve Bellovin’s Retirement Talk on 20/11/2024
Steve Bellovin is retiring. Here’s his retirement talk, reflecting on his career and what the cybersecurity field needs next. [...]
csrftoken not unique to session or specific user and csrfmiddlewaretoken can be altered on 20/11/2024
Mozilla disclosed a bug submitted by bashbdeer: https://hackerone.com/reports/2513333 [...]
Reflected XSS in https://www.acronis.com/products/cyber-protect/trial/ on 20/11/2024
Acronis disclosed a bug submitted by tomblorg: https://hackerone.com/reports/1891926 - Bounty: $100 [...]
Api data leak on 20/11/2024
Planet Labs disclosed a bug submitted by y0usef: https://hackerone.com/reports/1639011 [...]
Holiday Hack Challenge Game Modes on 20/11/2024
How HackerOne Employees Stay Connected and Have Fun by Marina Briones on 20/11/2024
Fintech Giant Finastra Investigating Data Breach by BrianKrebs on 20/11/2024
The financial technology firm Finastra is investigating the alleged large-scale theft of information from its internal file transfer platform, KrebsOnSecurity has learned. Finastra, which provides software and services to 45 of the world’s top 50 banks, notified customers of the security incident after a cybercriminal began selling more than 400 gigabytes of data purportedly stolen from the [...]
A Phish All Along on 20/11/2024
RXSS in via S parameter on 19/11/2024
Mars disclosed a bug submitted by mo_salah12: https://hackerone.com/reports/2307913 [...]
sensitive data-creds for database - private key on 19/11/2024
Mars disclosed a bug submitted by mo_salah12: https://hackerone.com/reports/2396630 [...]
CSRF in Delete Pet Function on 19/11/2024
Mars disclosed a bug submitted by mo_salah12: https://hackerone.com/reports/2445106 [...]
Reflected XSS on formaction parameter on 19/11/2024
Mars disclosed a bug submitted by e5p3ctr0x96: https://hackerone.com/reports/2089895 [...]
Broken Access Control Lesson Series - What is it? An introduction To Bug Bounty Piggy Bank - 4/4 on 19/11/2024
A potential risk in the cloudFrontExtensionsConsole which can be used for privilege escalation. on 19/11/2024
AWS VDP disclosed a bug submitted by zolaer9527: https://hackerone.com/reports/2805173 [...]
Evaluating Solidity support in AI coding assistants by Trail of Bits on 19/11/2024
By Artem Dinaburg. AI-enabled code assistants (like GitHub’s Copilot, Continue.dev, and Tabby) are making software development faster and more productive. Unfortunately, these tools are often bad at Solidity. So we decided to improve them! To make it easier to write, edit, and understand Solidity with AI-enabled tools, we have: Added support for Solidity into Tabby and Continue.dev, two local, pri [...]
Why Italy Sells So Much Spyware on 19/11/2024
Interesting analysis: Although much attention is given to sophisticated, zero-click spyware developed by companies like Israel’s NSO Group, the Italian spyware marketplace has been able to operate relatively under the radar by specializing in cheaper tools. According to an Italian Ministry of Justice document, as of December 2022 law enforcement in the country could rent spyware for €150 a day, re [...]
Holiday Hack Challenge Starts THIS November on 19/11/2024
Hackerone supports accounts organization takeover on 19/11/2024
HackerOne disclosed a bug submitted by madara_: https://hackerone.com/reports/2798380 - Bounty: $2500 [...]
Heap-Buffer-Overread in contains_whitespace when calling parser_validate after supplying a maliciously crafted buffer to parser_parse on 19/11/2024
Cosmos disclosed a bug submitted by l33thaxor: https://hackerone.com/reports/2806356 - Bounty: $2000 [...]
Phishing Email Telltale Indicators on 19/11/2024
How REI Strengthens Security with HackerOne’s Global Security Researcher Community by HackerOne on 19/11/2024
REI's senior application security engineer discusses their program success, evolving goals, and the value of the security researcher community. [...]
Most of 2023’s Top Exploited Vulnerabilities Were Zero-Days on 18/11/2024
Zero-day vulnerabilities are more commonly used, according to the Five Eyes: Key Findings: In 2023, malicious cyber actors exploited more zero-day vulnerabilities to compromise enterprise networks compared to 2022, allowing them to conduct cyber operations against higher-priority targets. In 2023, the majority of the most frequently exploited vulnerabilities were initially exploited as a zero-day, [...]
Share information of Tables app is not limited to affected users on 18/11/2024
Nextcloud disclosed a bug submitted by cx75fa: https://hackerone.com/reports/2705507 [...]
5 Lessons That Made Me $1M Since 2022 on 18/11/2024
Taming API Sprawl: Best Practices for API Discovery and Management by Alexey Novgorodov on 18/11/2024
APIs are the backbone of interconnected applications, enabling organizations to innovate, integrate, and scale rapidly. However, as enterprises continue to expand their digital ecosystems, they often encounter a common and complex challenge: API sprawl. Unchecked, API sprawl can lead to increased security risks, inefficient resource utilization, and the frustrating experience of redundant or hard [...]
Collaborative Hacking with HHC 2024 on 18/11/2024
One-Click Compromise on 18/11/2024
Picking Locks Is A Sport - Lock Picking Biker on 17/11/2024
Open redirect Via X-Forwarded-Host on 17/11/2024
Omise disclosed a bug submitted by ndizon_: https://hackerone.com/reports/1479889 [...]
Nextcloud Tables app - inserting rows to an arbitrary table possible on 17/11/2024
Nextcloud disclosed a bug submitted by tuyenee: https://hackerone.com/reports/2671404 [...]
A Holiday Hacking Dream on 17/11/2024
LTT Account Takeover on 17/11/2024
TCM Security 2024 Black Friday Cyber Monday Sale is Here! on 16/11/2024
CVE-2017-9822 DotNetNuke Cookie Deserialization Remote Code Execution (RCE) on lonidoor.mtn.ci on 16/11/2024
MTN Group disclosed a bug submitted by offensiveops: https://hackerone.com/reports/2762119 [...]
Broken Access Control Lesson Series - What is it? An introduction To Bug Bounty Piggy Bank - 3/4 on 16/11/2024
User can copy locked folders and gain access to the contents on 16/11/2024
Nextcloud disclosed a bug submitted by maccs: https://hackerone.com/reports/2447316 - Bounty: $500 [...]
Holiday Hack Challenge 2024 on 16/11/2024
Fell For a Phish on 16/11/2024
Friday Squid Blogging: Female Gonatus Onyx Squid Carrying Her Eggs on 15/11/2024
Fantastic video of a female Gonatus onyx squid swimming while carrying her egg sack. An earlier related post. Blog moderation policy. [...]
Flexible Data Retrieval at Scale with HAQL by Robert Coleman on 15/11/2024
HAQL: HackerOne's simplified query interface for writing performant aggregate queries on tables modeled purposefully for data analysis. [...]
Retrofitting spatial safety to hundreds of millions of lines of C++ on 15/11/2024
Posted by Alex Rebert and Max Shavrick, Security Foundations, and Kinuko Yasuda, Core Developer. Attackers regularly exploit spatial memory safety vulnerabilities, which occur when code accesses a memory allocation outside of its intended bounds, to compromise systems and sensitive data. These vulnerabilities represent a major security risk to users. Based on an analysis of in-the-wild [...]
AI in SecOps: How AI is Impacting Red and Blue Team Operations by HackerOne on 15/11/2024
View survey results and analysis of how AI in SecOps is impacting red and blue team operations. [...]
Build Your Own Wi-Fi Hacking Tool (ESP32 Marauder) on 15/11/2024
Open redirect when logging in with user_oidc on 15/11/2024
Nextcloud disclosed a bug submitted by kesselb: https://hackerone.com/reports/2720030 [...]
World Building for SANS Holiday Hack Challenge on 15/11/2024
Attachments folder for Text app is accessible on Files Drop/Password protected shares on 15/11/2024
Nextcloud disclosed a bug submitted by lukasreschke: https://hackerone.com/reports/2376900 [...]
Mail auto configurator can be tricked into sending account information to wrong servers on 15/11/2024
Nextcloud disclosed a bug submitted by shushangw: https://hackerone.com/reports/2508422 - Bounty: $100 [...]
Good Essay on the History of Bad Password Policies on 15/11/2024
Stuart Schechter makes some good points on the history of bad password policies: Morris and Thompson’s work brought much-needed data to highlight a problem that lots of people suspected was bad, but that had not been studied scientifically. Their work was a big step forward, if not for two mistakes that would impede future progress in improving passwords for decades. First, was Morris and Th [...]
An Interview With the Target & Home Depot Hacker by BrianKrebs on 15/11/2024
In December 2023, KrebsOnSecurity revealed the real-life identity of Rescator, the nickname used by a Russian cybercriminal who sold more than 100 million payment cards stolen from Target and Home Depot between 2013 and 2014. Moscow resident Mikhail Shefel, who confirmed using the Rescator identity in a recent interview, also admitted reaching out because he is broke and seeking publicity for seve [...]
Unauthenticated phpinfo() files could lead to the ability to read files at h3f6.n1.ips.mtn.co.ug on 15/11/2024
MTN Group disclosed a bug submitted by offensiveops: https://hackerone.com/reports/2764952 [...]
Broken Access Control Lesson Series - What is it? An introduction To Bug Bounty Piggy Bank - 2/4 on 14/11/2024
Takeover of hackerone.engineering via Medium on 14/11/2024
HackerOne disclosed a bug submitted by raditz: https://hackerone.com/reports/2709660 [...]
Cities Skylines II Malware [FULL REVERSE ENGINEERING ANALYSIS] on 14/11/2024
Attestations: A new generation of signatures on PyPI by William Woodruff on 14/11/2024
For the past year, we’ve worked with the Python Package Index (PyPI) on a new security feature for the Python ecosystem: index-hosted digital attestations, as specified in PEP 740. These attestations improve on traditional PGP signatures (which have been disabled on PyPI) by providing key usability, index verifiability, cryptographic strength, and provenance properties that bring us one step close [...]
New iOS Security Feature Makes It Harder for Police to Unlock Seized Phones on 14/11/2024
Everybody is reporting about a new iPhone security feature in iOS 18: if the phone hasn’t been used for a few days, it automatically goes into its “Before First Unlock” state and has to be rebooted. This is a really good security feature. But various police departments don’t like it, because it makes it harder for them to unlock suspects’ phones. [...]
HackerOne’s Fall Day of Service by debbie@hackerone.com on 14/11/2024
How HackerOne Disproved an MFA Bypass With a Spot Check by Ian Melven on 14/11/2024
Read how HackerOne's internal security team disproved an alleged MFA bypass with a targeted Spot Check. [...]
The 8th Annual Hacker-Powered Security Report: An overview on 13/11/2024
LIVE: C2 Hacking | Cybersecurity | TryHackMe on 13/11/2024
Can see phone numbers of others by providing mail address on 13/11/2024
LinkedIn disclosed a bug submitted by sevada797: https://hackerone.com/reports/2534458 [...]
Safer with Google: New intelligent, real-time protections on Android to keep you safe on 13/11/2024
Posted by Lyubov Farafonova, Product Manager, and Steve Kafka, Group Product Manager, Android. User safety is at the heart of everything we do at Google. Our mission to make technology helpful for everyone means building features that protect you while keeping your privacy top of mind. From Gmail’s defenses that stop more than 99.9% of spam, phishing and malware, to Google Messages’ advanced secur [...]
Your AppSec Journey Demystified: Driving Effective API Security with Wallarm and StackHawk by Tim Erlin on 13/11/2024
There is no doubt that attackers have shifted their attention to APIs. Wallarm’s API ThreatStats research identifies that 70% of attacks now target APIs instead of Web Applications. While APIs have become the backbone of innovation and connectivity for businesses, they have also introduced a vast attack surface that’s challenging to defend with traditional methods alone. To address these unique A [...]
Availability Impact from Exploiting Project Name Vulnerabilities on 13/11/2024
Doppler disclosed a bug submitted by mr_root_0101: https://hackerone.com/reports/2801036 - Bounty: $250 [...]
SaaS apps are vulnerable too!!! (ServiceNow Exploitation) on 13/11/2024
IDOR in backup recovery functionality on 13/11/2024
Acronis disclosed a bug submitted by theelgo64: https://hackerone.com/reports/1901713 [...]
Mapping License Plate Scanners in the US on 13/11/2024
DeFlock is a crowd-sourced project to map license plate scanners. It only records the fixed scanners, of course. The mobile scanners on cars are not mapped. [...]
To succeed in bug bounty, be a specialist feat. Louis Nyffenegger #bugbounty #bugbountytips on 13/11/2024
Killing Filecoin nodes by Trail of Bits on 13/11/2024
By Simone Monica. In January, we identified and reported a vulnerability in the Lotus and Venus clients of the Filecoin network that allowed an attacker to remotely crash a node and trigger a denial of service. This issue is caused by an incorrect validation of an index, resulting in an index out-of-range panic. The vulnerability demonstrates an insecure practice we often observe in our audits of b [...]
Microsoft Patch Tuesday, November 2024 Edition by BrianKrebs on 12/11/2024
Microsoft today released updates to plug at least 89 security holes in its Windows operating systems and other software. November’s patch batch includes fixes for two zero-day vulnerabilities that are already being exploited by attackers, as well as two other flaws that were publicly disclosed prior to today. The zero-day flaw tracked as CVE-2024-49039 is a bug in the Windows Task Scheduler [...]
Let's Run Some Malware - Any.Run Demonstration on 12/11/2024
Context is King: Using API Sessions for Security Context by Tim Erlin on 12/11/2024
There’s no doubt that API security is a hot topic these days. The continued growth in API-related breaches and the increase in publicized API vulnerabilities have pushed API security to the top of CISOs’ lists. The tools in the market for API security still have room for improvement, of course. One of the challenges security practitioners face with APIs is understanding the context in which an attack [...]
Criminals Exploiting FBI Emergency Data Requests on 12/11/2024
I’ve been writing about the problem with lawful-access backdoors in encryption for decades now: that as soon as you create a mechanism for law enforcement to bypass encryption, the bad guys will use it too. Turns out the same thing is true for non-technical backdoors: The advisory said that the cybercriminals were successful in masquerading as law enforcement by using compromised police acco [...]
A method for finding 0days feat. Louis Nyffenegger #bugbounty #bugbountytips #bugbountyhunter on 12/11/2024
Join Me In My Bug Bounty Cyber Crusades! on 11/11/2024
Afraid of heights on 11/11/2024
Do This For Your First $100,000 in Bounties on 11/11/2024
The Hidden Costs of API Breaches: Quantifying the Long-Term Business Impact by Tim Erlin on 11/11/2024
API attacks can be costly. Really costly. Obvious financial impacts like legal fines, stolen finances, and incident response budgets can run into the hundreds of millions. However, other hidden costs often compound the issue, especially if you’re not expecting them. This article will explore the obvious and hidden costs of API breaches, their long-term business impacts, and how you can c [...]
Most common websec problems specific to Ruby on Rails feat. Louis Nyffenegger #bugbounty #bugbountyt on 11/11/2024
Broken Access Control Lesson Series - What is it? An introduction To Bug Bounty Piggy Bank - 1/4 on 10/11/2024
FBI: Spike in Hacked Police Emails, Fake Subpoenas by BrianKrebs on 09/11/2024
The Federal Bureau of Investigation (FBI) is urging police departments and governments worldwide to beef up security around their email systems, citing a recent increase in cybercriminal services that use hacked police email accounts to send unauthorized subpoenas and customer data requests to U.S.-based technology companies. In an alert (PDF) published this week, the FBI said it has seen an upti [...]
I am missing bugs because of this #bugbounty #bugbountytips #bugbountyhunter on 09/11/2024
Friday Squid Blogging: Squid-A-Rama in Des Moines on 08/11/2024
Squid-A-Rama will be in Des Moines at the end of the month. Visitors will be able to dissect squid, explore fascinating facts about the species, and witness a live squid release conducted by local divers. How are they doing a live squid release? Simple: this is Des Moines, Washington; not Des Moines, Iowa. Blog moderation policy. [...]
Car Hacking: With or Without a Flipper Zero on 08/11/2024
AI Industry is Trying to Subvert the Definition of “Open Source AI” on 08/11/2024
The Open Source Initiative has published (news article here) its definition of “open source AI,” and it’s terrible. It allows for secret training data and mechanisms. It allows for development to be done in secret. Since for a neural network, the training data is the source code—it’s how the model gets programmed—the definition makes no sense. And it’s con [...]
Leakage of traffic in plaintext towards the IP address of VPN server on 08/11/2024
Mozilla disclosed a bug submitted by vanhoefm: https://hackerone.com/reports/1987687 [...]
Leaking VPN traffic through non-RFC1918 local IP addresses on 08/11/2024
Mozilla disclosed a bug submitted by vanhoefm: https://hackerone.com/reports/1987680 [...]
A common problem people make when learning websec feat. Louis Nyffenegger #bugbounty #bugbountytips on 08/11/2024
A beginner's roadmap for playing CTFs: 10 practical tips for beginners by novasecio on 08/11/2024
Capture The Flag (CTF) challenges are fun to play, form a powerful training ground and help drastically develop your hacking skills. CTF competitions come in many forms, from malware analysis to web vulnerability challenges. Some CTF events also provide the winners with cash rewards (bounties), exclusive and limited-edition prizes (such as swag), and even job offers! However, t… [...]
Buffer overflow in strcpy on 07/11/2024
curl disclosed a bug submitted by rootgh0st: https://hackerone.com/reports/2823554 [...]
That’s why most people are bad at code review feat. Louis Nyffenegger #bugbounty #bugbountytips on 07/11/2024
AI-Powered APIs: Expanding Capabilities and Attack Surfaces by Ivan Novikov on 07/11/2024
AI and APIs have a symbiotic relationship. APIs power AI by providing the necessary data and functionality, while AI enhances API security through advanced threat detection and automated responses. In 2023, 83% of Internet traffic traveled through APIs, but there was a 21% increase in API-related vulnerabilities in Q3 2024, severely impacting AI. The relationship between AI and APIs expands capab [...]
Game Hacking 102: Pwn Adventure 3 on 07/11/2024
Unlocking Engagement with Employee Feedback by Pamela Greenberg on 06/11/2024
A potential risk in the experimental-programmatic-access-ccft which can be used for privilege escalation. on 06/11/2024
AWS VDP disclosed a bug submitted by zolaer9527: https://hackerone.com/reports/2808412 [...]