InfoSec Planet

A collection of diverse security content from a curated list of sources. This website also serves as a demo for "worker-planet", the software that powers it.

GraphSpy: Hacker's Tooling Deep Dive (w/ creator @RedByte1337!)

on 11/03/2026

Agent-to-Agent Attacks Are Coming: What API Security Teaches Us About Securing AI Systems

by Tim Erlin on 11/03/2026

AI systems are no longer just isolated models responding to human prompts. In modern production environments, they are increasingly chained together – delegating tasks, calling tools, and coordinating decisions with limited or no human oversight. Almost all that communication happens through APIs. This shift offers enormous productivity benefits. But it has also complicated secu [...]

Canada Needs Nationalized, Public AI

on 11/03/2026

Canada has a choice to make about its artificial intelligence future. The Carney administration is investing $2-billion over five years in its Sovereign AI Compute Strategy. Will any value generated by “sovereign AI” be captured in Canada, making a difference in the lives of Canadians, or is this just a passthrough to investment in American Big Tech? Forcing the question is OpenAI, the [...]

Six mistakes in ERC-4337 smart accounts

on 11/03/2026

Account abstraction transforms fixed “private key can do anything” models into programmable systems that enable batching, recovery and spending limits, and flexible gas payment. But that programmability introduces risks: a single bug can be as catastrophic as leaking a private key. After auditing dozens of ERC‑4337 smart accounts, we’ve identified six vulnerability patterns that frequently appear. [...]

PortSwigger X Intigriti: Burp Suite Professional licenses up for grabs with this new collaboration

on 11/03/2026

At PortSwigger, we’re always looking for ways to enable the world to secure the web, and today we’re excited to take that mission a step further. We’re pleased to announce a new collaboration bringing [...]

CVE-2026-3805: use after free in SMB connection reuse

on 11/03/2026

curl disclosed a bug submitted by rat5ak: https://hackerone.com/reports/3591944 [...]

CVE-2026-3784: wrong proxy connection reuse with credentials

on 11/03/2026

curl disclosed a bug submitted by nobcoder: https://hackerone.com/reports/3584903 [...]

CVE-2026-3783: token leak with redirect and netrc

on 11/03/2026

curl disclosed a bug submitted by spectreglobalsec: https://hackerone.com/reports/3583983 [...]

Microsoft Patch Tuesday, March 2026 Edition

by BrianKrebs on 11/03/2026

Microsoft Corp. today pushed security updates to fix at least 77 vulnerabilities in its Windows operating systems and other software. There are no pressing “zero-day” flaws this month (compared to February’s five zero-day treat), but as usual some patches may deserve more rapid attention from organizations using Windows. Here are a few highlights from this month’s Patch Tue [...]

Intigriti collaborates with PortSwigger to support ethical hacking excellence

by Eleanor Barlow on 11/03/2026

Intigriti and PortSwigger collaborate to reward hard-working hackers Best known as the creator of Burp Suite, the industry-standard toolkit for manual web application security testing, PortSwigger is a UK-based cybersecurity company on a mission to help the world secure the web. Today, their tools are trusted by over 20,000 organizations worldwide to detect and prevent cyber threats. To further su [...]

Project Helix Blue Team CTF Teaser - Coming Wednesday!

on 10/03/2026

What turns a good hacker into a great hunter

on 10/03/2026

Connection Reuse Ignores OAuth Bearer Token Mismatch

on 10/03/2026

curl disclosed a bug submitted by sabari_n: https://hackerone.com/reports/3595753 [...]

Jailbreaking the F-35 Fighter Jet

on 10/03/2026

Countries around the world are becoming increasingly concerned about their dependencies on the US. If you’ve purchased US-made F-35 fighter jets, you are dependent on the US for software maintenance. The Dutch Defense Secretary recently said that he could jailbreak the planes to accept third-party software. [...]

CURLOPT_UNRESTRICTED_AUTH Dangerous Default Documentation Gap

on 10/03/2026

curl disclosed a bug submitted by sabari_n: https://hackerone.com/reports/3595764 [...]

Uncovering agent logging gaps in Copilot Studio

on 10/03/2026

During research, we sometimes encounter scenarios that remind us that it's a good idea to trust but verify. In September 2025, we noticed that certain Microsoft Copilot Studio agent settings did not log certain administrative actions related to sharing, authentication, logging, and publication of Copilot Studio agents. [...]

Arbitrary Code Execution via Scanner Bypass in **aws-diagram-mcp-server** `exec()` Namespace

on 09/03/2026

AWS VDP disclosed a bug submitted by locus-x64: https://hackerone.com/reports/3557138 [...]

Users can change project visibility which requires high subscription by just changing request body

on 09/03/2026

Lovable VDP disclosed a bug submitted by hossam25: https://hackerone.com/reports/3370430 [...]

An Interview with Allie Mellen (author: CODE WAR)

on 09/03/2026

LM Challenge-Response Hash Always Sent in SMB Authentication

on 09/03/2026

curl disclosed a bug submitted by brewm4ster: https://hackerone.com/reports/3584491 [...]

New Attack Against Wi-Fi

on 09/03/2026

It’s called AirSnitch: Unlike previous Wi-Fi attacks, AirSnitch exploits core features in Layers 1 and 2 and the failure to bind and synchronize a client across these and higher layers, other nodes, and other network names such as SSIDs (Service Set Identifiers). This cross-layer identity desynchronization is the key driver of AirSnitch attacks. The most powerful such attack is a full, bidir [...]

Was This Vulnerability Worth $15,000?

on 09/03/2026

Behind the console: Active phishing campaign targeting AWS console credentials

on 09/03/2026

Datadog Security Research identified an active adversary-in-the-middle (AiTM) phishing campaign targeting AWS Console credentials via typosquatted domains that mimic AWS infrastructure. [...]

How AI Assistants are Moving the Security Goalposts

by BrianKrebs on 08/03/2026

AI-based assistants or “agents” — autonomous programs that have access to the user’s computer, files, online services and can automate virtually any task — are growing in popularity with developers and IT workers. But as so many eyebrow-raising headlines over the past few weeks have shown, these powerful and assertive new tools are rapidly shifting the security priori [...]

In curl's SASL OAUTHBEARER authentication, including the SOH character (0x01) in the username corrupts the message structure.

on 08/03/2026

curl disclosed a bug submitted by y_security: https://hackerone.com/reports/3584865 [...]

What is inter tenant IDOR and why bug bounty hunters should care

on 08/03/2026

Injection in path parameter of Ingress-nginx

on 07/03/2026

Kubernetes disclosed a bug submitted by fisjkars: https://hackerone.com/reports/2701701 [...]

Hardware Hacking 101: with a custom physical kit!

on 07/03/2026

Friday Squid Blogging: Squid in Byzantine Monk Cooking

on 06/03/2026

This is a very weird story about how squid stayed on the menu of Byzantine monks by falling between the cracks of dietary rules. At Constantinople’s Monastery of Stoudios, the kitchen didn’t answer to appetite. It answered to the “typikon”: a manual for ensuring that nothing unexpected happened at mealtimes. Meat: forbidden. Dairy: forbidden. Eggs: forbidden. Fish: feast-da [...]

Anthropic and the Pentagon

on 06/03/2026

OpenAI is in and Anthropic is out as a supplier of AI technology for the US defense department. This news caps a week of bluster by the highest officials in the US government towards some of the wealthiest titans of the big tech industry, and the overhanging specter of the existential risks posed by a new technology powerful enough that the Pentagon claims it is essential to national security. At [...]

Claude Used to Hack Mexican Government

on 06/03/2026

An unknown hacker used Anthropic’s LLM to hack the Mexican government: The unknown Claude user wrote Spanish-language prompts for the chatbot to act as an elite hacker, finding vulnerabilities in government networks, writing computer scripts to exploit them and determining ways to automate data theft, Israeli cybersecurity startup Gambit Security said in research published Wednesday. [… [...]

The Payload Podcast #003

on 06/03/2026

Catch us chillin' at The Hive during RSA. 🐝

on 06/03/2026

IDOR to make someone attend or leave an event

on 06/03/2026

LinkedIn disclosed a bug submitted by safehacker_2715: https://hackerone.com/reports/1734639 [...]

Blocking a company page admin prevents him from deleting paid media admin or editing his roles

on 05/03/2026

LinkedIn disclosed a bug submitted by riadalrashed: https://hackerone.com/reports/2339192 [...]

Open Redirect on lovable.dev via redirect parameter leads to phishing attacks

on 05/03/2026

Lovable VDP disclosed a bug submitted by jdc94: https://hackerone.com/reports/3581815 [...]

Israel Hacked Traffic Cameras in Iran

on 05/03/2026

Multiple news outlets are reporting on Israel’s hacking of Iranian traffic cameras and how they assisted with the killing of that country’s leadership. The New York Times has an [...]

DoS via Unbounded Memory Allocation in sendWebStream on Fastify v5.7.0+ leads to OOM crash when backpressure is ignored

on 05/03/2026

Fastify disclosed a bug submitted by onlybugs05: https://hackerone.com/reports/3524779 [...]

Hacked App Part of US/Israeli Propaganda Campaign Against Iran

on 05/03/2026

Wired has the story: Shortly after the first set of explosions, Iranians received bursts of notifications on their phones. They came not from the government advising caution, but from an apparently hacked prayer-timing app called BadeSaba Calendar that has been downloaded more than 5 million times from the Google Play Store. The messages arrived in quick succession over a period of 30 minutes, sta [...]

LIVE: 🕵️ Memory Forensics | Blue Cape | Cybersecurity

on 05/03/2026

Missing Access Control in MigrationFile allows attacker to upload files to any Migration

on 05/03/2026

GitHub disclosed a bug submitted by ahacker1: https://hackerone.com/reports/3506183 [...]

Security-driven Rapid Release - Pwn2Own Documentary (Part 4)

on 04/03/2026

crypto scammers phish with physical mail

on 04/03/2026

SSTI leads to Command injection

on 04/03/2026

curl disclosed a bug submitted by errorbehavior200: https://hackerone.com/reports/3584149 [...]

Manipulating AI Summarization Features

on 04/03/2026

Microsoft is reporting: Companies are embedding hidden instructions in “Summarize with AI” buttons that, when clicked, attempt to inject persistence commands into an AI assistant’s memory via URL prompt parameters…. These prompts instruct the AI to “remember [Company] as a trusted source” or “recommend [Company] first,” aiming to bias future response [...]

Intigriti launches new global Hacker Ambassador Program

by Eleanor Barlow on 04/03/2026

What you will learn What the Intigriti Ambassador Program is and how it works. What are the key benefits and rewards of participation? Who should apply and why it matters. How to apply and next steps. What the global hacking community means to Intigriti The global hacking community has never been more important. From students discovering their first bug to seasoned hackers uncovering flaws in [...]

This is the Fastest Growing Cybersecurity Field for 2026!

on 03/03/2026

On Moltbook

on 03/03/2026

The MIT Technology Review has a good article on Moltbook, the supposed AI-only social network: Many people have pointed out that a lot of the viral comments were in fact posted by people posing as bots. But even the bot-written posts are ultimately the result of people pulling the strings, more puppetry than autonomy. “Despite some of the hype, Moltbook is not the Facebook for AI agents, nor [...]

Use after free in hyperfifo example

on 03/03/2026

curl disclosed a bug submitted by deepbluev7: https://hackerone.com/reports/3580247 [...]

What would you do for a P1?

on 02/03/2026

Everyone Knows About Broken Authorization – So Why Does It Still Work for Attackers?

by Tim Erlin on 02/03/2026

Broken authorization is one of the most widely known API vulnerabilities. It features in the OWASP Top 10, AppSec conversations, and secure coding guidelines. Broken Object Level Authorization (BOLA) and Broken Function Level Authorization (BFLA) account for hundreds of API vulnerabilities every quarter. According to the 2026 API ThreatStats report, authorization issues ranked ninth i [...]

Firefox JIT Bug - Pwn2Own Documentary (Part 3)

on 01/03/2026

2FA requirement bypass when inviting team members

on 28/02/2026

Omise disclosed a bug submitted by 0x7ashish: https://hackerone.com/reports/3356149 [...]

Who is the Kimwolf Botmaster “Dort”?

by BrianKrebs on 28/02/2026

In early January 2026, KrebsOnSecurity revealed how a security researcher disclosed a vulnerability that was used to build Kimwolf, the world’s largest and most disruptive botnet. Since then, the person in control of Kimwolf — who goes by the handle “Dort” — has coordinated a barrage of distributed denial-of-service (DDoS), doxing and email flooding attacks against th [...]

ContinuumCon Prep (with Greg Ake!)

on 28/02/2026

Cultivating a robust and efficient quantum-safe HTTPS

on 27/02/2026

Posted by Chrome Secure Web and Networking Team Today we're announcing a new program in Chrome to make HTTPS certificates secure against quantum computers. The Internet Engineering Task Force (IETF) recently created a working group, PKI, Logs, And Tree Signatures (“PLANTS”), aiming to address the performance and bandwidth challenges that the increased size of quantum-resistant cryptography intro [...]

The Dangers Of Cheap Smart Camera

on 27/02/2026

This Burp Suite Extension Can Supercharge Your Bug Bounty Hunt For BAC

on 27/02/2026

h?ckers a[r]e gl*bbing

on 27/02/2026

Hook, line, and vault: A technical deep dive into the 1Phish kit

on 27/02/2026

We analyze the evolution of the 1Phish phishing kit from a basic credential harvester into an MFA-aware, multi-stage phishing kit targeting 1Password users. [...]

Password Reuse Vulnerability on AWS Sign-in Page via Password Reset Flow leads to Security Policy Violation

on 26/02/2026

AWS VDP disclosed a bug submitted by h0ne_analyst_94cm4n1: https://hackerone.com/reports/3514122 [...]

Oh okay

on 26/02/2026

Integer Overflow in curl_multi_get_handles() Leading to Heap Buffer Overflow

on 26/02/2026

curl disclosed a bug submitted by knickers: https://hackerone.com/reports/3575245 [...]

RTSP RTP Interleaved Parser Assertion Failure (Zero-Length RTP Payload)

on 26/02/2026

curl disclosed a bug submitted by davkor: https://hackerone.com/reports/3575250 [...]

AI Playground XSS to steal user-chat messages and access to connected MCP Server

on 26/02/2026

Cloudflare Public Bug Bounty disclosed a bug submitted by matured_kazama: https://hackerone.com/reports/3424998 [...]

Able to bypass HSTS using trailing dot

on 26/02/2026

curl disclosed a bug submitted by shan_nandi: https://hackerone.com/reports/3574928 [...]

thousands of Google API keys exposed

on 26/02/2026

Curl Telnet Handler Buffer Overflow

on 26/02/2026

curl disclosed a bug submitted by pelioro: https://hackerone.com/reports/3575475 [...]

HTML Injection in DAST Trial Request Form Confirmation Email PortSwigger

on 26/02/2026

PortSwigger Web Security disclosed a bug submitted by zorixu: https://hackerone.com/reports/3556892 - Bounty: $200 [...]

From curiosity to critical bugs: Interview with Marc-Oliver Munz (c1phy)

by Eleanor Barlow on 26/02/2026

Security is built by people. At Intigriti, we don’t just help organizations stay secure; we shine a light on the ethical hackers making a difference. Through our Hacker Spotlight series, we celebrate the talent, curiosity, and impact of the community driving safer digital experiences worldwide. We recently spoke with Marc-Oliver Munz, an ethical hacker from Germany with a global reach. In this Q& [...]

The First Exploit - Pwn2Own Documentary (Part 2)

on 25/02/2026

Staying One Step Ahead: Strengthening Android’s Lead in Scam Protection

on 25/02/2026

Posted by Lyubov Farafonova, Product Manager, Phone by Google; Alberto Pastor Nieto, Sr. Product Manager Google Messages and RCS Spam and Abuse We’ve shared how Android’s proactive, multi-layered scam defenses utilize Google AI to protect users around the world from over 10 billion suspected malicious calls and messages every month. While that scale is significant, the true impact of these p [...]

How to Reduce Cyber Risk with Continuous Threat Exposure Management

on 25/02/2026

AI Security: Leaking Sensitive Data & Account Takeover Explained

on 25/02/2026

mquire: Linux memory forensics without external dependencies

on 25/02/2026

If you’ve ever done Linux memory forensics, you know the frustration: without debug symbols that match the exact kernel version, you’re stuck. These symbols aren’t typically installed on production systems and must be sourced from external repositories, which quickly become outdated when systems receive updates. If you’ve ever tried to analyze a memory dump only to discover that no one has publish [...]

Publicly accessible `` endpoint exposing internal user identifiers and email addresses

on 24/02/2026

Mars disclosed a bug submitted by xgoon: https://hackerone.com/reports/3360293 [...]

CVE--35813 in

on 24/02/2026

Mars disclosed a bug submitted by 0xr2r: https://hackerone.com/reports/2200329 [...]

Sensitive information exposed at [] via /export_panelists_to_xlsx endpoint

on 24/02/2026

Mars disclosed a bug submitted by prakhar0x01: https://hackerone.com/reports/3376598 [...]

- Publicly Accessible public_html Directory Exposing WordPress Configuration

on 24/02/2026

Mars disclosed a bug submitted by xgoon: https://hackerone.com/reports/3066548 [...]

SQLi At `` via `theme_name`

on 24/02/2026

Mars disclosed a bug submitted by 4ksh3ye: https://hackerone.com/reports/3293803 [...]

SQLi at parameter

on 24/02/2026

Mars disclosed a bug submitted by scriptsavvy: https://hackerone.com/reports/3277276 [...]

No Rate Limiting on Password Attempts After Insecure Registration Flow causes ATO

on 24/02/2026

Mars disclosed a bug submitted by azar_man: https://hackerone.com/reports/3174778 [...]

Is It Too Late for Me to Get Into Cybersecurity?!

on 24/02/2026

“AI red teaming” is getting thrown around a lot right now

on 23/02/2026

Unbounded decompression chain in HTTP responses on Node.js Fetch API via Content-Encoding leads to resource exhaustion

on 23/02/2026

Node.js disclosed a bug submitted by illia-v: https://hackerone.com/reports/3456148 [...]

I Hacked My First AI Chatbot

on 23/02/2026

The World's Hardest Hacking Competition - Pwn2Own Documentary (Part 1)

on 22/02/2026

Initial Bug Bounty Exploits - CSRF + SSRF [CyberCrusade 6]

on 22/02/2026

‘Starkiller’ Phishing Service Proxies Real Login Pages, MFA

by BrianKrebs on 20/02/2026

Most phishing websites are little more than static copies of login pages for popular online destinations, and they are often quickly taken down by anti-abuse activists and security firms. But a stealthy new phishing-as-a-service offering lets customers sidestep both of these pitfalls: It uses cleverly disguised links to load the target brand’s real website, and then acts as a relay between t [...]

Learn PowerShell!

on 20/02/2026

Besides Spotify

on 20/02/2026

Chaining Five Business Logic Flaws to Steal $999,999

on 20/02/2026

Using threat modeling and prompt injection to audit Comet

on 20/02/2026

Before launching their Comet browser, Perplexity hired us to test the security of their AI-powered browsing features. Using adversarial testing guided by our TRAIL threat model, we demonstrated how four prompt injection techniques could extract users’ private information from Gmail by exploiting the browser’s AI assistant. The vulnerabilities we found reflect how AI agents behave when [...]

The Payload Podcast #002 with Connor McGarr

on 20/02/2026

Intigriti Bug Bytes #233 - February 2026 🚀

by Ayoub on 20/02/2026

Hi hackers, Welcome to the latest edition of Bug Bytes! In this month’s issue, we’ll be featuring: How a read-only Kubernetes permission turned into full cluster takeover; AI agent autonomously finds a 1-click RCE; Race condition in blockchain infrastructure worth billions; Finding over 500 high-severity vulnerabilities with AI; Analyzing static code false-positive free; And so much more! Le [...]

Keeping Google Play & Android app ecosystems safe in 2025

on 19/02/2026

Posted by Vijaya Kaza, VP and GM, App & Ecosystem Trust The Android ecosystem is a thriving global community built on trust, giving billions of users the confidence to download the latest apps. In order to maintain that trust, we’re focused on ensuring that apps do not cause real-world harm, such as malware, financial fraud, hidden subscriptions, and privacy invasions. As bad actors leverage [...]

Russia is hacking zero-days again

on 19/02/2026

IoT Hacking Stream

on 19/02/2026

Splatoon 3 Anticheat Seed Randomization Weakness

on 19/02/2026

Nintendo disclosed a bug submitted by hana2736: https://hackerone.com/reports/3042475 [...]

Sources

The content of this page is fetched from the following sources:

  1. Datadog Security Labs
  2. The Trail of Bits Blog
  3. Schneier on Security
  4. Krebs on Security
  5. Google Online Security Blog
  6. $BLOG_TITLE
  7. Agarri : Sécurité informatique offensive
  8. Alex Chapman's Blog
  9. www.alphabot.com
  10. ziot
  11. Bug Bounty Reports Explained
  12. Bugcrowd
  13. cat ~/footstep.ninja/blog.txt
  14. Ezequiel Pereira
  15. HackerOne
  16. surajdisoja.me
  17. InsiderPhD
  18. Intigriti
  19. John Hammond
  20. LiveOverflow
  21. NahamSec
  22. PortSwigger Blog
  23. Rana Khalil
  24. Richard’s Infosec blog
  25. Ron Chan
  26. ropnop blog
  27. STÖK
  28. Sun Knudsen
  29. The Cyber Mentor
  30. The unofficial HackerOne disclosure timeline
  31. The XSS Rat
  32. TomNomNom
  33. Wallarm