InfoSec Planet

A collection of diverse security content from a curated list of sources. This website also serves as a demo for "worker-planet", the software that powers it.

2025 Software Supply Chain Security Trends & Predictions: AI, Shadow Application Development and Nation State Attacks

by Aaron Bray on 20/11/2024

Roughly 30-50k software packages are published in the open-source ecosystem every day. So far this year, Phylum has found nearly 35,000 malicious packages, uncovering bad actors executing everything from typosquatting to dependency confusion to starjacking to Nation-State attacks. As current trends continue, the adoption of generative AI proliferates. We anticipate deregulation and new policies to [...]

See full content

LIVE: Hacking, AppSec and Cybersecurity | TryHackMe

on 20/11/2024

See full content

Leveling Up Fuzzing: Finding more vulnerabilities with AI

on 20/11/2024

Posted by Oliver Chang, Dongge Liu and Jonathan Metzman, Google Open Source Security TeamRecently, OSS-Fuzz reported 26 new vulnerabilities to open source project maintainers, including one vulnerability in the critical OpenSSL library (CVE-2024-9143) that underpins much of internet infrastructure. The reports themselves aren’t unusual—we’ve reported and helped maintainers fix over 11,000 vulnerab [...]

See full content

Steve Bellovin’s Retirement Talk

on 20/11/2024

Steve Bellovin is retiring. Here’s his retirement talk, reflecting on his career and what the cybersecurity field needs next. [...]

See full content

csrftoken not unique to session or specific user and csrfmiddlewaretoken can be altered

on 20/11/2024

Mozilla disclosed a bug submitted by bashbdeer: https://hackerone.com/reports/2513333 [...]

See full content

Reflected XSS in https://www.acronis.com/products/cyber-protect/trial/

on 20/11/2024

Acronis disclosed a bug submitted by tomblorg: https://hackerone.com/reports/1891926 - Bounty: $100 [...]

See full content

Api data leak

on 20/11/2024

Planet Labs disclosed a bug submitted by y0usef: https://hackerone.com/reports/1639011 [...]

See full content

Holiday Hack Challenge Game Modes

on 20/11/2024

See full content

How HackerOne Employees Stay Connected and Have Fun

by Marina Briones on 20/11/2024

See full content

Fintech Giant Finastra Investigating Data Breach

by BrianKrebs on 20/11/2024

The financial technology firm Finastra is investigating the alleged large-scale theft of information from its internal file transfer platform, KrebsOnSecurity has learned. Finastra, which provides software and services to 45 of the world’s top 50 banks, notified customers of the security incident after a cybercriminal began selling more than 400 gigabytes of data purportedly stolen from the [...]

See full content

A Phish All Along

on 20/11/2024

See full content

RXSS in via S parameter

on 19/11/2024

Mars disclosed a bug submitted by mo_salah12: https://hackerone.com/reports/2307913 [...]

See full content

sensitive data-creds for database - private key

on 19/11/2024

Mars disclosed a bug submitted by mo_salah12: https://hackerone.com/reports/2396630 [...]

See full content

CSRF in Delete Pet Function

on 19/11/2024

Mars disclosed a bug submitted by mo_salah12: https://hackerone.com/reports/2445106 [...]

See full content

Reflected XSS on formaction parameter

on 19/11/2024

Mars disclosed a bug submitted by e5p3ctr0x96: https://hackerone.com/reports/2089895 [...]

See full content

Broken Access Control Lesson Series - What is it? An introduction To Bug Bounty Piggy Bank - 4/4

on 19/11/2024

See full content

A potential risk in the cloudFrontExtensionsConsole which can be used to privilege escalation.

on 19/11/2024

AWS VDP disclosed a bug submitted by zolaer9527: https://hackerone.com/reports/2805173 [...]

See full content

Evaluating Solidity support in AI coding assistants

by Trail of Bits on 19/11/2024

By Artem Dinaburg AI-enabled code assistants (like GitHub’s Copilot, Continue.dev, and Tabby) are making software development faster and more productive. Unfortunately, these tools are often bad at Solidity. So we decided to improve them! To make it easier to write, edit, and understand Solidity with AI-enabled tools, we have: Added support for Solidity into Tabby and Continue.dev, two local, pri [...]

See full content

Why Italy Sells So Much Spyware

on 19/11/2024

Interesting analysis: Although much attention is given to sophisticated, zero-click spyware developed by companies like Israel’s NSO Group, the Italian spyware marketplace has been able to operate relatively under the radar by specializing in cheaper tools. According to an Italian Ministry of Justice document, as of December 2022 law enforcement in the country could rent spyware for €150 a day, re [...]

See full content

Holiday Hack Challenge Starts THIS November

on 19/11/2024

See full content

Hackerone supports accounts organitation takeover

on 19/11/2024

HackerOne disclosed a bug submitted by madara_: https://hackerone.com/reports/2798380 - Bounty: $2500 [...]

See full content

Heap-Buffer-Overread in contains_whitespace when calling parser_validate after supplying a maliciously crafted buffer to parser_parse

on 19/11/2024

Cosmos disclosed a bug submitted by l33thaxor: https://hackerone.com/reports/2806356 - Bounty: $2000 [...]

See full content

Phishing Email Telltale Indicators

on 19/11/2024

See full content

How REI Strengthens Security with HackerOne’s Global Security Researcher Community

by HackerOne on 19/11/2024

REI's senior application security engineer discusses their program success, evolving goals, and the value of the security researcher community. [...]

See full content

Most of 2023’s Top Exploited Vulnerabilities Were Zero-Days

on 18/11/2024

Zero-day vulnerabilities are more commonly used, according to the Five Eyes: Key Findings In 2023, malicious cyber actors exploited more zero-day vulnerabilities to compromise enterprise networks compared to 2022, allowing them to conduct cyber operations against higher-priority targets. In 2023, the majority of the most frequently exploited vulnerabilities were initially exploited as a zero-day, [...]

See full content

Share information of Tables app is not limited to affected users

on 18/11/2024

Nextcloud disclosed a bug submitted by cx75fa: https://hackerone.com/reports/2705507 [...]

See full content

5 Lessons That Made Me $1M Since 2022

on 18/11/2024

See full content

Taming API Sprawl: Best Practices for API Discovery and Management

by Alexey Novgorodov on 18/11/2024

APIs are the backbone of interconnected applications, enabling organizations to innovate, integrate, and scale rapidly. However, as enterprises continue to expand their digital ecosystems, they often encounter a common and complex challenge: API sprawl. Unchecked, API sprawl can lead to increased security risks, inefficient resource utilization, and the frustrating experience of redundant or hard [...]

See full content

Collaborative Hacking with HHC 2024

on 18/11/2024

See full content

One-Click Compromise

on 18/11/2024

See full content

Picking Locks Is A Sport - Lock Picking Biker

on 17/11/2024

See full content

Open redirect Via X-Forwarded-Host

on 17/11/2024

Omise disclosed a bug submitted by ndizon_: https://hackerone.com/reports/1479889 [...]

See full content

Nextcloud Tables app - inserting rows to an arbitrary table possible

on 17/11/2024

Nextcloud disclosed a bug submitted by tuyenee: https://hackerone.com/reports/2671404 [...]

See full content

A Holiday Hacking Dream

on 17/11/2024

See full content

LTT Account Takeover

on 17/11/2024

See full content

TCM Security 2024 Black Friday Cyber Monday Sale is Here!

on 16/11/2024

See full content

CVE-2017-9822 DotNetNuke Cookie Deserialization Remote Code Execution (RCE) on lonidoor.mtn.ci

on 16/11/2024

MTN Group disclosed a bug submitted by offensiveops: https://hackerone.com/reports/2762119 [...]

See full content

Broken Access Control Lesson Series - What is it? An introduction To Bug Bounty Piggy Bank - 3/4

on 16/11/2024

See full content

User can copy locked folders and gain access to the contents

on 16/11/2024

Nextcloud disclosed a bug submitted by maccs: https://hackerone.com/reports/2447316 - Bounty: $500 [...]

See full content

Holiday Hack Challenge 2024

on 16/11/2024

See full content

Fell For a Phish

on 16/11/2024

See full content

Friday Squid Blogging: Female Gonatus Onyx Squid Carrying Her Eggs

on 15/11/2024

Fantastic video of a female Gonatus onyx squid swimming while carrying her egg sack. An earlier related post. Blog moderation policy. [...]

See full content

Flexible Data Retrieval at Scale with HAQL

by Robert Coleman on 15/11/2024

HAQL: HackerOne's simplified query interface for writing performant aggregate queries on tables modeled purposefully for data analysis. [...]

See full content

Retrofitting spatial safety to hundreds of millions of lines of C++

on 15/11/2024

Posted by Alex Rebert and Max Shavrick, Security Foundations, and Kinuko Yasuda, Core Developer Attackers regularly exploit spatial memory safety vulnerabilities, which occur when code accesses a memory allocation outside of its intended bounds, to compromise systems and sensitive data. These vulnerabilities represent a major security risk to users.  Based on an analysis of in-the-wild [...]

See full content

AI in SecOps: How AI is Impacting Red and Blue Team Operations

by HackerOne on 15/11/2024

View survey results and analysis of how AI in SecOps is impacting red and blue team operations. [...]

See full content

Build Your Own Wi-Fi Hacking Tool (ESP32 Marauder)

on 15/11/2024

See full content

Open redirect when logging in with user_oidc

on 15/11/2024

Nextcloud disclosed a bug submitted by kesselb: https://hackerone.com/reports/2720030 [...]

See full content

World Building for SANS Holiday Hack Challenge

on 15/11/2024

See full content

Attachments folder for Text app is accessible on Files Drop/Password protected shares

on 15/11/2024

Nextcloud disclosed a bug submitted by lukasreschke: https://hackerone.com/reports/2376900 [...]

See full content

Mail auto configurator can be tricked into sending account information to wrong servers

on 15/11/2024

Nextcloud disclosed a bug submitted by shushangw: https://hackerone.com/reports/2508422 - Bounty: $100 [...]

See full content

Good Essay on the History of Bad Password Policies

on 15/11/2024

Stuart Schechter makes some good points on the history of bad password policies: Morris and Thompson’s work brought much-needed data to highlight a problem that lots of people suspected was bad, but that had not been studied scientifically. Their work was a big step forward, if not for two mistakes that would impede future progress in improving passwords for decades. First, was Morris and Th [...]

See full content

An Interview With the Target & Home Depot Hacker

by BrianKrebs on 15/11/2024

In December 2023, KrebsOnSecurity revealed the real-life identity of Rescator, the nickname used by a Russian cybercriminal who sold more than 100 million payment cards stolen from Target and Home Depot between 2013 and 2014. Moscow resident Mikhail Shefel, who confirmed using the Rescator identity in a recent interview, also admitted reaching out because he is broke and seeking publicity for seve [...]

See full content

Unauthenticated phpinfo()files could lead to ability file read at h3f6.n1.ips.mtn.co.ug

on 15/11/2024

MTN Group disclosed a bug submitted by offensiveops: https://hackerone.com/reports/2764952 [...]

See full content

Broken Access Control Lesson Series - What is it? An introduction To Bug Bounty Piggy Bank - 2/4

on 14/11/2024

See full content

Takeover of hackerone.engineering via Medium

on 14/11/2024

HackerOne disclosed a bug submitted by raditz: https://hackerone.com/reports/2709660 [...]

See full content

Cities Skylines II Malware [FULL REVERSE ENGINEERING ANALYSIS]

on 14/11/2024

See full content

Attestations: A new generation of signatures on PyPI

by William Woodruff on 14/11/2024

For the past year, we’ve worked with the Python Package Index (PyPI) on a new security feature for the Python ecosystem: index-hosted digital attestations, as specified in PEP 740. These attestations improve on traditional PGP signatures (which have been disabled on PyPI) by providing key usability, index verifiability, cryptographic strength, and provenance properties that bring us one step close [...]

See full content

New iOS Security Feature Makes It Harder for Police to Unlock Seized Phones

on 14/11/2024

Everybody is reporting about a new security iPhone security feature with iOS 18: if the phone hasn’t been used for a few days, it automatically goes into its “Before First Unlock” state and has to be rebooted. This is a really good security feature. But various police departments don’t like it, because it makes it harder for them to unlock suspects’ phones. [...]

See full content

HackerOne’s Fall Day of Service

by debbie@hackerone.com on 14/11/2024

See full content

How HackerOne Disproved an MFA Bypass With a Spot Check

by Ian Melven on 14/11/2024

Read how HackerOne's internal security team disproved an alleged MFA bypass with a targeted Spot Check. [...]

See full content

The 8th Annual Hacker-Powered Security Report: An overview

on 13/11/2024

See full content

LIVE: C2 Hacking | Cybersecurity | TryHackMe

on 13/11/2024

See full content

Can see phone numbers of others by providing mail address

on 13/11/2024

LinkedIn disclosed a bug submitted by sevada797: https://hackerone.com/reports/2534458 [...]

See full content

Safer with Google: New intelligent, real-time protections on Android to keep you safe

on 13/11/2024

Posted by Lyubov Farafonova, Product Manager and Steve Kafka, Group Product Manager, Android User safety is at the heart of everything we do at Google. Our mission to make technology helpful for everyone means building features that protect you while keeping your privacy top of mind. From Gmail’s defenses that stop more than 99.9% of spam, phishing and malware, to Google Messages’ advanced secur [...]

See full content

Your AppSec Journey Demystified: Driving Effective API Security with Wallarm and StackHawk

by Tim Erlin on 13/11/2024

There is no doubt that attackers have shifted their attention to APIs. Wallarm’s API ThreatStats research identifies that 70% of attacks now target APIs instead of Web Applications. While APIs have become the backbone of innovation and connectivity for businesses, they have also introduced a vast attack surface that’s challenging to defend with traditional methods alone. To address these unique A [...]

See full content

Availability Impact from Exploiting Project Name Vulnerabilities

on 13/11/2024

Doppler disclosed a bug submitted by mr_root_0101: https://hackerone.com/reports/2801036 - Bounty: $250 [...]

See full content

SaaS apps are vulnerable too!!! (ServiceNow Exploitation)

on 13/11/2024

See full content

IDOR in backup recovery functionality

on 13/11/2024

Acronis disclosed a bug submitted by theelgo64: https://hackerone.com/reports/1901713 [...]

See full content

Mapping License Plate Scanners in the US

on 13/11/2024

DeFlock is a crowd-sourced project to map license plate scanners. It only records the fixed scanners, of course. The mobile scanners on cars are not mapped. [...]

See full content

To succeed in bug bounty, be a specialist feat. Louis Nyffenegger #bugbounty #bugbountytips

on 13/11/2024

See full content

Killing Filecoin nodes

by Trail of Bits on 13/11/2024

By Simone Monica In January, we identified and reported a vulnerability in the Lotus and Venus clients of the Filecoin network that allowed an attacker to remotely crash a node and trigger a denial of service. This issue is caused by an incorrect validation of an index, resulting in an index out-of-range panic. The vulnerability demonstrates an insecure practice we often observe in our audits of b [...]

See full content

Microsoft Patch Tuesday, November 2024 Edition

by BrianKrebs on 12/11/2024

Microsoft today released updates to plug at least 89 security holes in its Windows operating systems and other software. November’s patch batch includes fixes for two zero-day vulnerabilities that are already being exploited by attackers, as well as two other flaws that were publicly disclosed prior to today. The zero-day flaw tracked as CVE-2024-49039 is a bug in the Windows Task Scheduler [...]

See full content

Let's Run Some Malware - Any.Run Demonstration

on 12/11/2024

See full content

Context is King: Using API Sessions for Security Context

by Tim Erlin on 12/11/2024

There’s no doubt that API security is a hot topic these days. The continued growth in API-related breaches and increase in publicized API vulnerabilities has pushed API security to the top of CISO’s lists. The tools in the market for API security still have room for improvement, of course. One of the challenges security practitioners face with APIs is understanding the context in which an attack [...]

See full content

Criminals Exploiting FBI Emergency Data Requests

on 12/11/2024

I’ve been writing about the problem with lawful-access backdoors in encryption for decades now: that as soon as you create a mechanism for law enforcement to bypass encryption, the bad guys will use it too. Turns out the same thing is true for non-technical backdoors: The advisory said that the cybercriminals were successful in masquerading as law enforcement by using compromised police acco [...]

See full content

A method for finding 0days feat. Louis Nyffenegger #bugbounty #bugbountytips #bugbountyhunter

on 12/11/2024

See full content

Join Me In My Bug Bounty Cyber Crusades!

on 11/11/2024

See full content

Afraid of heights

on 11/11/2024

See full content

Do This For Your First $100,000 in Bounties

on 11/11/2024

See full content

The Hidden Costs of API Breaches: Quantifying the Long-Term Business Impact

by Tim Erlin on 11/11/2024

API attacks can be costly. Really costly. Obvious financial impacts like legal fines, stolen finances, and incident response budgets can run into the hundreds of millions. However, other hidden costs often compound the issue, especially if you’re not expecting them.  This article will explore the obvious and hidden costs of API breaches, their long-term business impacts, and how you can c [...]

See full content

Most common websec problems specific to Ruby on Rails feat. Louis Nyffenegger #bugbounty #bugbountyt

on 11/11/2024

See full content

Broken Access Control Lesson Series - What is it? An introduction To Bug Bounty Piggy Bank - 1/4

on 10/11/2024

See full content

FBI: Spike in Hacked Police Emails, Fake Subpoenas

by BrianKrebs on 09/11/2024

The Federal Bureau of Investigation (FBI) is urging police departments and governments worldwide to beef up security around their email systems, citing a recent increase in cybercriminal services that use hacked police email accounts to send unauthorized subpoenas and customer data requests to U.S.-based technology companies. In an alert (PDF) published this week, the FBI said it has seen an upti [...]

See full content

I am missing bugs because of this #bugbounty #bugbountytips #bugbountyhunter

on 09/11/2024

See full content

Friday Squid Blogging: Squid-A-Rama in Des Moines

on 08/11/2024

Squid-A-Rama will be in Des Moines at the end of the month. Visitors will be able to dissect squid, explore fascinating facts about the species, and witness a live squid release conducted by local divers. How are they doing a live squid release? Simple: this is Des Moines, Washington; not Des Moines, Iowa. Blog moderation policy. [...]

See full content

Car Hacking: With or Without a Flipper Zero

on 08/11/2024

See full content

AI Industry is Trying to Subvert the Definition of “Open Source AI”

on 08/11/2024

The Open Source Initiative has published (news article here) its definition of “open source AI,” and it’s terrible. It allows for secret training data and mechanisms. It allows for development to be done in secret. Since for a neural network, the training data is the source code—it’s how the model gets programmed—the definition makes no sense. And it’s con [...]

See full content

Leakage of traffic in plaintext towards the IP address of VPN server

on 08/11/2024

Mozilla disclosed a bug submitted by vanhoefm: https://hackerone.com/reports/1987687 [...]

See full content

Leaking VPN traffic through non-RFC1918 local IP addresses

on 08/11/2024

Mozilla disclosed a bug submitted by vanhoefm: https://hackerone.com/reports/1987680 [...]

See full content

A common problem people make when learning websec feat. Louis Nyffenegger #bugbounty #bugbountytips

on 08/11/2024

See full content

A beginner's roadmap for playing CTFs: 10 practical tips for beginners

by novasecio on 08/11/2024

Capture The Flag (CTF) challenges are fun to play, form a powerful training ground and help drastically develop your hacking skills. CTF competitions come in many forms, from malware analysis to web vulnerability challenges. Some CTF events also provide the winners with cash rewards (bounties), exclusive and limited-edition prizes (such as swag), and even job offers! However, t… [...]

See full content

Buffer overflow in strcpy

on 07/11/2024

curl disclosed a bug submitted by rootgh0st: https://hackerone.com/reports/2823554 [...]

See full content

That’s why most people are bad at code review feat. Louis Nyffenegger #bugbounty #bugbountytips

on 07/11/2024

See full content

AI-Powered APIs: Expanding Capabilities and Attack Surfaces

by Ivan Novikov on 07/11/2024

AI and APIs have a symbiotic relationship. APIs power AI by providing the necessary data and functionality, while AI enhances API security through advanced threat detection and automated responses. In 2023, 83% of Internet traffic traveled through APIs, but there was a 21% increase in API-related vulnerabilities in Q3 2024, severely impacting AI. The relationship between AI and APIs expands capab [...]

See full content

Game Hacking 102: Pwn Adventure 3

on 07/11/2024

See full content

Unlocking Engagement with Employee Feedback

by Pamela Greenberg on 06/11/2024

See full content

A potential risk in the experimental-programmatic-access-ccft which can be used to privilege escalation.

on 06/11/2024

AWS VDP disclosed a bug submitted by zolaer9527: https://hackerone.com/reports/2808412 [...]

See full content

LIVE: Ransomware Memory Forensics | Cybersecurity | Blue Team

on 06/11/2024

See full content

How an Improper Access Control Vulnerability Led to Account Theft in One Click

by Sandeep Singh on 06/11/2024

Improper access control is the #3 most common security vulnerability. Learn what improper access control is, its impacts, and how to prevent it. [...]

See full content

How not to get stuck when learning web security? Louis Nyffenegger from PentesterLab

on 06/11/2024

See full content

Sources

The content of this page is fetched from the following sources:

  1. Datadog Security Labs
  2. Trail of Bits Blog
  3. Phylum Research | Software Supply Chain Security
  4. Schneier on Security
  5. Krebs on Security
  6. Google Online Security Blog
  7. $BLOG_TITLE
  8. Agarri : Sécurité informatique offensive
  9. Alex Chapman's Blog
  10. www.alphabot.com
  11. victoria.dev
  12. Brett Buerhaus
  13. Bug Bounty Reports Explained
  14. Bugcrowd
  15. cat ~/footstep.ninja/blog.txt
  16. Ezequiel Pereira
  17. HackerOne
  18. HackerOne
  19. surajdisoja.me
  20. InsiderPhD
  21. Intigriti
  22. John Hammond
  23. LiveOverflow
  24. NahamSec
  25. PortSwigger Blog
  26. Rana Khalil
  27. Richard’s Infosec blog
  28. Ron Chan
  29. ropnop blog
  30. STÖK
  31. Sun Knudsen
  32. The Cyber Mentor
  33. The unofficial HackerOne disclosure timeline
  34. The XSS rat
  35. TomNomNom
  36. Wallarm