InfoSec Planet
A collection of diverse security content from a curated list of sources. This website also serves as a demo for "worker-planet", the software that powers it.
2025 Software Supply Chain Security Trends & Predictions: AI, Shadow Application Development and Nation State Attacks
by Aaron Bray on 20/11/2024
Roughly 30-50k software packages are published in the open-source ecosystem every day. So far this year, Phylum has found nearly 35,000 malicious packages, uncovering bad actors executing everything from typosquatting to dependency confusion to starjacking to Nation-State attacks. As current trends continue, the adoption of generative AI proliferates. We anticipate deregulation and new policies to [...]
See full content
LIVE: Hacking, AppSec and Cybersecurity | TryHackMe
on 20/11/2024
See full content
Leveling Up Fuzzing: Finding more vulnerabilities with AI
on 20/11/2024
Posted by Oliver Chang, Dongge Liu and Jonathan Metzman, Google Open Source Security Team
Recently, OSS-Fuzz reported 26 new vulnerabilities to open source project maintainers, including one vulnerability in the critical OpenSSL library (CVE-2024-9143) that underpins much of internet infrastructure. The reports themselves aren’t unusual—we’ve reported and helped maintainers fix over 11,000 vulnerab [...]
See full content
Steve Bellovin’s Retirement Talk
on 20/11/2024
Steve Bellovin is retiring. Here’s his retirement talk, reflecting on his career and what the cybersecurity field needs next.
[...]
See full content
csrftoken not unique to session or specific user and csrfmiddlewaretoken can be altered
on 20/11/2024
Mozilla disclosed a bug submitted by bashbdeer: https://hackerone.com/reports/2513333 [...]
See full content
Reflected XSS in https://www.acronis.com/products/cyber-protect/trial/
on 20/11/2024
Acronis disclosed a bug submitted by tomblorg: https://hackerone.com/reports/1891926 - Bounty: $100 [...]
See full content
API data leak
on 20/11/2024
Planet Labs disclosed a bug submitted by y0usef: https://hackerone.com/reports/1639011 [...]
See full content
Holiday Hack Challenge Game Modes
on 20/11/2024
See full content
How HackerOne Employees Stay Connected and Have Fun
by Marina Briones on 20/11/2024
See full content
Fintech Giant Finastra Investigating Data Breach
by BrianKrebs on 20/11/2024
The financial technology firm Finastra is investigating the alleged large-scale theft of information from its internal file transfer platform, KrebsOnSecurity has learned. Finastra, which provides software and services to 45 of the world’s top 50 banks, notified customers of the security incident after a cybercriminal began selling more than 400 gigabytes of data purportedly stolen from the [...]
See full content
A Phish All Along
on 20/11/2024
See full content
RXSS in via S parameter
on 19/11/2024
Mars disclosed a bug submitted by mo_salah12: https://hackerone.com/reports/2307913 [...]
See full content
Sensitive data - creds for database - private key
on 19/11/2024
Mars disclosed a bug submitted by mo_salah12: https://hackerone.com/reports/2396630 [...]
See full content
CSRF in Delete Pet Function
on 19/11/2024
Mars disclosed a bug submitted by mo_salah12: https://hackerone.com/reports/2445106 [...]
See full content
Reflected XSS on formaction parameter
on 19/11/2024
Mars disclosed a bug submitted by e5p3ctr0x96: https://hackerone.com/reports/2089895 [...]
See full content
Broken Access Control Lesson Series - What is it? An introduction To Bug Bounty Piggy Bank - 4/4
on 19/11/2024
See full content
A potential risk in the cloudFrontExtensionsConsole which can be used for privilege escalation.
on 19/11/2024
AWS VDP disclosed a bug submitted by zolaer9527: https://hackerone.com/reports/2805173 [...]
See full content
Evaluating Solidity support in AI coding assistants
by Trail of Bits on 19/11/2024
By Artem Dinaburg
AI-enabled code assistants (like GitHub’s Copilot, Continue.dev, and Tabby) are making software development faster and more productive. Unfortunately, these tools are often bad at Solidity. So we decided to improve them!
To make it easier to write, edit, and understand Solidity with AI-enabled tools, we have:
Added support for Solidity into Tabby and Continue.dev, two local, pri [...]
See full content
Why Italy Sells So Much Spyware
on 19/11/2024
Interesting analysis:
Although much attention is given to sophisticated, zero-click spyware developed by companies like Israel’s NSO Group, the Italian spyware marketplace has been able to operate relatively under the radar by specializing in cheaper tools. According to an Italian Ministry of Justice document, as of December 2022 law enforcement in the country could rent spyware for €150 a day, re [...]
See full content
Holiday Hack Challenge Starts THIS November
on 19/11/2024
See full content
HackerOne supports accounts organization takeover
on 19/11/2024
HackerOne disclosed a bug submitted by madara_: https://hackerone.com/reports/2798380 - Bounty: $2500 [...]
See full content
Heap-Buffer-Overread in contains_whitespace when calling parser_validate after supplying a maliciously crafted buffer to parser_parse
on 19/11/2024
Cosmos disclosed a bug submitted by l33thaxor: https://hackerone.com/reports/2806356 - Bounty: $2000 [...]
See full content
Phishing Email Telltale Indicators
on 19/11/2024
See full content
How REI Strengthens Security with HackerOne’s Global Security Researcher Community
by HackerOne on 19/11/2024
REI's senior application security engineer discusses their program success, evolving goals, and the value of the security researcher community. [...]
See full content
Most of 2023’s Top Exploited Vulnerabilities Were Zero-Days
on 18/11/2024
Zero-day vulnerabilities are more commonly used, according to the Five Eyes:
Key Findings
In 2023, malicious cyber actors exploited more zero-day vulnerabilities to compromise enterprise networks compared to 2022, allowing them to conduct cyber operations against higher-priority targets. In 2023, the majority of the most frequently exploited vulnerabilities were initially exploited as a zero-day, [...]
See full content
Share information of Tables app is not limited to affected users
on 18/11/2024
Nextcloud disclosed a bug submitted by cx75fa: https://hackerone.com/reports/2705507 [...]
See full content
5 Lessons That Made Me $1M Since 2022
on 18/11/2024
See full content
Taming API Sprawl: Best Practices for API Discovery and Management
by Alexey Novgorodov on 18/11/2024
APIs are the backbone of interconnected applications, enabling organizations to innovate, integrate, and scale rapidly. However, as enterprises continue to expand their digital ecosystems, they often encounter a common and complex challenge: API sprawl. Unchecked, API sprawl can lead to increased security risks, inefficient resource utilization, and the frustrating experience of redundant or hard [...]
See full content
Collaborative Hacking with HHC 2024
on 18/11/2024
See full content
One-Click Compromise
on 18/11/2024
See full content
Picking Locks Is A Sport - Lock Picking Biker
on 17/11/2024
See full content
Open redirect Via X-Forwarded-Host
on 17/11/2024
Omise disclosed a bug submitted by ndizon_: https://hackerone.com/reports/1479889 [...]
See full content
Nextcloud Tables app - inserting rows to an arbitrary table possible
on 17/11/2024
Nextcloud disclosed a bug submitted by tuyenee: https://hackerone.com/reports/2671404 [...]
See full content
A Holiday Hacking Dream
on 17/11/2024
See full content
LTT Account Takeover
on 17/11/2024
See full content
TCM Security 2024 Black Friday Cyber Monday Sale is Here!
on 16/11/2024
See full content
CVE-2017-9822 DotNetNuke Cookie Deserialization Remote Code Execution (RCE) on lonidoor.mtn.ci
on 16/11/2024
MTN Group disclosed a bug submitted by offensiveops: https://hackerone.com/reports/2762119 [...]
See full content
Broken Access Control Lesson Series - What is it? An introduction To Bug Bounty Piggy Bank - 3/4
on 16/11/2024
See full content
User can copy locked folders and gain access to the contents
on 16/11/2024
Nextcloud disclosed a bug submitted by maccs: https://hackerone.com/reports/2447316 - Bounty: $500 [...]
See full content
Holiday Hack Challenge 2024
on 16/11/2024
See full content
Fell For a Phish
on 16/11/2024
See full content
Friday Squid Blogging: Female Gonatus Onyx Squid Carrying Her Eggs
on 15/11/2024
Fantastic video of a female Gonatus onyx squid swimming while carrying her egg sac.
An earlier related post.
Blog moderation policy.
[...]
See full content
Flexible Data Retrieval at Scale with HAQL
by Robert Coleman on 15/11/2024
HAQL: HackerOne's simplified query interface for writing performant aggregate queries on tables modeled purposefully for data analysis. [...]
See full content
Retrofitting spatial safety to hundreds of millions of lines of C++
on 15/11/2024
Posted by Alex Rebert and Max Shavrick, Security Foundations, and Kinuko Yasuda, Core Developer
Attackers regularly exploit spatial memory safety vulnerabilities, which occur when code accesses a memory allocation outside of its intended bounds, to compromise systems and sensitive data. These vulnerabilities represent a major security risk to users.
Based on an analysis of in-the-wild [...]
See full content
AI in SecOps: How AI is Impacting Red and Blue Team Operations
by HackerOne on 15/11/2024
View survey results and analysis of how AI in SecOps is impacting red and blue team operations. [...]
See full content
Build Your Own Wi-Fi Hacking Tool (ESP32 Marauder)
on 15/11/2024
See full content
Open redirect when logging in with user_oidc
on 15/11/2024
Nextcloud disclosed a bug submitted by kesselb: https://hackerone.com/reports/2720030 [...]
See full content
World Building for SANS Holiday Hack Challenge
on 15/11/2024
See full content
Attachments folder for Text app is accessible on Files Drop/Password protected shares
on 15/11/2024
Nextcloud disclosed a bug submitted by lukasreschke: https://hackerone.com/reports/2376900 [...]
See full content
Mail auto configurator can be tricked into sending account information to wrong servers
on 15/11/2024
Nextcloud disclosed a bug submitted by shushangw: https://hackerone.com/reports/2508422 - Bounty: $100 [...]
See full content
Good Essay on the History of Bad Password Policies
on 15/11/2024
Stuart Schechter makes some good points on the history of bad password policies:
Morris and Thompson’s work brought much-needed data to highlight a problem that lots of people suspected was bad, but that had not been studied scientifically. Their work was a big step forward, if not for two mistakes that would impede future progress in improving passwords for decades.
First, was Morris and Th [...]
See full content
An Interview With the Target & Home Depot Hacker
by BrianKrebs on 15/11/2024
In December 2023, KrebsOnSecurity revealed the real-life identity of Rescator, the nickname used by a Russian cybercriminal who sold more than 100 million payment cards stolen from Target and Home Depot between 2013 and 2014. Moscow resident Mikhail Shefel, who confirmed using the Rescator identity in a recent interview, also admitted reaching out because he is broke and seeking publicity for seve [...]
See full content
Unauthenticated phpinfo() files could lead to file read at h3f6.n1.ips.mtn.co.ug
on 15/11/2024
MTN Group disclosed a bug submitted by offensiveops: https://hackerone.com/reports/2764952 [...]
See full content
Broken Access Control Lesson Series - What is it? An introduction To Bug Bounty Piggy Bank - 2/4
on 14/11/2024
See full content
Takeover of hackerone.engineering via Medium
on 14/11/2024
HackerOne disclosed a bug submitted by raditz: https://hackerone.com/reports/2709660 [...]
See full content
Cities Skylines II Malware [FULL REVERSE ENGINEERING ANALYSIS]
on 14/11/2024
See full content
Attestations: A new generation of signatures on PyPI
by William Woodruff on 14/11/2024
For the past year, we’ve worked with the Python Package Index (PyPI) on a new security feature for the Python ecosystem: index-hosted digital attestations, as specified in PEP 740.
These attestations improve on traditional PGP signatures (which have been disabled on PyPI) by providing key usability, index verifiability, cryptographic strength, and provenance properties that bring us one step close [...]
See full content
New iOS Security Feature Makes It Harder for Police to Unlock Seized Phones
on 14/11/2024
Everybody is reporting about a new iPhone security feature with iOS 18: if the phone hasn’t been used for a few days, it automatically goes into its “Before First Unlock” state and has to be rebooted.
This is a really good security feature. But various police departments don’t like it, because it makes it harder for them to unlock suspects’ phones.
[...]
See full content
HackerOne’s Fall Day of Service
by debbie@hackerone.com on 14/11/2024
See full content
How HackerOne Disproved an MFA Bypass With a Spot Check
by Ian Melven on 14/11/2024
Read how HackerOne's internal security team disproved an alleged MFA bypass with a targeted Spot Check. [...]
See full content
The 8th Annual Hacker-Powered Security Report: An overview
on 13/11/2024
See full content
LIVE: C2 Hacking | Cybersecurity | TryHackMe
on 13/11/2024
See full content
Can see phone numbers of others by providing mail address
on 13/11/2024
LinkedIn disclosed a bug submitted by sevada797: https://hackerone.com/reports/2534458 [...]
See full content
Safer with Google: New intelligent, real-time protections on Android to keep you safe
on 13/11/2024
Posted by Lyubov Farafonova, Product Manager and Steve Kafka, Group Product Manager, Android
User safety is at the heart of everything we do at Google. Our mission to make technology helpful for everyone means building features that protect you while keeping your privacy top of mind. From Gmail’s defenses that stop more than 99.9% of spam, phishing and malware, to Google Messages’ advanced secur [...]
See full content
Your AppSec Journey Demystified: Driving Effective API Security with Wallarm and StackHawk
by Tim Erlin on 13/11/2024
There is no doubt that attackers have shifted their attention to APIs. Wallarm’s API ThreatStats research identifies that 70% of attacks now target APIs instead of Web Applications. While APIs have become the backbone of innovation and connectivity for businesses, they have also introduced a vast attack surface that’s challenging to defend with traditional methods alone. To address these unique A [...]
See full content
Availability Impact from Exploiting Project Name Vulnerabilities
on 13/11/2024
Doppler disclosed a bug submitted by mr_root_0101: https://hackerone.com/reports/2801036 - Bounty: $250 [...]
See full content
SaaS apps are vulnerable too!!! (ServiceNow Exploitation)
on 13/11/2024
See full content
IDOR in backup recovery functionality
on 13/11/2024
Acronis disclosed a bug submitted by theelgo64: https://hackerone.com/reports/1901713 [...]
See full content
Mapping License Plate Scanners in the US
on 13/11/2024
DeFlock is a crowd-sourced project to map license plate scanners.
It only records the fixed scanners, of course. The mobile scanners on cars are not mapped.
[...]
See full content
To succeed in bug bounty, be a specialist feat. Louis Nyffenegger #bugbounty #bugbountytips
on 13/11/2024
See full content
Killing Filecoin nodes
by Trail of Bits on 13/11/2024
By Simone Monica
In January, we identified and reported a vulnerability in the Lotus and Venus clients of the Filecoin network that allowed an attacker to remotely crash a node and trigger a denial of service. This issue is caused by an incorrect validation of an index, resulting in an index out-of-range panic.
The vulnerability demonstrates an insecure practice we often observe in our audits of b [...]
See full content
Microsoft Patch Tuesday, November 2024 Edition
by BrianKrebs on 12/11/2024
Microsoft today released updates to plug at least 89 security holes in its Windows operating systems and other software. November’s patch batch includes fixes for two zero-day vulnerabilities that are already being exploited by attackers, as well as two other flaws that were publicly disclosed prior to today.
The zero-day flaw tracked as CVE-2024-49039 is a bug in the Windows Task Scheduler [...]
See full content
Let's Run Some Malware - Any.Run Demonstration
on 12/11/2024
See full content
Context is King: Using API Sessions for Security Context
by Tim Erlin on 12/11/2024
There’s no doubt that API security is a hot topic these days. The continued growth in API-related breaches and increase in publicized API vulnerabilities has pushed API security to the top of CISO’s lists. The tools in the market for API security still have room for improvement, of course. One of the challenges security practitioners face with APIs is understanding the context in which an attack [...]
See full content
Criminals Exploiting FBI Emergency Data Requests
on 12/11/2024
I’ve been writing about the problem with lawful-access backdoors in encryption for decades now: that as soon as you create a mechanism for law enforcement to bypass encryption, the bad guys will use it too.
Turns out the same thing is true for non-technical backdoors:
The advisory said that the cybercriminals were successful in masquerading as law enforcement by using compromised police acco [...]
See full content
A method for finding 0days feat. Louis Nyffenegger #bugbounty #bugbountytips #bugbountyhunter
on 12/11/2024
See full content
Join Me In My Bug Bounty Cyber Crusades!
on 11/11/2024
See full content
Afraid of heights
on 11/11/2024
See full content
Do This For Your First $100,000 in Bounties
on 11/11/2024
See full content
The Hidden Costs of API Breaches: Quantifying the Long-Term Business Impact
by Tim Erlin on 11/11/2024
API attacks can be costly. Really costly. Obvious financial impacts like legal fines, stolen finances, and incident response budgets can run into the hundreds of millions. However, other hidden costs often compound the issue, especially if you’re not expecting them.
This article will explore the obvious and hidden costs of API breaches, their long-term business impacts, and how you can c [...]
See full content
Most common websec problems specific to Ruby on Rails feat. Louis Nyffenegger #bugbounty #bugbountyt
on 11/11/2024
See full content
Broken Access Control Lesson Series - What is it? An introduction To Bug Bounty Piggy Bank - 1/4
on 10/11/2024
See full content
FBI: Spike in Hacked Police Emails, Fake Subpoenas
by BrianKrebs on 09/11/2024
The Federal Bureau of Investigation (FBI) is urging police departments and governments worldwide to beef up security around their email systems, citing a recent increase in cybercriminal services that use hacked police email accounts to send unauthorized subpoenas and customer data requests to U.S.-based technology companies.
In an alert (PDF) published this week, the FBI said it has seen an upti [...]
See full content
I am missing bugs because of this #bugbounty #bugbountytips #bugbountyhunter
on 09/11/2024
See full content
Friday Squid Blogging: Squid-A-Rama in Des Moines
on 08/11/2024
Squid-A-Rama will be in Des Moines at the end of the month.
Visitors will be able to dissect squid, explore fascinating facts about the species, and witness a live squid release conducted by local divers.
How are they doing a live squid release? Simple: this is Des Moines, Washington; not Des Moines, Iowa.
Blog moderation policy.
[...]
See full content
Car Hacking: With or Without a Flipper Zero
on 08/11/2024
See full content
AI Industry is Trying to Subvert the Definition of “Open Source AI”
on 08/11/2024
The Open Source Initiative has published (news article here) its definition of “open source AI,” and it’s terrible. It allows for secret training data and mechanisms. It allows for development to be done in secret. Since for a neural network, the training data is the source code—it’s how the model gets programmed—the definition makes no sense.
And it’s con [...]
See full content
Leakage of traffic in plaintext towards the IP address of VPN server
on 08/11/2024
Mozilla disclosed a bug submitted by vanhoefm: https://hackerone.com/reports/1987687 [...]
See full content
Leaking VPN traffic through non-RFC1918 local IP addresses
on 08/11/2024
Mozilla disclosed a bug submitted by vanhoefm: https://hackerone.com/reports/1987680 [...]
See full content
A common problem people make when learning websec feat. Louis Nyffenegger #bugbounty #bugbountytips
on 08/11/2024
See full content
A beginner's roadmap for playing CTFs: 10 practical tips for beginners
by novasecio on 08/11/2024
Capture The Flag (CTF) challenges are fun to play, form a powerful training ground and help drastically develop your hacking skills. CTF competitions come in many forms, from malware analysis to web vulnerability challenges. Some CTF events also provide the winners with cash rewards (bounties), exclusive and limited-edition prizes (such as swag), and even job offers!
However, t… [...]
See full content
Buffer overflow in strcpy
on 07/11/2024
curl disclosed a bug submitted by rootgh0st: https://hackerone.com/reports/2823554 [...]
See full content
That’s why most people are bad at code review feat. Louis Nyffenegger #bugbounty #bugbountytips
on 07/11/2024
See full content
AI-Powered APIs: Expanding Capabilities and Attack Surfaces
by Ivan Novikov on 07/11/2024
AI and APIs have a symbiotic relationship. APIs power AI by providing the necessary data and functionality, while AI enhances API security through advanced threat detection and automated responses. In 2023, 83% of Internet traffic traveled through APIs, but there was a 21% increase in API-related vulnerabilities in Q3 2024, severely impacting AI. The relationship between AI and APIs expands capab [...]
See full content
Game Hacking 102: Pwn Adventure 3
on 07/11/2024
See full content
Unlocking Engagement with Employee Feedback
by Pamela Greenberg on 06/11/2024
See full content
A potential risk in the experimental-programmatic-access-ccft which can be used for privilege escalation.
on 06/11/2024
AWS VDP disclosed a bug submitted by zolaer9527: https://hackerone.com/reports/2808412 [...]
See full content
LIVE: Ransomware Memory Forensics | Cybersecurity | Blue Team
on 06/11/2024
See full content
How an Improper Access Control Vulnerability Led to Account Theft in One Click
by Sandeep Singh on 06/11/2024
Improper access control is the #3 most common security vulnerability. Learn what improper access control is, its impacts, and how to prevent it. [...]
See full content
How not to get stuck when learning web security? Louis Nyffenegger from PentesterLab
on 06/11/2024
See full content