InfoSec Planet
A collection of diverse security content from a curated list of sources. This website also serves as a demo for "worker-planet", the software that powers it.
Broad scope made simple #bugbounty #hacker #hack #hacking 101 on 18/09/2025
Timing Attack Vulnerability in curl Digest Authentication via Non-Constant-Time String Comparison on 18/09/2025
curl disclosed a bug submitted by frizo_05: https://hackerone.com/reports/3346118 [...]
Bitcoin Core vs Knots and why you should run a node on 18/09/2025
How to join the desync endgame: Practical tips from pentester Tom Stacey on 18/09/2025
Note: This is a guest post by pentester and researcher, Tom Stacey (@t0xodile). You'd think that after almost 21 years since its initial public discovery, HTTP Request Smuggling would be barely exploi [...]
Time-of-Check Time-of-Use Attacks Against LLMs on 18/09/2025
This is a nice piece of research: “Mind the Gap: Time-of-Check to Time-of-Use Vulnerabilities in LLM-Enabled Agents“.: Abstract: Large Language Model (LLM)-enabled agents are rapidly emerging across a wide range of applications, but their deployment introduces vulnerabilities with security implications. While prior work has examined prompt-based attacks (e.g., prompt injection) and dat [...]
Scaling API Security Without the Complexity: Lessons from Early Adopters by Tim Erlin on 18/09/2025
APIs are a blessing and a curse. They’re the backbone of the modern internet. They also expose complex behaviors that are often poorly documented, stitched together across legacy and cloud systems, and updated faster than security teams can review. Three key groups typically shoulder the burden of protecting them: DevOps teams are already racing to keep uptime high and deployme [...]
Use mutation testing to find the bugs your tests don't catch on 18/09/2025
Mutation testing reveals blind spots in test suites by systematically introducing bugs and checking if tests catch them. Blockchain developers should use mutation testing to measure the effectiveness of their test suites and find bugs that traditional testing can miss. [...]
Security Analysis Report: CURL Integer Overflow Vulnerability on 18/09/2025
curl disclosed a bug submitted by jfhgdsjkf: https://hackerone.com/reports/3344663 [...]
int overflow in krb5_read_data() leads to (possible) massive `recv()` write on 18/09/2025
curl disclosed a bug submitted by smiliesandco: https://hackerone.com/reports/3341476 [...]
Why can’t I find a #bugbounty I know how to #hack on 17/09/2025
Critical Information Disclosure via /talos/api/v1/files/upload on 17/09/2025
Bykea disclosed a bug submitted by sameer_ali: https://hackerone.com/reports/3228011 [...]
LIVE: SOC 201 Release | Incident Response | Threat Hunting | Cybersecurity on 17/09/2025
URL Scheme Validation Bypass in Shopify Mobile App Allows Javascript Execution on 17/09/2025
Shopify disclosed a bug submitted by fr4via: https://hackerone.com/reports/1737358 [...]
GraphQL Introspection Enabled on Shopify API Endpoint (Intended Behavior) on 17/09/2025
Shopify disclosed a bug submitted by ahmednasr1: https://hackerone.com/reports/2886723 [...]
4 Recon Sources That Always Get Me Results on 17/09/2025
MongoDB Query Logs & Schema Leak via Unauthenticated Endpoint on 17/09/2025
Bykea disclosed a bug submitted by sameer_ali: https://hackerone.com/reports/3249406 [...]
Hacking Electronic Safes on 17/09/2025
Vulnerabilities in electronic safes that use Securam Prologic locks: While both their techniques represent glaring security vulnerabilities, Omo says it’s the one that exploits a feature intended as a legitimate unlock method for locksmiths that’s the more widespread and dangerous. “This attack is something where, if you had a safe with this kind of lock, I could literally pull u [...]
#powershellscripting for hackers on 17/09/2025
Learn powershell with me! on 17/09/2025
How to do Knowledge retention with a full time job #hacker #hack #hacking 101 g on 16/09/2025
How to get started in bug bounties on 16/09/2025
Subdomain brute forcing #bugbounty #hacker #hack #hacking 101 on 16/09/2025
How to succeed in bug bounties on 16/09/2025
How do I pick a target on 16/09/2025
Enum before exploit on 16/09/2025
Hacking is not easy on 16/09/2025
Hacking a Vape Pen on 16/09/2025
Bugcrowd is the smarter choice on 16/09/2025
IAmJakoby - Built The Best Hacker Learning Tool Ever! on 16/09/2025
Self-Replicating Worm Hits 180+ Software Packages by BrianKrebs on 16/09/2025
At least 187 code packages made available through the JavaScript repository NPM have been infected with a self-replicating worm that steals credentials from developers and publishes those secrets on GitHub, experts warn. The malware, which briefly infected multiple code packages from the security vendor CrowdStrike, steals and publishes even more credentials every time an infected package is insta [...]
Microsoft Still Uses RC4 on 16/09/2025
Senator Ron Wyden has asked the Federal Trade Commission to investigate Microsoft over its continued use of the RC4 encryption algorithm. The letter talks about a hacker technique called Kerberoasting, that exploits the Kerberos authentication system. [...]
Fickling’s new AI/ML pickle file scanner on 16/09/2025
We’ve added a pickle file scanner to Fickling that uses an allowlist approach to protect AI/ML environments from malicious pickle files that could compromise models or infrastructure. [...]
Stack Buffer Overflow in cURL Cookie Parsing Leads to RCE on 16/09/2025
curl disclosed a bug submitted by batuhanilgarr: https://hackerone.com/reports/3340109 [...]
Supporting Rowhammer research to protect the DRAM ecosystem on 15/09/2025
Posted by Daniel MoghimiRowhammer is a complex class of vulnerabilities across the industry. It is a hardware vulnerability in DRAM where repeatedly accessing a row of memory can cause bit flips in adjacent rows, leading to data corruption. This can be exploited by attackers to gain unauthorized access to data, escalate privileges, or cause denial of service. Hardware vendors have deployed various [...]
SQL Injection when using FilteredRelation on 15/09/2025
Django disclosed a bug submitted by eyalsec: https://hackerone.com/reports/3292573 [...]
Guess who makes us the best? YOU DO 🧡 on 15/09/2025
Lawsuit About WhatsApp Security on 15/09/2025
Attaullah Baig, WhatsApp’s former head of security, has filed a whistleblower lawsuit alleging that Facebook deliberately failed to fix a bunch of security flaws, in violation of its 2019 settlement agreement with the Federal Trade Commission. The lawsuit, alleging violations of the whistleblower protection provision of the Sarbanes-Oxley Act passed in 2002, said that in 2022, roughly 100,00 [...]
Attack plans for targets on 15/09/2025
When do #bugbounty payouts happens 🤓#bugbounty on 14/09/2025
I like to compare #bugbounty to casinos 🎰 on 14/09/2025
Upcoming Speaking Engagements on 14/09/2025
This is a current list of where and when I am scheduled to speak: I’m speaking and signing books at the Cambridge Public Library on October 22, 2025 at 6 PM ET. The event is sponsored by Harvard Bookstore. I’m giving a virtual talk about my book Rewiring Democracy at 1 PM ET on October 23, 2025. The event is hosted by Data & Society. More details to come. I’m speaking at the World Forum for D [...]
Multiple Unsafe strcpy() Function Calls Leading to Potential Buffer Overflow Vulnerabilities in cURL 8.16.1-DEV on 14/09/2025
curl disclosed a bug submitted by anony_gaku: https://hackerone.com/reports/3337561 [...]
DOM XSS on www.omnipod.com/freedom/birthdate-confirmation and www.omnipod.com/pif/thanks-freedom on 13/09/2025
Insulet Corporation disclosed a bug submitted by mechatech84: https://hackerone.com/reports/1073725 [...]
Pivilege escalation of any new user to Keymaster caused by CSRF on 13/09/2025
WordPress disclosed a bug submitted by maxbr3n404: https://hackerone.com/reports/2999394 [...]
Assessing the Quality of Dried Squid on 12/09/2025
Research: Nondestructive detection of multiple dried squid qualities by hyperspectral imaging combined with 1D-KAN-CNN Abstract: Given that dried squid is a highly regarded marine product in Oriental countries, the global food industry requires a swift and noninvasive quality assessment of this product. The current study therefore uses visiblenear-infrared (VIS-NIR) hyperspectral imaging and deep [...]
A Cyberattack Victim Notification Framework on 12/09/2025
Interesting analysis: When cyber incidents occur, victims should be notified in a timely manner so they have the opportunity to assess and remediate any harm. However, providing notifications has proven a challenge across industry. When making notifications, companies often do not know the true identity of victims and may only have a single email address through which to provide the notification. [...]
Bjorn Scrap Battery Hack on 12/09/2025
LIVE: Web Hacking | Pentesting | AppSec | Cybersecurity | AMA on 12/09/2025
How this seasoned bug bounty hunter combines Burp Suite and HackerOne to uncover high-impact vulnerabilities on 12/09/2025
Arman S., a full-time independent security researcher and bug bounty hunter, talked us through how he uses Burp Suite Professional and HackerOne in tandem to find and report high-value security vulner [...]
SQL injection in JSONField KeyTransform on 12/09/2025
Django disclosed a bug submitted by eyalsec: https://hackerone.com/reports/2588426 [...]
Tips for Finding Your First CVE! on 11/09/2025
Bulletproof Host Stark Industries Evades EU Sanctions by BrianKrebs on 11/09/2025
In May 2025, the European Union levied financial sanctions on the owners of Stark Industries Solutions Ltd., a bulletproof hosting provider that materialized two weeks before Russia invaded Ukraine and quickly became a top source of Kremlin-linked cyberattacks and disinformation campaigns. But new findings show those sanctions have done little to stop Stark from simply rebranding and transferring [...]
TOCTOU Race Condition in HTTP/2 Connection Reuse Leads to Certificate Validation Bypass on 11/09/2025
curl disclosed a bug submitted by 0xrey: https://hackerone.com/reports/3335085 [...]
6.pdf on 11/09/2025
Inside Wallarm Security Edge: Instant Protection at the API Edge by Tim Erlin on 11/09/2025
APIs are now the beating heart of digital infrastructure. But as they have risen in importance, they’ve also become prime targets for attackers. Complex, often poorly understood API behaviors present rich opportunities for exploitation, and too often, security teams are left scrambling to protect critical infrastructure with outdated tools or cumbersome deployments. Wallarm’s Security Edge is [...]
Chained Broken Access Control in TikTok Live Backstage Enables Full Control of Public Leaderboard Activities on 11/09/2025
TikTok disclosed a bug submitted by eneri: https://hackerone.com/reports/3012526 [...]
Stored XSS on TikTok's backend leads to the leakage of highly sensitive administrator data (Cookies, API Keys, Internal Paths, Emails, phone numbers). on 11/09/2025
TikTok disclosed a bug submitted by ahmed_xyz: https://hackerone.com/reports/3037447 [...]
test livestream lololol on 10/09/2025
How Pixel and Android are bringing a new level of trust to your images with C2PA Content Credentials on 10/09/2025
Posted by Eric Lynch, Senior Product Manager, Android Security, and Sherif Hanna, Group Product Manager, Google C2PA Core At Made by Google 2025, we announced that the new Google Pixel 10 phones will support C2PA Content Credentials in Pixel Camera and Google Photos. This announcement represents a series of steps towards greater digital media transparency: The Pixel 10 lineup is the first t [...]
337k users and 1 employee leaked credentials on 10/09/2025
Khan Academy disclosed a bug submitted by meowsint: https://hackerone.com/reports/3250691 [...]
Every Hacker Needs These Linux Commands // Bug Bounty Edition on 10/09/2025
How Sui Move rethinks flash loan security on 10/09/2025
Sui’s Move language significantly improves flash loan security by replacing Solidity’s reliance on callbacks and runtime checks with a “hot potato” model that enforces repayment at the language level. This shift makes flash loan security a language guarantee rather than a developer responsibility. [...]
CVE-2025-9086: Out of bounds read for cookie path on 10/09/2025
curl disclosed a bug submitted by bigsleep: https://hackerone.com/reports/3294999 [...]
CVE-2025-10148: predictable WebSocket mask on 10/09/2025
curl disclosed a bug submitted by cruocco: https://hackerone.com/reports/3330839 [...]
How should I scope third-party assets in my bug bounty program? by Eleanor Barlow on 10/09/2025
You asked, and we answered. At Intigriti, we’ve been paying close attention to the questions most frequently asked by those with a bug bounty program in place. That’s why we’ve launched this blog series dedicated to answering the most frequently asked questions, diving into hot topics, and sharing practical and expert-backed strategies to help you maximize your bug bounty success. So far in this s [...]
Microsoft Patch Tuesday, September 2025 Edition by BrianKrebs on 09/09/2025
Microsoft Corp. today issued security updates to fix more than 80 vulnerabilities in its Windows operating systems and software. There are no known “zero-day” or actively exploited vulnerabilities in this month’s bundle from Redmond, which nevertheless includes patches for 13 flaws that earned Microsoft’s most-dire “critical” label. Meanwhile, both Apple and Goo [...]
Can AI Pass Security Exams? on 09/09/2025
Confirmed Security Misconfigurations on curl.se (BREACH, Missing Security Headers, ETag Info Disclosure) on 09/09/2025
curl disclosed a bug submitted by mohmed_shoukry: https://hackerone.com/reports/3331764 [...]
New Cryptanalysis of the Fiat-Shamir Protocol on 09/09/2025
A couple of months ago, a new paper demonstrated some new attacks against the Fiat-Shamir transformation. Quanta published a good article that explains the results. This is a pretty exciting paper from a theoretical perspective, but I don’t see it leading to any practical real-world cryptanalysis. The fact that there are some weird circumstances that result in Fiat-Shamir insecurities isn [...]
18 Popular Code Packages Hacked, Rigged to Steal Crypto by BrianKrebs on 08/09/2025
At least 18 popular JavaScript code packages that are collectively downloaded more than two billion times each week were briefly compromised with malicious software today, after a developer involved in maintaining the projects was phished. The attack appears to have been quickly contained and was narrowly focused on stealing cryptocurrency. But experts warn that a similar attack with a slightly mo [...]
LARGEST SUPPLY CHAIN HACK IN HISTORY ZOMG!!!!111 on 08/09/2025
Signed Copies of Rewiring Democracy on 08/09/2025
When I announced my latest book last week, I forgot to mention that you can pre-order a signed copy here. I will ship the books the week of 10/20, when it is published. [...]
AI in Government on 08/09/2025
Just a few months after Elon Musk’s retreat from his unofficial role leading the Department of Government Efficiency (DOGE), we have a clearer picture of his vision of government powered by artificial intelligence, and it has a lot more to do with consolidating power than benefitting the public. Even so, we must not lose sight of the fact that a different administration could wield the same [...]
The API Security Dilemma: Why Traditional Approaches Are Failing in the AI Era by Tim Erlin on 08/09/2025
Throughout the past few years, APIs have become the backbone of digital infrastructure. They enable software-to-software communication, improve integration and interoperability, support modular architecture, and more. But as API use has exploded, so has API traffic volume and complexity, making them increasingly difficult to secure. And the rise of AI agents and automation have complicat [...]
GOP Cries Censorship Over Spam Filters That Work by BrianKrebs on 06/09/2025
The chairman of the Federal Trade Commission (FTC) last week sent a letter to Google’s CEO demanding to know why Gmail was blocking messages from Republican senders while allegedly failing to block similar missives supporting Democrats. The letter followed media reports accusing Gmail of disproportionately flagging messages from the GOP fundraising platform WinRed and sending them to the spa [...]
Using Stacking to Find Malware on 05/09/2025
Just Hacking Training - Windows Malware Development on 05/09/2025
Safer cold storage on Ethereum on 05/09/2025
By using smart contract programmability, exchanges can build custody solutions that remain secure even when multisig keys are compromised. [...]
Session Persistence Designed to Keep Users Logged In Across Multiple Devices (Intended Behaviour) on 04/09/2025
Shopify disclosed a bug submitted by naveenventure: https://hackerone.com/reports/3161827 [...]
Dangers of Using AI Tools for Red Teaming on 04/09/2025
Watch the webinar: Scale secure coverage without scaling headcount on 04/09/2025
Application security teams are under pressure. With expanding application estates, growing API usage, and faster release cycles, many teams struggle to keep up. Backlogs grow, releases are delayed, an [...]
Top 5 Ways You Get Hacked on 04/09/2025
libcurl: Host-Only Cookies Leak to Alternate IPv4 Forms on 04/09/2025
curl disclosed a bug submitted by g3nj1z: https://hackerone.com/reports/3324901 [...]
Reflecting on Wallarm’s Journey: Growth, Resilience, and What Comes Next by Ivan Novikov on 04/09/2025
By Ivan Novikov and Stepan Ilyin When we started Wallarm, we focused on the APIs that power modern apps. We built an API-first platform, used AI from day one, and secured early patents in behavior-based detection and automated policy creation. The result: real-time, inline blocking with automatic API discovery that protects production, not just dashboards. Today’s investment isn’t only fuel [...]
Heap-buffer-overflow (Out-of-Bounds Read) in DoH hostname encoding on 04/09/2025
curl disclosed a bug submitted by reporascal_1: https://hackerone.com/reports/3324190 [...]
FREE Course Release! LIVE | AI Fundamentals | Q&A on 04/09/2025
Subverting code integrity checks to locally backdoor Signal, 1Password, Slack, and more on 04/09/2025
A vulnerability in Electron applications allows attackers to bypass code integrity checks by tampering with V8 heap snapshot files, enabling local backdoors in applications like Signal, 1Password, and Slack. [...]
it's just too easy on 03/09/2025
Why You Suck at Bug Bounty Hunting (And How To Fix It) on 03/09/2025
How to attract security researchers to test on my bug bounty program? by Eleanor Barlow on 03/09/2025
You asked, and we answered. At Intigriti, we’ve been paying close attention to the questions most frequently asked by those with a bug bounty program in place. That’s why we’ve launched this blog series dedicated to answering the most asked questions, diving into hot topics, and sharing practical and expert-backed strategies to help you maximize your bug bounty success. So far in this series, we h [...]
Business Logic Error Bypass of OTP Verification During Signup on hover.com on 02/09/2025
Tucows (VDP) disclosed a bug submitted by c0rvuz: https://hackerone.com/reports/3255473 [...]
Unauthenticated Sensitive Information Disclosure on CVE-2021-38314 on 02/09/2025
Mars disclosed a bug submitted by kuriyama: https://hackerone.com/reports/1452774 [...]
Bug Report #23JAN136 (subdomain takeover via shopify ) on 02/09/2025
Mars disclosed a bug submitted by kuriyama: https://hackerone.com/reports/1851895 [...]
Bug Report #23JAN135 (subdomain takeover via shopify ) on 02/09/2025
Mars disclosed a bug submitted by kuriyama: https://hackerone.com/reports/1851886 [...]
RXSS on stores on */visitorRegistration.pml via destination parameter on 02/09/2025
Mars disclosed a bug submitted by kuriyama: https://hackerone.com/reports/2189797 [...]
Order More Than Maximum Allowed Quantity on 02/09/2025
Mars disclosed a bug submitted by blackbird_azar: https://hackerone.com/reports/3185001 [...]
Account Takeover in Password Reset Function on 02/09/2025
Mars disclosed a bug submitted by egsec: https://hackerone.com/reports/3228888 [...]
Unauthorized Blogs Creation on 02/09/2025
Lichess disclosed a bug submitted by albetisi: https://hackerone.com/reports/2130385 [...]
Hacking plugin ecosystems: A complete guide by blackbird-eu on 02/09/2025
Add-on (or plugin) ecosystems unlock an entire new world of integration possibilities while also complementing the platform's extensibility to developers. However, in practice, finding the right balance between adding extensibility and maintaining security often proves to be difficult. The root cause stems from a lack of following security best practices. Proper isolation is, for instance, never f [...]