InfoSec Planet

A collection of diverse security content from a curated list of sources. This website also serves as a demo for "worker-planet", the software that powers it.

How Each Pillar of the 1st Amendment is Under Attack

by BrianKrebs on 31/03/2025

“Congress shall make no law respecting an establishment of religion, or prohibiting the free exercise thereof; or abridging the freedom of speech, or of the press; or the right of the people peaceably to assemble, and to petition the Government for a redress of grievances.” -U.S. Constitution, First Amendment. Image: Shutterstock, zimmytws. In an address to Congress this month, Preside [...]

See full content

Friday Squid Blogging: Squid Werewolf Hacking Group

on 28/03/2025

In another rare squid/cybersecurity intersection, APT37 is also known as “Squid Werewolf.” As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered. [...]

See full content

The Most Common Mistakes New SOC Analysts Make

on 28/03/2025

See full content

we're hosting a conference

on 28/03/2025

See full content

No rate limiting on form[register]

on 28/03/2025

Informatica disclosed a bug submitted by growler09: https://hackerone.com/reports/2583500 [...]

See full content

AIs as Trusted Third Parties

on 28/03/2025

This is a truly fascinating paper: “Trusted Machine Learning Models Unlock Private Inference for Problems Currently Infeasible with Cryptography.” The basic idea is that AIs can act as trusted third parties: Abstract: We often interact with untrusted parties. Prioritization of privacy can limit the effectiveness of these interactions, as achieving certain goals necessitates sharing pr [...]

See full content

Understanding CVE-2025-29927: The Next.js Middleware Authorization Bypass Vulnerability

on 28/03/2025

Learn how the Next.js middleware authorization bypass vulnerability works, and how to detect and remediate it. [...]

See full content

Get Faster on the Linux Terminal with zoxide!

on 27/03/2025

See full content

New security requirements adopted by HTTPS certificate industry

on 27/03/2025

Posted by Chrome Root Program, Chrome Security Team. The Chrome Root Program launched in 2022 as part of Google’s ongoing commitment to upholding secure and reliable network connections in Chrome. We previously described how the Chrome Root Program keeps users safe, and described how the program is focused on promoting technologies and practices that strengthen the underlying security assurances [...]

See full content

Cloudflare WAF Bypass - Origin IP Exposure

on 27/03/2025

Hemi VDP disclosed a bug submitted by aaravhex: https://hackerone.com/reports/2991326 [...]

See full content

When Getting Phished Puts You in Mortal Danger

by BrianKrebs on 27/03/2025

Many successful phishing attacks result in a financial loss or malware infection. But falling for some phishing scams, like those currently targeting Russians searching online for organizations that are fighting the Kremlin war machine, can cost you your freedom or your life. The real website of the Ukrainian paramilitary group “Freedom of Russia” legion. The text has been machine-tran [...]

See full content

HTTP Response Header Injection in shopify/pitchfork + Rack 3

on 27/03/2025

Shopify disclosed a bug submitted by ooooooo_q: https://hackerone.com/reports/2279572 - Bounty: $800 [...]

See full content

A Taxonomy of Adversarial Machine Learning Attacks and Mitigations

on 27/03/2025

NIST just released a comprehensive taxonomy of adversarial machine learning attacks and countermeasures. [...]

See full content

LIVE: WordPress Intrusion | Cybersecurity | Blue Team | AMA

on 27/03/2025

See full content

Titan Security Keys now available in more countries

on 26/03/2025

Posted by Christiaan Brand, Group Product Manager. We’re excited to announce that starting today, Titan Security Keys are available for purchase in more than 10 new countries: Ireland, Portugal, The Netherlands, Denmark, Norway, Sweden, Finland, Australia, New Zealand, Singapore, Puerto Rico. This expansion means Titan Security Keys are now available in 22 markets, including previously announced countries like Austria, Be [...]

See full content

this MP3 file is malware

on 26/03/2025

See full content

AI Agents and API Security: The Hidden Risks Lurking in Your Business Logic

by Sergei Lega on 26/03/2025

Modern organizations are becoming increasingly reliant on agentic AI, and for good reason: AI agents can dramatically improve efficiency and automate mission-critical functions like customer support, sales, operations, and even security. However, this deep integration into business processes introduces risks that, without proper API security, can compromise sensitive data and decision-making.  [...]

See full content

AI Data Poisoning

on 26/03/2025

Cloudflare has a new feature—available to free users as well—that uses AI to generate random pages to feed to AI web crawlers: Instead of simply blocking bots, Cloudflare’s new system lures them into a “maze” of realistic-looking but irrelevant pages, wasting the crawler’s computing resources. The approach is a notable shift from the standard block-and-defend st [...]

See full content

Null Pointer Dereference by Crafted Response from AI Model

on 26/03/2025

Brave Software disclosed a bug submitted by canalun: https://hackerone.com/reports/2958097 - Bounty: $100 [...]

See full content

Detecting NTFS Timestomping

on 25/03/2025

See full content

Report on Paragon Spyware

on 25/03/2025

Citizen Lab has a new report on Paragon’s spyware: Key Findings: Introducing Paragon Solutions. Paragon Solutions was founded in Israel in 2019 and sells spyware called Graphite. The company differentiates itself by claiming it has safeguards to prevent the kinds of spyware abuses that NSO Group and other vendors are notorious for. Infrastructure Analysis of Paragon Spyware. Based on a tip [...]

See full content

Intigriti insights into latest beg bounty scam

by Eleanor Barlow on 25/03/2025

The Intigriti team have recently observed an abuse scenario, trending across the industry, where malicious actors are posing as legitimate white-hat hackers, deceiving targeted companies into believing their actions are carried out in good faith. Bad actors will always try to exploit the system, in any industry, for personal gain. At Intigriti, we help customers navigate this l… [...]

See full content

8 Tips for writing effective bug bounty reports

by blackbird-eu on 25/03/2025

So, you've found a valid security vulnerability in one of your bug bounty programs, now it's time to write the report. Finding the vulnerability was half the story. Writing effective reports is also an essential phase in bug bounty. Clear, well-written, and to-the-point bug bounty reports often get triaged faster and have more chance of getting well received by companies. In th… [...]

See full content

Creating immutable users through a bug in Entra ID restricted administrative units

on 25/03/2025

Imagine trying to disable a malicious user in your Azure environment, only to find it can't be modified! We recently identified a timing-based bug in Entra ID's restricted administrative units (AUs) that could have allowed just this scenario to occur. [...]

See full content

The 'IngressNightmare' vulnerabilities in the Kubernetes Ingress NGINX Controller: Overview, detection, and remediation

on 25/03/2025

Learn how the Kubernetes Ingress NGINX Controller vulnerabilities work, how to detect and remediate them. [...]

See full content

CNWPP How To Fail An Exam Part 4:4

on 24/03/2025

See full content

Non-Production API Endpoints for the Forecast Service Fail to Log to CloudTrail Resulting in Silent Permission Enumeration

on 24/03/2025

AWS VDP disclosed a bug submitted by nick_frichette_dd: https://hackerone.com/reports/3022516 [...]

See full content

Twitter broken link hijacking in thewild.com

on 24/03/2025

Autodesk disclosed a bug submitted by yunxohang: https://hackerone.com/reports/3035275 [...]

See full content

This Simple URL Encoding Made me $50,000 in Bounties

on 24/03/2025

See full content

the CRITICAL 9.1 severity Next.js vulnerability

on 24/03/2025

See full content

More Countries are Demanding Backdoors to Encrypted Apps

on 24/03/2025

Last month, I wrote about the UK forcing Apple to break its Advanced Data Protection encryption in iCloud. More recently, both Sweden and France are contemplating mandating backdoors. Both initiatives are attempting to scare people into supporting backdoors, which are—of course—a terrible idea. Also: “A Feminist Argument Against Weakening Encryption.” [...]

See full content

Cache Poisoning Allows Zero Interaction Store XSS

on 22/03/2025

Trendyol disclosed a bug submitted by samark19: https://hackerone.com/reports/2917062 [...]

See full content

CNWPP How To Fail An Exam Part 3:4

on 21/03/2025

See full content

Friday Squid Blogging: A New Explanation of Squid Camouflage

on 21/03/2025

New research: An associate professor of chemistry and chemical biology at Northeastern University, Deravi’s recently published paper in the Journal of Materials Chemistry C sheds new light on how squid use organs that essentially function as organic solar cells to help power their camouflage abilities. As usual, you can also use this squid post to talk about the security stories in the news that I [...]

See full content

Arrests in Tap-to-Pay Scheme Powered by Phishing

by BrianKrebs on 21/03/2025

Authorities in at least two U.S. states last week independently announced arrests of Chinese nationals accused of perpetrating a novel form of tap-to-pay fraud using mobile devices. Details released by authorities so far indicate the mobile wallets being used by the scammers were created through online phishing scams, and that the accused were relying on a custom Android app to relay tap-to-pay tr [...]

See full content

Learn API Hacking!

on 21/03/2025

See full content

My Writings Are in the LibGen AI Training Corpus

on 21/03/2025

The Atlantic has a search tool that allows you to search for specific works in the “LibGen” database of copyrighted works that Meta used to train its AI models. (The rest of the article is behind a paywall, but not the search tool.) It’s impossible to know exactly which parts of LibGen Meta used to train its AI, and which parts it might have decided to exclude; this snapshot was taken [...]

See full content

The REAL Truth About AI in Cybersecurity

on 21/03/2025

See full content

NCSC Releases Post-Quantum Cryptography Timeline

on 21/03/2025

The UK’s National Computer Security Center (part of GCHQ) released a timeline—also see their blog post—for migration to quantum-computer-resistant cryptography. It even made The Guardian. [...]

See full content

3 Interview Questions You MUST Ask!

on 20/03/2025

See full content

Limited Privilege User Can Create Unauthorized Referrals on partners.shopify.com

on 20/03/2025

Shopify disclosed a bug submitted by samux: https://hackerone.com/reports/1457471 [...]

See full content

Critical GitHub Attack

on 20/03/2025

This is serious: A sophisticated cascading supply chain attack has compromised multiple GitHub Actions, exposing critical CI/CD secrets across tens of thousands of repositories. The attack, which originally targeted the widely used “tj-actions/changed-files” utility, is now believed to have originated from an earlier breach of the “reviewdog/action-setup@v1” GitHub Action, according to a report. [...]

See full content

DOGE to Fired CISA Staff: Email Us Your Personal Data

by BrianKrebs on 20/03/2025

A message posted on Monday to the homepage of the U.S. Cybersecurity & Infrastructure Security Agency (CISA) is the latest exhibit in the Trump administration’s continued disregard for basic cybersecurity protections. The message instructed recently-fired CISA employees to get in touch so they can be rehired and then immediately placed on leave, asking employees to send their Social Secu [...]

See full content

LIVE: Web Hacking | Pentesting | AppSec | Cybersecurity | TryHackme | AMA

on 19/03/2025

See full content

Turn Your Cybersecurity to Cyberstrength with HackerOne

on 19/03/2025

See full content

Data Leaks and AI Agents: Why Your APIs Could Be Exposing Sensitive Information

by Sergei Lega on 19/03/2025

Most organizations are using AI in some way today, whether they know it or not. Some are merely beginning to experiment with it, using tools like chatbots. Others, however, have integrated agentic AI directly into their business procedures and APIs. While both types of organizations are undoubtedly realizing remarkable productivity and efficiency benefits, they may not know they are putting thems [...]

See full content

Uncle Rat Presents: 002-B: Uncle Rat's Ultimate Bug Bounty Guide - P 2 - Broad Scope And API Hacking

on 18/03/2025

See full content

Notepad Saves Your Notes - Even If You Don't!

on 18/03/2025

See full content

SSRF in Autodesk Rendering leading to account takeover

on 18/03/2025

Autodesk disclosed a bug submitted by metereorpreter: https://hackerone.com/reports/3024673 [...]

See full content

Django Debug Mode Enabled - Information Disclosure on api.wwm-dev.autodesk.com

on 18/03/2025

Autodesk disclosed a bug submitted by khoof: https://hackerone.com/reports/2965143 [...]

See full content

How To Get Hacked Downloading Torrents - Malware Analysis

on 18/03/2025

See full content

Quantifying the Financial Impact of Cybersecurity with Return on Mitigation (RoM)

on 18/03/2025

See full content

ms teams is now a C2 (command-and-control)

on 18/03/2025

See full content

How to Find Your First Help Desk Role!

on 17/03/2025

See full content

Announcing OSV-Scanner V2: Vulnerability scanner and remediation tool for open source

on 17/03/2025

Posted by Rex Pan and Xueqin Cui, Google Open Source Security Team. In December 2022, we released the open source OSV-Scanner tool, and earlier this year, we open sourced OSV-SCALIBR. OSV-Scanner and OSV-SCALIBR, together with OSV.dev are components of an open platform for managing vulnerability metadata and enabling simple and accurate matching and remediation of known vulnerabilities. Our goal is [...]

See full content

This is How a Simple IDOR Earned Me a Max Bug Bounty Payout

on 17/03/2025

See full content

I took the TryHackMe Security Analyst Level 1 Certification (SAL1)

on 17/03/2025

See full content

CNWPP How To Fail An Exam Part 2:4

on 16/03/2025

See full content

Sensitive Information Disclosure via Back Button Post Logout on https://apps.nextcloud.com/account/

on 16/03/2025

Nextcloud disclosed a bug submitted by vulnerability_is_here: https://hackerone.com/reports/2946927 [...]

See full content

ClickFix: How to Infect Your PC in Three Easy Steps

by BrianKrebs on 14/03/2025

A clever malware deployment scheme first spotted in targeted attacks last year has now gone mainstream. In this scam, dubbed “ClickFix,” the visitor to a hacked or malicious website is asked to distinguish themselves from bots by pressing a combination of keyboard keys that causes Microsoft Windows to download password-stealing malware. ClickFix attacks mimic the “Verify You are [...]

See full content

My Recap Of BSides Limburg 2025

on 14/03/2025

See full content

The German Hacking Championship

on 14/03/2025

See full content

IoT Hacking Tools You MUST Know: An In-Depth Review

on 14/03/2025

See full content

2FA Bypass leads to impersonation of legitimate users

on 14/03/2025

Drugs.com disclosed a bug submitted by dedoxd2: https://hackerone.com/reports/2885636 [...]

See full content

Stored Cross-Site Scripting found in custom integration app on https://admin.b360.autodesk.com.

on 14/03/2025

Autodesk disclosed a bug submitted by the-white-evil: https://hackerone.com/reports/2971572 [...]

See full content

One PUT Request to Own Tomcat: CVE-2025-24813 RCE is in the Wild

by Ivan Novikov on 14/03/2025

A devastating new remote code execution (RCE) vulnerability, CVE-2025-24813, is now actively exploited in the wild. Attackers need just one PUT API request to take over vulnerable Apache Tomcat servers. The exploit, originally published by a Chinese forum user iSee857, is already available online: CVE-2025-24813 PoC by iSee857. Exploit Breakdown: How a Simple PUT Request Leads to Full RCE This att [...]

See full content

Intigriti Bug Bytes #222 - March 2025 🚀

by Intigriti on 14/03/2025

Hey hackers, Each month, we team up with bug bounty experts to bring you insights, platform updates, new programs, and upcoming community events—all to help you find more bugs! Product updates. New Feature: Gain Deeper Insights into Researcher Activity. We're excited to introduce a new way for researchers to gain valuable insights into their time allocation across different domai… [...]

See full content

Hack Smart Devices For Only $2!

on 13/03/2025

See full content

Stored Cross-Site Scripting in mercadopago.com.ar

on 13/03/2025

MercadoLibre disclosed a bug submitted by elmago: https://hackerone.com/reports/1955485 [...]

See full content

Domain highlighting on External link warning is not working on Chrome & Microsoft Edge browsers on Mobile

on 13/03/2025

HackerOne disclosed a bug submitted by sarthakbhingare015: https://hackerone.com/reports/2553026 [...]

See full content

cgi scripts wordlist entry for windmail.exe has payload that sends arbitrary file read result to third-party

on 13/03/2025

PortSwigger Web Security disclosed a bug submitted by floyd: https://hackerone.com/reports/2733994 - Bounty: $200 [...]

See full content

they tried to hack me so i confronted them

on 13/03/2025

See full content

Burp Everywhere, All Around the World: Bringing AppSec Enthusiasts Together in 2025

on 13/03/2025

Security is a team sport. Whether you're a pentester, bug bounty hunter, student, or just love breaking (and fixing) things, our field thrives on shared knowledge, collaboration, and support. We want [...]

See full content

Access control vulnerability in the retail industry. Cross-Site Scripting (XSS) use case

by Eleanor Barlow on 13/03/2025

Why is the retail industry being targeted? Large-scale operations and the extensive attack surface of the retail industry render it particularly susceptible to cybercrime, on a global scale. Websites, mobile apps, and company programs create numerous entry points for malicious actors. The high volume of payment transactions and financial incentives of successful attacks present… [...]

See full content

CNWPP How To Fail An Exam Part 1:4

on 12/03/2025

See full content

Uncle Rat's 4 Hour API Hacking MasterClass - Zero To Hero - OWASP top 10 - Tools - Demo's

on 12/03/2025

See full content

LIVE: USB and Log Analysis | Cybersecurity | Blue Team | AMA

on 12/03/2025

See full content

Hunting for privilege escalations by modifying the JS feat. renniepak #bugbounty #bugbountytips #bug

on 12/03/2025

See full content

The mysterious bug bounty methodology

on 12/03/2025

See full content

$50k XSS in a web3 website feat. renniepak #bugbounty #bugbountytips #bugbountyhunter

on 12/03/2025

See full content

Using javascript bookmarks to speed up bug hunting feat. renniepak #bugbounty #bugbountytips #bugbou

on 12/03/2025

See full content

An XSS payload tattooed on the forearm feat. renniepak #bugbounty #bugbountytips #bugbountyhunter

on 12/03/2025

See full content

The CSPBypass website feat. renniepak #bugbounty #bugbountytips #bugbountyhunter

on 12/03/2025

See full content

How to become an XSS expert with renniepak

on 12/03/2025

See full content

Behind the Scenes of Burp AI: How we built it, and what's next

on 12/03/2025

Why now? Artificial intelligence is rapidly transforming industries, and security testing is no exception. At PortSwigger, we’ve always been driven by innovation, but we don’t chase trends for the sak [...]

See full content

LEAKED Russian Hackers Internal Chats

on 12/03/2025

See full content

Best practices to avoid Bugcrowd platform violations with Anon Hunter (Sharik Khan)

on 12/03/2025

See full content

Microsoft: 6 Zero-Days in March 2025 Patch Tuesday

by BrianKrebs on 11/03/2025

Microsoft today issued more than 50 security updates for its various Windows operating systems, including fixes for a whopping six zero-day vulnerabilities that are already seeing active exploitation. Two of the zero-day flaws include CVE-2025-24991 and CVE-2025-24993, both vulnerabilities in NTFS, the default file system for Windows and Windows Server. Both require the attacker to trick a target [...]

See full content

Non-Production API Endpoints for the DocumentDB Elastic Service Fail to Log to CloudTrail Resulting in Silent Permission Enumeration

on 11/03/2025

AWS VDP disclosed a bug submitted by nick_frichette_dd: https://hackerone.com/reports/3009411 [...]

See full content

CSRF to Reflected XSS at echo.urbandictionary.biz via spoofing content type

on 11/03/2025

Urban Dictionary disclosed a bug submitted by osama-hamad: https://hackerone.com/reports/1237321 [...]

See full content

Account Takeover Vulnerability in Shopify Collabs Platform Due to Missing Email Verification

on 11/03/2025

Shopify disclosed a bug submitted by kun_19: https://hackerone.com/reports/1679734 - Bounty: $800 [...]

See full content

Alleged Co-Founder of Garantex Arrested in India

by BrianKrebs on 11/03/2025

Authorities in India today arrested the alleged co-founder of Garantex, a cryptocurrency exchange sanctioned by the U.S. government in 2022 for facilitating tens of billions of dollars in money laundering by transnational criminal and cybercriminal organizations. Sources close to the investigation told KrebsOnSecurity the Lithuanian national Aleksej Besciokov, 46, was apprehended while vacationing [...]

See full content

4 platforms to practice hacking as a beginner 👆

on 11/03/2025

See full content

Get Hired In Cybersecurity Without Previous Experience

on 11/03/2025

See full content

XXE: A complete guide to exploiting advanced XXE vulnerabilities

by blackbird-eu on 11/03/2025

XML External Entity (XXE) vulnerabilities are one of the most overlooked yet impactful vulnerabilities in modern web applications. Although they've become seemingly harder to detect and exploit, their impact remains severe, often allowing attackers to read internal files, reach internal-only networks, and in severe cases even execute remote code execution! In this article, we w… [...]

See full content

RCE through collaboration with tess

on 10/03/2025

See full content

How Ethical Hackers ACTUALLY Use ChatGPT With Real Examples

on 10/03/2025

See full content

My Top 7 Burp Suite Extensions - Community Edition - 2025

on 10/03/2025

See full content

MSPGEEKCON is back for 2025

on 09/03/2025

See full content

TECH SUPPORT GONE WRONG

on 08/03/2025

See full content

Sources

The content of this page is fetched from the following sources:

  1. Datadog Security Labs
  2. The Trail of Bits Blog
  3. Phylum Research | Software Supply Chain Security
  4. Schneier on Security
  5. Krebs on Security
  6. Google Online Security Blog
  7. $BLOG_TITLE
  8. Agarri : Sécurité informatique offensive
  9. Alex Chapman's Blog
  10. www.alphabot.com
  11. Brett Buerhaus
  12. Bug Bounty Reports Explained
  13. Bugcrowd
  14. cat ~/footstep.ninja/blog.txt
  15. Ezequiel Pereira
  16. HackerOne
  17. surajdisoja.me
  18. InsiderPhD
  19. Intigriti
  20. John Hammond
  21. LiveOverflow
  22. NahamSec
  23. PortSwigger Blog
  24. Rana Khalil
  25. Richard’s Infosec blog
  26. Ron Chan
  27. ropnop blog
  28. STÖK
  29. Sun Knudsen
  30. The Cyber Mentor
  31. The unofficial HackerOne disclosure timeline
  32. HackerRats (XSS Rat)
  33. TomNomNom
  34. Wallarm