InfoSec Planet

A collection of diverse security content from a curated list of sources. This website also serves as a demo for "worker-planet", the software that powers it.

How to Reduce Cyber Risk with Continuous Threat Exposure Management

on 25/02/2026

AI Security: Leaking Sensitive Data & Account Takeover Explained

on 25/02/2026

Poisoning AI Training Data

on 25/02/2026

All it takes to poison AI training data is to create a website: I spent 20 minutes writing an article on my personal website titled “The best tech journalists at eating hot dogs.” Every word is a lie. I claimed (without evidence) that competitive hot-dog-eating is a popular hobby among tech reporters and based my ranking on the 2026 South Dakota International Hot Dog Championship (whic [...]

mquire: Linux memory forensics without external dependencies

on 25/02/2026

If you’ve ever done Linux memory forensics, you know the frustration: without debug symbols that match the exact kernel version, you’re stuck. These symbols aren’t typically installed on production systems and must be sourced from external repositories, which quickly become outdated when systems receive updates. If you’ve ever tried to analyze a memory dump only to discover that no one has publish [...]

Publicly accessible `` endpoint exposing internal user identifiers and email addresses

on 24/02/2026

Mars disclosed a bug submitted by xgoon: https://hackerone.com/reports/3360293 [...]

CVE--35813 in

on 24/02/2026

Mars disclosed a bug submitted by 0xr2r: https://hackerone.com/reports/2200329 [...]

Sensitive information exposed at [] via /export_panelists_to_xlsx endpoint

on 24/02/2026

Mars disclosed a bug submitted by prakhar0x01: https://hackerone.com/reports/3376598 [...]

- Publicly Accessible public_html Directory Exposing WordPress Configuration

on 24/02/2026

Mars disclosed a bug submitted by xgoon: https://hackerone.com/reports/3066548 [...]

SQLi At `` via `theme_name`

on 24/02/2026

Mars disclosed a bug submitted by 4ksh3ye: https://hackerone.com/reports/3293803 [...]

SQLi at parameter

on 24/02/2026

Mars disclosed a bug submitted by scriptsavvy: https://hackerone.com/reports/3277276 [...]

No Rate Limiting on Password Attempts After Insecure Registration Flow causes ATO

on 24/02/2026

Mars disclosed a bug submitted by azar_man: https://hackerone.com/reports/3174778 [...]

Is It Too Late for Me to Get Into Cybersecurity?!

on 24/02/2026

Is AI Good for Democracy?

on 24/02/2026

Politicians fixate on the global race for technological supremacy between the US and China. They debate geopolitical implications of chip exports, latest model releases from each country, and military applications of AI. Someday, they believe, we might see advancements in AI tip the scales in a superpower conflict. But the most important arms race of the 21st century is already happening elsewhere and [...]

“AI red teaming” is getting thrown around a lot right now

on 23/02/2026

Unbounded decompression chain in HTTP responses on Node.js Fetch API via Content-Encoding leads to resource exhaustion

on 23/02/2026

Node.js disclosed a bug submitted by illia-v: https://hackerone.com/reports/3456148 [...]

I Hacked My First AI Chatbot

on 23/02/2026

On the Security of Password Managers

on 23/02/2026

Good article on password managers that secretly have a backdoor. New research shows that these claims aren’t true in all cases, particularly when account recovery is in place or password managers are set to share vaults or organize users into groups. The researchers reverse-engineered or closely analyzed Bitwarden, Dashlane, and LastPass and identified ways that someone with control over the serve [...]

The World's Hardest Hacking Competition - Pwn2Own Documentary (Part 1)

on 22/02/2026

Initial Bug Bounty Exploits - CSRF + SSRF [CyberCrusade 6]

on 22/02/2026

Friday Squid Blogging: Squid Cartoon

on 20/02/2026

I like this one. As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered. Blog moderation policy. [...]

‘Starkiller’ Phishing Service Proxies Real Login Pages, MFA

by BrianKrebs on 20/02/2026

Most phishing websites are little more than static copies of login pages for popular online destinations, and they are often quickly taken down by anti-abuse activists and security firms. But a stealthy new phishing-as-a-service offering lets customers sidestep both of these pitfalls: It uses cleverly disguised links to load the target brand’s real website, and then acts as a relay between t [...]

Learn PowerShell!

on 20/02/2026

Besides Spotify

on 20/02/2026

Chaining Five Business Logic Flaws to Steal $999,999

on 20/02/2026

Using threat modeling and prompt injection to audit Comet

on 20/02/2026

Before launching their Comet browser, Perplexity hired us to test the security of their AI-powered browsing features. Using adversarial testing guided by our TRAIL threat model, we demonstrated how four prompt injection techniques could extract users’ private information from Gmail by exploiting the browser’s AI assistant. The vulnerabilities we found reflect how AI agents behave when [...]

The Payload Podcast #002 with Connor McGarr

on 20/02/2026

Ring Cancels Its Partnership with Flock

on 20/02/2026

It’s a demonstration of how toxic the surveillance-tech company Flock has become when Amazon’s Ring cancels the partnership between the two companies. As Hamilton Nolan advises, remove your Ring doorbell. [...]

Intigriti Bug Bytes #233 - February 2026 🚀

by Ayoub on 20/02/2026

Hi hackers, Welcome to the latest edition of Bug Bytes! In this month’s issue, we’ll be featuring:  How a read-only Kubernetes permission turned into full cluster takeover AI agent autonomously finds a 1-click RCE  Race condition in blockchain infrastructure worth billions  Finding over 500 high-severity vulnerabilities with AI  Analyzing static code false-positive free  And so much more! Le [...]

Keeping Google Play & Android app ecosystems safe in 2025

on 19/02/2026

Posted by Vijaya Kaza, VP and GM, App & Ecosystem Trust The Android ecosystem is a thriving global community built on trust, giving billions of users the confidence to download the latest apps. In order to maintain that trust, we’re focused on ensuring that apps do not cause real-world harm, such as malware, financial fraud, hidden subscriptions, and privacy invasions. As bad actors leverage [...]

Russia is hacking zero-days again

on 19/02/2026

Malicious AI

on 19/02/2026

Interesting: Summary: An AI agent of unknown ownership autonomously wrote and published a personalized hit piece about me after I rejected its code, attempting to damage my reputation and shame me into accepting its changes into a mainstream python library. This represents a first-of-its-kind case study of misaligned AI behavior in the wild, and raises serious concerns about currently deployed AI [...]

IoT Hacking Stream

on 19/02/2026

Splatoon 3 Anticheat Seed Randomization Weakness

on 19/02/2026

Nintendo disclosed a bug submitted by hana2736: https://hackerone.com/reports/3042475 [...]

ASLR leak in Mario Kart World through LAN mode

on 19/02/2026

Nintendo disclosed a bug submitted by kinnay: https://hackerone.com/reports/3463719 [...]

Kubernetes project issues warning on Ingress NGINX retirement

on 19/02/2026

The Kubernetes project is urging organizations to migrate away from Ingress NGINX before its retirement in March 2026, with new high-severity CVEs underscoring the urgency. [...]

Inside H1-65: Inside OKX’s Live Hacking Event in Singapore

on 18/02/2026

XSS Vulnerability on Pressable/Atomic Hosting Platform via unescaped admin notices leads to code execution

on 18/02/2026

Automattic disclosed a bug submitted by georgestephanis: https://hackerone.com/reports/3447021 [...]

ContinuumCon is back for 2026!

on 18/02/2026

AI Found Twelve New Vulnerabilities in OpenSSL

on 18/02/2026

The title of the post is “What AI Security Research Looks Like When It Works,” and I agree: In the latest OpenSSL security release on January 27, 2026, twelve new zero-day vulnerabilities (meaning unknown to the maintainers at time of disclosure) were announced. Our AI system is responsible for the original discovery of all twelve, each found and responsibly disclosed to the OpenSSL te [...]

From Shadow APIs to Shadow AI: How the API Threat Model Is Expanding Faster Than Most Defenses

by Tim Erlin on 18/02/2026

The shadow technology problem is getting worse.  Over the past few years, organizations have scaled microservices, cloud-native apps, and partner integrations faster than corporate governance models could keep up, resulting in undocumented or shadow APIs.  We’re now seeing this pattern all over again with AI systems. And, even worse, AI introduces non-deterministic behavior, autonomous [...]

Carelessness versus craftsmanship in cryptography

on 18/02/2026

Two popular AES libraries, aes-js and pyaes, “helpfully” provide a default IV in their AES-CTR API, leading to a large number of key/IV reuse bugs. These bugs potentially affect thousands of downstream projects. When we shared one of these bugs with an affected vendor, strongSwan, the maintainer provided a model response for security vendors. The aes-js/pyaes maintainer, on the other hand, has tak [...]

AI Web App Testing: The Future of Security

on 17/02/2026

The Core Principle in Forensic Science

on 17/02/2026

How's your security posture?

on 17/02/2026

Improper State Validation on Sony WH-CH520 via BLE Command Service leads to unauthorized Bluetooth pairing and audio hijacking

on 17/02/2026

Sony disclosed a bug submitted by vortekx: https://hackerone.com/reports/3514490 [...]

Inside Modern API Attacks: What We Learn from the 2026 API ThreatStats Report

by Tim Erlin on 17/02/2026

API security has been a growing concern for years. However, while it was always seen as important, it often came second to application security or hardening infrastructure.  In 2025, the picture changed. Wallarm’s 2026 API ThreatStats Report revealed that APIs are now the primary attack surface for digital business, and not because bad actors discovered new zero-days, but because of compo [...]

An Interview with Eva Benn!

on 17/02/2026

Side-Channel Attacks Against LLMs

on 17/02/2026

Here are three papers describing different side-channel attacks against LLMs. “Remote Timing Attacks on Efficient Language Model Inference“: Abstract: Scaling up language models has significantly increased their capabilities. But larger models are slower models, and so there is now an extensive body of work (e.g., speculative sampling or parallel decoding) that improves the (average ca [...]

How to use AI for improved vulnerability report writing

by Ayoub on 17/02/2026

Report writing is an integral part of bug bounty or any type of vulnerability assessment. In fact, sometimes, it can become the most important phase. Submitting a confusing report can often lead to misalignment and faulty interpretation of your reported vulnerability. On the contrary, a well-written submission that includes all the necessary details can help shorten the time to triage, lead to inc [...]

TikTok needs to fix this vulnerability

on 16/02/2026

Can I Replace AI With My Recon Methodology?

on 16/02/2026

The Promptware Kill Chain

on 16/02/2026

Attacks against modern generative artificial intelligence (AI) large language models (LLMs) pose a real threat. Yet discussions around these attacks and their potential defenses are dangerously myopic. The dominant narrative focuses on “prompt injection,” a set of techniques to embed instructions into inputs to LLM intended to perform malicious activity. This term suggests a simple, s [...]

Chaining in action: techniques, terminology, and real-world impact on business

by Eleanor Barlow on 16/02/2026

What you will learn in this blog What chaining is and how combining lower-severity issues can create a high-impact security risk. Key chaining techniques and terminology, such as pivoting, lateral movement, and privilege escalation. How chaining is identified and prioritized in practice, including the role of PTaaS and how researchers can use chaining to uncover critical attack paths and guide n [...]

AI wrote a hit piece

on 15/02/2026

Bad Bash! FREE FULL 1 Hour Bash Course For Ethical Hackers

on 14/02/2026

Upcoming Speaking Engagements

on 14/02/2026

This is a current list of where and when I am scheduled to speak: I’m speaking at Ontario Tech University in Oshawa, Ontario, Canada, at 2 PM ET on Thursday, February 26, 2026. I’m speaking at the Personal AI Summit in Los Angeles, California, USA, on Thursday, March 5, 2026. I’m speaking at Tech Live: Cybersecurity in New York City, USA, on Wednesday, March 11, 2026. I’m giving the Ross An [...]

this is really funny

on 14/02/2026

A Practical Intro to Digital Forensics

on 13/02/2026

Moltbook is still weird (and AI skills suck)

on 13/02/2026

In love with hacking

on 12/02/2026

TLS PSK/ALPN Callback Exceptions Bypass Error Handlers, Causing DoS and FD Leak

on 12/02/2026

Node.js disclosed a bug submitted by 0xmaxhax: https://hackerone.com/reports/3473882 [...]

Node.js permission model bypass via unchecked Unix Domain Socket connections (UDS)

on 12/02/2026

Node.js disclosed a bug submitted by winfunc: https://hackerone.com/reports/3465156 [...]

Uncatchable "Maximum call stack size exceeded" error on Node.js via async_hooks leads to process crashes bypassing error handlers

on 12/02/2026

Node.js disclosed a bug submitted by aaron_vercel: https://hackerone.com/reports/3456295 [...]

Memory leak that enables remote Denial of Service against applications processing TLS client certificates

on 12/02/2026

Node.js disclosed a bug submitted by giant_anteater: https://hackerone.com/reports/3357723 [...]

Timeout-based race conditions make Uint8Array/Buffer.alloc non-zerofilled

on 12/02/2026

Node.js disclosed a bug submitted by chalker: https://hackerone.com/reports/3405778 [...]

FS Permissions Bypass

on 12/02/2026

Node.js disclosed a bug submitted by natann: https://hackerone.com/reports/3417819 [...]

Mail stored HTML injection in subject text

on 12/02/2026

Nextcloud disclosed a bug submitted by se1en: https://hackerone.com/reports/3357036 - Bounty: $350 [...]

Cache Pollution via Unkeyed GET Parameters on www.omise.co

on 11/02/2026

Omise disclosed a bug submitted by alitoni224: https://hackerone.com/reports/3183046 [...]

AI Red Teaming: Beyond Safety to Security

on 11/02/2026

Kimwolf Botnet Swamps Anonymity Network I2P

by BrianKrebs on 11/02/2026

For the past week, the massive “Internet of Things” (IoT) botnet known as Kimwolf has been disrupting The Invisible Internet Project (I2P), a decentralized, encrypted communications network designed to anonymize and secure online communications. I2P users started reporting disruptions in the network around the same time the Kimwolf botmasters began relying on it to evade takedown attem [...]

Quick tip!

on 11/02/2026

CISO Spotlight: Craig Riddell on Curiosity, Translation, and Why API Security is the New Business Imperative

by Tim Erlin on 11/02/2026

It’s an unusually cold winter morning in Houston, and Craig Riddell is settling into his new role as Wallarm’s Global Field CISO. It’s a position that suits him down to the ground, blending technical depth, empathy, business acumen, and, what Craig believes, the most underrated skill in cybersecurity: curiosity.  Like so many of us, Craig got into cybersecurity by accident. He first learned Un [...]

Patch Tuesday, February 2026 Edition

by BrianKrebs on 10/02/2026

Microsoft today released updates to fix more than 50 security holes in its Windows operating systems and other software, including patches for a whopping six “zero-day” vulnerabilities that attackers are already exploiting in the wild. Zero-day #1 this month is CVE-2026-21510, a security feature bypass vulnerability in Windows Shell wherein a single click on a malicious link can quiet [...]

Your environment doesn’t sit still

on 10/02/2026

Choosing Red Team or Blue Team in 2026

on 10/02/2026

Tech impersonators: ClickFix and MacOS infostealers

on 10/02/2026

Datadog identified an active campaign employing fake GitHub repositories impersonating software companies and leveraging the ClickFix initial access technique to deliver macOS infostealers. [...]

Where are hackers located?

on 09/02/2026

Unlimited Reuse of Coupon Code Allows Free Shipping on All Orders on

on 09/02/2026

AWS VDP disclosed a bug submitted by aneeeketh: https://hackerone.com/reports/3426839 [...]

How AI Gets Tested in the Real World | Salesforce Live Hacking Event

on 09/02/2026

ASGIRequest header concatenation quadratic CPU DoS on Django via repeated headers leads to worker exhaustion

on 09/02/2026

Django disclosed a bug submitted by sy2n0: https://hackerone.com/reports/3426417 [...]

10+ Daily Essentials As An Ethical Hacker

on 09/02/2026

The Myth of “Known APIs”: Why Inventory-First Security Models Are Already Obsolete

by Tim Erlin on 09/02/2026

You probably think the security mantra “you can’t protect what you don’t know about” is an inarguable truth. But you would be wrong. It doesn’t hold water in today’s threat landscape. Of course, it sounds reasonable. Before you secure APIs, you must first discover, inventory, and document them exhaustively. The problem is that this way of thinking has hardened into dogma and ignores how attack [...]

Bundle Up With Our Biggest Discounts Ever!

on 07/02/2026

JHT Course Launch: Dark Web 2 - CTI Researcher

on 06/02/2026

We take security seriously at Bugcrowd

on 06/02/2026

WebAuthn app was updated based on public key

on 06/02/2026

Nextcloud disclosed a bug submitted by se1en: https://hackerone.com/reports/3360354 - Bounty: $750 [...]

The Payload Podcast #001 with Jonny Johnson & Max Harley

on 06/02/2026

LIVE: 🕵️ Forensicating | HackTheBox | Cybersecurity

on 05/02/2026

MQTT Protocol Packet Injection via Unchecked CONNACK Remaining Length

on 05/02/2026

curl disclosed a bug submitted by pajarori: https://hackerone.com/reports/3531216 [...]

From niche to necessity: global bug bounty adoption accelerates, led by the U.S.

by Eleanor Barlow on 05/02/2026

Bug bounty growth insights across the US   Bug bounty programs have evolved from a niche security tactic into a core component of modern defense strategies worldwide. In this blog, we focus on the US: one of the most invested and fastest-adopting markets, where organizations, driven by higher security maturity, are increasingly using bug bounty to uncover complex vulnerabilities that traditional t [...]

Bugcrowd’s new Security Inbox

on 04/02/2026

How To Approach ANY Bug Bounty Target In 2026

on 04/02/2026

User enumeration via timing attack in Django mod_wsgi authentication backend leads to account discovery

on 04/02/2026

Django disclosed a bug submitted by stackered: https://hackerone.com/reports/3424977 [...]

Information Disclosure via Logback Configuration Injection in GoCD Agent

on 04/02/2026

GoCD disclosed a bug submitted by aigirl: https://hackerone.com/reports/3509632 [...]

Web Traffic Hijacking: When Your Nginx Configuration Turns Malicious

on 04/02/2026

Datadog Security Research has identified an active web traffic hijacking campaign that targets NGINX installations and management panels like Baota (BT). In this post, we provide our analysis of the techniques this campaign uses and share indicators of compromise you can check for in your NGINX configurations. [...]

Security folks

on 03/02/2026

The Most Common IoT Security Flaws

on 03/02/2026

Previous commenter on post can still comment even after comment permission is changed to disabled

on 03/02/2026

LinkedIn disclosed a bug submitted by allenjo: https://hackerone.com/reports/3151001 [...]

Improper Access Control - Access to "Active Hiring" (Premium feature) filter results

on 03/02/2026

LinkedIn disclosed a bug submitted by minex627: https://hackerone.com/reports/3235855 [...]

Please Don’t Feed the Scattered Lapsus ShinyHunters

by BrianKrebs on 02/02/2026

A prolific data ransom gang that calls itself Scattered Lapsus ShinyHunters (SLSH) has a distinctive playbook when it seeks to extort payment from victim firms: Harassing, threatening and even swatting executives and their families, all while notifying journalists and regulators about the extent of the intrusion. Some victims reportedly are paying — perhaps as much to contain the stolen data [...]

Sources

The content of this page is fetched from the following sources:

  1. Datadog Security Labs
  2. The Trail of Bits Blog
  3. Schneier on Security
  4. Krebs on Security
  5. Google Online Security Blog
  6. $BLOG_TITLE
  7. Agarri : Sécurité informatique offensive
  8. Alex Chapman's Blog
  9. www.alphabot.com
  10. ziot
  11. Bug Bounty Reports Explained
  12. Bugcrowd
  13. cat ~/footstep.ninja/blog.txt
  14. Ezequiel Pereira
  15. HackerOne
  16. surajdisoja.me
  17. InsiderPhD
  18. Intigriti
  19. John Hammond
  20. LiveOverflow
  21. NahamSec
  22. PortSwigger Blog
  23. Rana Khalil
  24. Richard’s Infosec blog
  25. Ron Chan
  26. ropnop blog
  27. STÖK
  28. Sun Knudsen
  29. The Cyber Mentor
  30. The unofficial HackerOne disclosure timeline
  31. The XSS Rat
  32. TomNomNom
  33. Wallarm