InfoSec Planet
A collection of diverse security content from a curated list of sources. This website also serves as a demo for "worker-planet", the software that powers it.
HackerOne on AI-Driven Security: Community, Risk, and Innovation on 26/11/2025
Meet Rey, the Admin of ‘Scattered Lapsus$ Hunters’ by BrianKrebs on 26/11/2025
A prolific cybercriminal group that calls itself “Scattered LAPSUS$ Hunters” has dominated headlines this year by regularly stealing data from and publicly mass extorting dozens of major corporations. But the tables seem to have turned somewhat for “Rey,” the moniker chosen by the technical operator and public face of the hacker group: Earlier this week, Rey confirmed his r [...]
Username Validation Bypass on 26/11/2025
Revive Adserver disclosed a bug submitted by kassem_s94: https://hackerone.com/reports/3434156 [...]
The State of Cybercrime in 2025 Part 2 (with Nick Ascoli!) on 26/11/2025
Huawei and Chinese Surveillance on 26/11/2025
This quote is from House of Huawei: The Secret History of China’s Most Powerful Company. “Long before anyone had heard of Ren Zhengfei or Huawei, Wan Runnan had been China’s star entrepreneur in the 1980s, with his company, the Stone Group, touted as “China’s IBM.” Wan had believed that economic change could lead to political change. He had thrown his support be [...]
When your AI Assistant Becomes the Attacker’s Command-and-Control by Tim Erlin on 26/11/2025
Earlier this month, Microsoft uncovered SesameOp, a new backdoor malware that abuses the OpenAI Assistants API as a covert command-and-control (C2) channel. The discovery has drawn significant attention within the cybersecurity community. Security teams can no longer focus solely on endpoint malware. Attackers are weaponizing public and legitimate AI assistant APIs and defenders must adjust. W [...]
Infinite loop issue in the state machine of the curl project on 26/11/2025
curl disclosed a bug submitted by kak1: https://hackerone.com/reports/3442060 [...]
runs javascript on powershell when it shouldn't on 26/11/2025
curl disclosed a bug submitted by lim_e: https://hackerone.com/reports/3442024 [...]
November CTF Challenge: Exploiting JWT vulnerabilities to achieve RCE by Ayoub on 26/11/2025
At Intigriti, we host monthly web-based Capture The Flag (CTF) challenges as a way to engage with the security research community. This month, we've decided to take on a challenge ourselves as a way to give back to the community. In response to one of our recent articles, we decided to focus on JSON Web Token (JWT) vulnerabilities. This article provides a step-by-step walkthrough for solving Novem [...]
Why is RAG Dangerous? on 25/11/2025
Trusted Installer Shell on 25/11/2025
Keylogger Malware Analysis on 25/11/2025
Four Ways AI Is Being Used to Strengthen Democracies Worldwide on 25/11/2025
Democracy is colliding with the technologies of artificial intelligence. Judging from the audience reaction at the recent World Forum on Democracy in Strasbourg, the general expectation is that democracy will be the worse for it. We have another narrative. Yes, there are risks to democracy from AI, but there are also opportunities. We have just published the book Rewiring Democracy: How AI will Tr [...]
Understanding signal-to-noise for vulnerability management success by Eleanor Barlow on 25/11/2025
A common worry for IT and security teams is that, when operating an effective vulnerability management model, they will be flooded with potential vulnerability reports they likely don’t have the capacity to work through. But the real issue here is not volume; it’s noise. Invalid or low-quality submissions can drain resources, cover up, or deprioritize critical signals that have real business imp [...]
The Shai-Hulud 2.0 npm worm: analysis, and what you need to know on 25/11/2025
Learn more about the Shai-Hulud 2.0 npm worm. [...]
High resource consumption by insufficient sanitization of forum threads pagination on 24/11/2025
Flickr disclosed a bug submitted by maskopatol: https://hackerone.com/reports/1916400 - Bounty: $479 [...]
[SFTP] TOCTOU Race Condition in Upload Resume Logic Leads to Arbitrary File Append on 24/11/2025
curl disclosed a bug submitted by cainvsilf: https://hackerone.com/reports/3432833 [...]
Is Your Android TV Streaming Box Part of a Botnet? by BrianKrebs on 24/11/2025
On the surface, the Superbox media streaming devices for sale at retailers like BestBuy and Walmart may seem like a steal: They offer unlimited access to more than 2,200 pay-per-view and streaming services like Netflix, ESPN and Hulu, all for a one-time fee of around $400. But security experts warn these TV boxes require intrusive software that forces the user’s network to relay Internet tra [...]
2025 Black Friday Deals on 24/11/2025
Start 'em young on 24/11/2025
HTML Injection in Emails on login.mtb.com via givenName parameter leads to phishing attacks on 24/11/2025
M&T Bank Vulnerability Disclosure disclosed a bug submitted by ozgun32: https://hackerone.com/reports/3426761 [...]
Wazuh gives visibility to EVERYTHING on 24/11/2025
Free Post Recon Course and Methodology For Bug Bounty Hunters on 24/11/2025
IACR Nullifies Election Because of Lost Decryption Key on 24/11/2025
The International Association of Cryptologic Research—the academic cryptography association that’s been putting on conferences like Crypto (back when “crypto” meant “cryptography”) and Eurocrypt since the 1980s—had to nullify an online election when trustee Moti Yung lost his decryption key. For this election and in accordance with the bylaws of the IACR, the [...]
I Make The BEST FREE Labs In CyberSecurity Education - Come Check Them Out! on 23/11/2025
Arbitrary free in curl's config file parsing on 23/11/2025
curl disclosed a bug submitted by letshack9707: https://hackerone.com/reports/3434543 [...]
hacking twitch chat on 23/11/2025
Mostly Stupid Hacks on 22/11/2025
AI Jailbreaks That Made Me Go WTF on 22/11/2025
RAW videos from REAL hackers on 22/11/2025
Career Questions with Rob Fuller @mubix! on 22/11/2025
Friday Squid Blogging: New “Squid” Sneaker on 21/11/2025
I did not know Adidas sold a sneaker called “Squid.” As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered. Blog moderation policy. [...]
Improper bot-authentication allows to impersonate any user when sending messages in a room on 21/11/2025
Basecamp disclosed a bug submitted by stackered: https://hackerone.com/reports/3329310 - Bounty: $2000 [...]
More on Rewiring Democracy on 21/11/2025
It’s been a month since Rewiring Democracy: How AI Will Transform Our Politics, Government, and Citizenship was published. From what we know, sales are good. Some of the book’s forty-three chapters are available online: chapters 2, 12, 28, 34, 38, and 41. We need more reviews—six on Amazon is not enough, and no one has yet posted a viral TikTok review. One review was published i [...]
Path traversal via archive.extract - CVE-2021-3281 incomplete patch on 21/11/2025
Django disclosed a bug submitted by stackered: https://hackerone.com/reports/3328367 [...]
Top 5 WTF Prompt Injections on 21/11/2025
hacker final boss on 21/11/2025
AI as Cyberattacker on 21/11/2025
From Anthropic: In mid-September 2025, we detected suspicious activity that later investigation determined to be a highly sophisticated espionage campaign. The attackers used AI’s “agentic” capabilities to an unprecedented degree—using AI not just as an advisor, but to execute the cyberattacks themselves. The threat actor—whom we assess with high confidence was a Chinese state-sponso [...]
APIs Are the Retail Engine: How to Secure Them This Black Friday by Tim Erlin on 21/11/2025
Can you ever imagine the impact on your business if it went offline on Black Friday or Cyber Monday due to a cyberattack? Black Friday is the biggest day in the retail calendar. It’s also the riskiest. As you gear up for huge surges in online traffic, ask yourself: have you protected the APIs on which the business runs? The Black Friday API Boom. When you think about Black Fri [...]
Intigriti Bug Bytes #230 - November 2025 🚀 by Ayoub on 21/11/2025
Hi hackers, Welcome to the latest edition of Bug Bytes! In this month’s issue, we’ll be featuring: Finding an RCE using AI in GitHub; CORS exploitation cheat sheet; Scanning codebases with AI; Bypassing paywalls; SSTIs in AI models; And so much more! Let’s dive in! Company News: Intigriti wins 2025 UK IT Industry Awards. We are thrilled to announce that Intigriti has won Security Innovation [...]
Mozilla Says It’s Finally Done With Two-Faced Onerep by BrianKrebs on 20/11/2025
In March 2024, Mozilla said it was winding down its collaboration with Onerep — an identity protection service offered with the Firefox web browser that promises to remove users from hundreds of people-search sites — after KrebsOnSecurity revealed Onerep’s founder had created dozens of people-search services and was continuing to operate at least one of them. Sixteen months later [...]
Android Quick Share Support for AirDrop: A Secure Approach to Cross-Platform File Sharing on 20/11/2025
Posted by Dave Kleidermacher, VP, Platforms Security & Privacy, Google. Technology should bring people closer together, not create walls. Being able to communicate and connect with friends and family should be easy regardless of the phone they use. That’s why Android has been building experiences that help you stay connected across platforms. As part of our efforts to continue to make cross-pla [...]
Scam USPS and E-Z Pass Texts and Websites on 20/11/2025
Google has filed a complaint in court that details the scam: In a complaint filed Wednesday, the tech giant accused “a cybercriminal group in China” of selling “phishing for dummies” kits. The kits help unsavvy fraudsters easily “execute a large-scale phishing campaign,” tricking hordes of unsuspecting people into “disclosing sensitive information like passwords, credit car [...]
Out-of-bounds read in HTTP method handling causes undefined behavior and potential crash This is sharp, Gaurav. We've got a real memory-safety bug ins on 20/11/2025
curl disclosed a bug submitted by gaurav_7777: https://hackerone.com/reports/3434510 [...]
AI Hacking CTF | Win Prizes!!! | AMA on 20/11/2025
Lack of minimum value bid wheel verification on customer_bid in Rental Trips on 20/11/2025
Bykea disclosed a bug submitted by sameer_ali: https://hackerone.com/reports/3328343 [...]
Customer can cancel an individual booking in a batch, causing locking of partner on 20/11/2025
Bykea disclosed a bug submitted by sameer_ali: https://hackerone.com/reports/3295503 [...]
Why Datadog is a 2025 Cloud Security Leader on 20/11/2025
A recap of Datadog's awards from the 2025 Latio Cloud Security Market Report [...]
Existence of completed pods allows for bypass of Kubernetes NetworkPolicy on 19/11/2025
AWS VDP disclosed a bug submitted by savannabungee: https://hackerone.com/reports/3328291 [...]
The Cloudflare Outage May Be a Security Roadmap by BrianKrebs on 19/11/2025
An intermittent outage at Cloudflare on Tuesday briefly knocked many of the Internet’s top destinations offline. Some affected Cloudflare customers were able to pivot away from the platform temporarily so that visitors could still access their websites. But security experts say doing so may have also triggered an impromptu network penetration test for organizations that have come to rely on [...]
Unrestricted setPerPage allows huge result sets / resource exhaustion / mass log retrieval on 19/11/2025
Revive Adserver disclosed a bug submitted by vidang04: https://hackerone.com/reports/3413890 [...]
Username normalization missing allows visually indistinguishable accounts (Whitespace-Based Impersonation) on 19/11/2025
Revive Adserver disclosed a bug submitted by yoyomiski: https://hackerone.com/reports/3413764 [...]
Stored-XSS in campaign name displayed in Banners modal on 19/11/2025
Revive Adserver disclosed a bug submitted by vidang04: https://hackerone.com/reports/3411750 [...]
Legal Restrictions on Vulnerability Disclosure on 19/11/2025
Kendra Albert gave an excellent talk at USENIX Security this year, pointing out that the legal agreements surrounding vulnerability disclosure muzzle researchers while allowing companies to not fix the vulnerabilities—exactly the opposite of what the responsible disclosure movement of the early 2000s was supposed to prevent. This is the talk. Thirty years ago, a debate raged over whether vul [...]
Stored-XSS in Banner Name field on 19/11/2025
Revive Adserver disclosed a bug submitted by yoyomiski: https://hackerone.com/reports/3404968 [...]
Reflected XSS in /admin/banner-zone.php (v6.0.0+) on 19/11/2025
Revive Adserver disclosed a bug submitted by vidang04: https://hackerone.com/reports/3403727 [...]
Information Disclosure via Verbose Error Messages on 19/11/2025
Revive Adserver disclosed a bug submitted by yoyomiski: https://hackerone.com/reports/3403450 [...]
IDOR Vulnerability in Banner Deletion on 19/11/2025
Revive Adserver disclosed a bug submitted by cyberjoker: https://hackerone.com/reports/3401612 [...]
Information Disclosure via Add user lookup in Account Management (User Access) on 19/11/2025
Revive Adserver disclosed a bug submitted by yoyomiski: https://hackerone.com/reports/3401464 [...]
Stored XSS in Conversion Statistics via Tracker Name on 19/11/2025
Revive Adserver disclosed a bug submitted by cyberjoker: https://hackerone.com/reports/3400506 [...]
Stored XSS on inventory-retrieve.php on 19/11/2025
Revive Adserver disclosed a bug submitted by lu3ky-13: https://hackerone.com/reports/3399809 [...]
Improper sanitisation of input in the settings could cause DoS on 19/11/2025
Revive Adserver disclosed a bug submitted by lu3ky-13: https://hackerone.com/reports/3399218 [...]
Reflected XSS in account-preferences-plugin.php on 19/11/2025
Revive Adserver disclosed a bug submitted by lu3ky-13: https://hackerone.com/reports/3399191 [...]
Authorization bypass allows changing email address of other users on 19/11/2025
Revive Adserver disclosed a bug submitted by yoyomiski: https://hackerone.com/reports/3398283 [...]
Black Friday and Cyber Monday price distortion identification by Eleanor Barlow on 19/11/2025
Brick-and-click sales leaving no dollar behind. The evolution of the internet and, with it, international levels of e-commerce, meant that Black Friday soon became the unofficial start of winter purchases ahead of holiday festivities across the globe. In the early 2000s, Cyber Monday, held on the Monday after Thanksgiving, materialized to encourage people to shop online following the Black Friday [...]
Double free in tool_ssls_load() on 18/11/2025
curl disclosed a bug submitted by xkernel: https://hackerone.com/reports/3431180 [...]
Hack This Bot & Win Prizes! on 18/11/2025
Credentials in URL on 18/11/2025
Science drives progress and creativity fuels discovery on 18/11/2025
Microsoft Entra ID INSECURE DEFAULTS on 18/11/2025
AI and Voter Engagement on 18/11/2025
Social media has been a familiar, even mundane, part of life for nearly two decades. It can be easy to forget it was not always that way. In 2008, social media was just emerging into the mainstream. Facebook reached 100 million users that summer. And a singular candidate was integrating social media into his political campaign: Barack Obama. His campaign’s use of social media was so bracingl [...]
We found cryptography bugs in the elliptic library using Wycheproof on 18/11/2025
Trail of Bits is publicly disclosing two vulnerabilities in elliptic, a widely used JavaScript library for elliptic curve cryptography that is downloaded over 10 million times weekly and is used by close to 3,000 projects. These vulnerabilities, caused by missing modular reductions and a missing length check, could allow attackers to forge signatures or prevent valid signatures from being verified [...]
Bypass of Cloudflare's Cache Keys and WAF via header overflow on 18/11/2025
Cloudflare Public Bug Bounty disclosed a bug submitted by david96: https://hackerone.com/reports/3027461 [...]
Intigriti wins ‘Security Innovation of the Year’ at the 2025 UK IT Industry Awards by Eleanor Barlow on 18/11/2025
We are thrilled to announce that Intigriti has won Security Innovation of the Year at the UK IT Industry Awards 2025. A powerful recognition for innovation. The UK IT Industry Awards are designed to celebrate organizations, teams, projects, technologies, and individuals who continue to help shape the future of IT. This accolade is a testament to the ingenuity, dedication, and forward-thinking appro [...]
Raid weekend update 21 reports done on 17/11/2025
it's not that complicated on 17/11/2025
Hacking with Nuclei: Uncovering .git Secrets on 17/11/2025
How to Use Nuclei And Automate Cross-Site Scripting Vulnerabilities on 17/11/2025
Authentication Bypass in Subscription Management Endpoint on 17/11/2025
lemlist disclosed a bug submitted by 0hmz: https://hackerone.com/reports/3417162 [...]
More Prompt||GTFO on 17/11/2025
The next three in this series on online events highlighting interesting uses of AI in cybersecurity are online: #4, #5, and #6. Well worth watching. [...]
Double-free vulnerability in libcurl with rustls via NoServerCertVerifier condition leads to application crash on 16/11/2025
curl disclosed a bug submitted by xkernel: https://hackerone.com/reports/3427670 [...]
Microsoft Patch Tuesday, November 2025 Edition by BrianKrebs on 16/11/2025
Microsoft this week pushed security updates to fix more than 60 vulnerabilities in its Windows operating systems and supported software, including at least one zero-day bug that is already being exploited. Microsoft also fixed a glitch that prevented some Windows 10 users from taking advantage of an extra year of security updates, which is nice because the zero-day flaw and other critical weakness [...]
Bug Bounty Tips From The Trenches With @ZACK0X01 on 16/11/2025
a new kind of Capture The Flag hacking on 16/11/2025
Incorrect sizeof() in Rustls Backend Memory Allocation on 15/11/2025
curl disclosed a bug submitted by pelioro: https://hackerone.com/reports/3427460 [...]
Off-by-One Buffer Overflow in SMB Path Handler on 15/11/2025
curl disclosed a bug submitted by pelioro: https://hackerone.com/reports/3427343 [...]
Malicious server forces .curlrc creation via curl -OJ leading to local file exfiltration on 15/11/2025
curl disclosed a bug submitted by djogho: https://hackerone.com/reports/3427194 [...]
Basic Network Segmentation on 15/11/2025
The State of Cybercrime in 2025 (with Nick Ascoli!) on 15/11/2025
Level up your Solidity LLM tooling with Slither-MCP on 15/11/2025
We’re releasing Slither-MCP, a new tool that augments LLMs with Slither’s unmatched static analysis engine. Slither-MCP benefits virtually every use case for LLMs by exposing Slither’s static analysis API via tools, allowing LLMs to find critical code faster, navigate codebases more efficiently, and ultimately improve smart contract authoring and auditing performance. How Slither-MCP works. Slither [...]
"One Parameter to Rule Them All - How a User Flaw Unlocked an Admin Fortress" - Shinobi.security on 15/11/2025
Responsible disclosure - public S3 bucket exposing JSON/config files on 14/11/2025
AWS VDP disclosed a bug submitted by xtawb: https://hackerone.com/reports/3382796 [...]
Practical Help Desk - Learn IT Fundamentals in 9 Hours on 14/11/2025
Authentication Token Theft via Open Redirect in Callback URL Parameter on 14/11/2025
lemlist disclosed a bug submitted by sle3pyhead: https://hackerone.com/reports/3419636 [...]
Hacking with Burp AI in the Chesspocalypse: API expert Corey Ball showcases how Burp AI can support pentesters. on 14/11/2025
AI isn’t just reshaping cybersecurity - it’s challenging testers to rethink their entire playbook. In his latest article, “Hacking with Burp AI in the Chesspocalypse”, API expert Corey Ball draws less [...]
I Had Claude MCP Hack Me on 14/11/2025
How we avoided side-channels in our new post-quantum Go cryptography libraries on 14/11/2025
The Trail of Bits cryptography team is releasing our open-source pure Go implementations of ML-DSA (FIPS-204) and SLH-DSA (FIPS-205), two NIST-standardized post-quantum signature algorithms. These implementations have been engineered and reviewed by several of our cryptographers, so if you or your organization is looking to transition to post-quantum support for digital signatures, try them out! T [...]
How to make money in ethical hacking on 13/11/2025
Rust in Android: move fast and fix things on 13/11/2025
Posted by Jeff Vander Stoep, Android. Last year, we wrote about why a memory safety strategy that focuses on vulnerability prevention in new code quickly yields durable and compounding gains. This year we look at how this approach isn’t just fixing things, but helping us move faster. The 2025 data continues to validate the approach, with memory safety vulnerabilities falling below 20% of total [...]