InfoSec Planet
A collection of diverse security content from a curated list of sources. This website also serves as a demo for "worker-planet", the software that powers it.
Data race in Curl_dnscache_add_negative() corrupts shared DNS cache heap corruption and double-free when using CURLOPT_SHARE with CURL_LOCK_DATA_DNS on 04/04/2026
curl disclosed a bug submitted by intrax: https://hackerone.com/reports/3645361 [...]
AI Cyber Defense Ops Course Launch! on 04/04/2026
Internal application wrapper or script using curl on 03/04/2026
curl disclosed a bug submitted by rougerseven7: https://hackerone.com/reports/3648199 [...]
Friday Squid Blogging: Jurassic Fish Chokes on Squid on 03/04/2026
Here’s a fossil of a 150-million-year-old fish that choked to death on a belemnite rostrum: the hard, internal shell of an extinct, squid-like animal. Original paper. As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered. Blog moderation policy. [...]
Getting Started With The Windows Registry on 03/04/2026
Missing server identity policy enforcement in SSH connection reuse allows host key verification bypass via pool poisoning on 03/04/2026
curl disclosed a bug submitted by intrax71: https://hackerone.com/reports/3640932 [...]
Cookie attribute TAB injection regression in Set-Cookie parsing on 03/04/2026
curl disclosed a bug submitted by calaba_zas: https://hackerone.com/reports/3641893 [...]
Extremely Easy Identity Management (with Fletcher Heisler!) on 03/04/2026
Company that Secretly Records and Publishes Zoom Meetings on 03/04/2026
WebinarTV searches the internet for public Zoom invites, joins the meetings, secretly records them, and publishes (alternate link) the recordings. It doesn’t use the Zoom record feature, so Zoom can’t do anything about it. [...]
Simplifying MBA obfuscation with CoBRA on 03/04/2026
Mixed Boolean-Arithmetic (MBA) obfuscation disguises simple operations like x + y behind tangles of arithmetic and bitwise operators. Malware authors and software protectors rely on it because no standard simplification technique covers both domains simultaneously; algebraic simplifiers don’t understand bitwise logic, and Boolean minimizers can’t handle arithmetic. We’re releasing CoBRA, an [...]
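One way to see why MBA defeats single-domain simplifiers, and how a suspected simplification can still be checked, as an added example that is neither CoBRA's code nor part of the original post. The identities below are standard ones (x + y written with XOR/AND, OR/AND, and so on); the plain-versus-obfuscated pairs, the bogus rewrite, and the word widths are constructed for this illustration. The hypercube check rests on the result of Zhou et al. (2007) that a linear MBA identity over n-bit words holds iff it holds with every variable restricted to 0 or 1.

```python
"""Checking a suspected MBA simplification by evaluation.

Added example for this item; it is not CoBRA's code. Expressions run on
fixed-width unsigned words so that arithmetic wraps as it does in a binary.
"""
import random


def mask(width):
    """All-ones word of the given bit width."""
    return (1 << width) - 1


# (plain form, MBA-obfuscated form). Each takes (x, y, m) with m the word mask;
# ~ is masked so it acts as bitwise NOT on a word, not on an unbounded int.
IDENTITIES = {
    "add via xor/and": (lambda x, y, m: (x + y) & m,
                        lambda x, y, m: ((x ^ y) + 2 * (x & y)) & m),
    "add via or/and":  (lambda x, y, m: (x + y) & m,
                        lambda x, y, m: ((x | y) + (x & y)) & m),
    "add, tangled":    (lambda x, y, m: (x + y) & m,
                        lambda x, y, m: (((x ^ y) | (x & y)) + (x & y)) & m),
    "sub":             (lambda x, y, m: (x - y) & m,
                        lambda x, y, m: ((x ^ y) - 2 * (~x & y & m)) & m),
    "xor":             (lambda x, y, m: x ^ y,
                        lambda x, y, m: ((x | y) - (x & y)) & m),
    "or":              (lambda x, y, m: x | y,
                        lambda x, y, m: ((x & ~y & m) + y) & m),
    "and":             (lambda x, y, m: x & y,
                        lambda x, y, m: ((x | y) - (x ^ y)) & m),
}

# A wrong rewrite of x + y: the carry term (x & y) must be doubled.
BOGUS_ADD = (lambda x, y, m: (x + y) & m,
             lambda x, y, m: ((x ^ y) + (x & y)) & m)


def exhaustive_equal(f, g, width=8):
    """Compare f and g on every pair of width-bit words (2**(2*width) evaluations)."""
    m = mask(width)
    return all(f(x, y, m) == g(x, y, m)
               for x in range(m + 1) for y in range(m + 1))


def sampled_equal(f, g, width=64, trials=10_000, seed=1):
    """Random spot check at the real word size; catches most broken rewrites."""
    rng = random.Random(seed)
    m = mask(width)
    return all(f(x, y, m) == g(x, y, m)
               for x, y in ((rng.getrandbits(width), rng.getrandbits(width))
                            for _ in range(trials)))


def hypercube_signature(f, width=64):
    """Values of f with each input restricted to 0 or 1 (word arithmetic kept).

    For a *linear* MBA (a sum of constants times bitwise terms) two expressions
    agree on all width-bit words iff they agree on this 0/1 hypercube
    (Zhou et al., 2007), so equal signatures prove the identity and unequal
    ones refute it. For non-linear MBA the check is only necessary, not
    sufficient, so treat it as a cheap first filter before exhaustive/SMT checks.
    """
    m = mask(width)
    return tuple(f(x, y, m) for x in (0, 1) for y in (0, 1))


def verdict(plain, obfuscated):
    """Report whether the obfuscated form really computes the plain one."""
    return {
        "signature": hypercube_signature(plain) == hypercube_signature(obfuscated),
        "exhaustive_8bit": exhaustive_equal(plain, obfuscated),
        "sampled_64bit": sampled_equal(plain, obfuscated),
    }


if __name__ == "__main__":
    for name, (plain, obf) in IDENTITIES.items():
        print(f"{name:18s} {verdict(plain, obf)}")
    print(f"{'bogus add':18s} {verdict(*BOGUS_ADD)}")
```

The three checks are complementary: the 0/1 signature is four evaluations and is decisive for linear MBA, the exhaustive pass is cheap at 8 bits but proves nothing about wider words on its own, and the random 64-bit sample catches rewrites that happen to hold at small widths.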
The Payload Podcast #005 - AI with Shane Caldwell on 03/04/2026
US Bans All Foreign-Made Consumer Routers on 02/04/2026
This is for new routers; you don’t have to throw away your existing ones: The Executive Branch determination noted that foreign-produced routers (1) introduce “a supply chain vulnerability that could disrupt the U.S. economy, critical infrastructure, and national defense” and (2) pose “a severe cybersecurity risk that could be leveraged to immediately and severely disrupt U [...]
Google Workspace’s continuous approach to mitigating indirect prompt injections on 02/04/2026
Posted by Adam Gavish, Google GenAI Security Team. Indirect prompt injection (IPI) is an evolving threat vector targeting users of complex AI applications with multiple data sources, such as Workspace with Gemini. This technique enables the attacker to influence the behavior of an LLM by injecting malicious instructions into the data or tools used by the LLM as it completes the user’s query. This ma [...]
OWASP Salem XSS talk on 02/04/2026
Possible US Government iPhone Hacking Tool Leaked on 02/04/2026
Wired writes (alternate source): Security researchers at Google on Tuesday released a report describing what they’re calling “Coruna,” a highly sophisticated iPhone hacking toolkit that includes five complete hacking techniques capable of bypassing all the defenses of an iPhone to silently install malware on a device when it visits a website containing the exploitation code. In t [...]
Is “Hackback” Official US Cybersecurity Strategy? on 01/04/2026
The 2026 US “Cyber Strategy for America” document is mostly the same thing we’ve seen out of the White House for over a decade, but with a more aggressive tone. But one sentence stood out: “We will unleash the private sector by creating incentives to identify and disrupt adversary networks and scale our national capabilities.” This sounds like a call for hackback: giv [...]
Mutation testing for the agentic era on 01/04/2026
Code coverage is one of the most dangerous quality metrics in software testing. Many developers fail to realize that code coverage lies by omission: it measures execution, not verification. Test suites with high coverage can obfuscate the fact that critical functionality is untested as software develops over time. We saw this when mutation testing uncovered a high-severity Arkis protocol vulnerabi [...]
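The point that coverage measures execution rather than verification, as an added example that is not Trail of Bits' tooling or code from the post: a minimal AST-based mutation tester. The function under test, both test suites, and the single mutation operator (swapping relational comparisons) are constructed for this illustration. The weak suite executes every statement, so a line-coverage tool reports 100%, yet three mutants survive because no test touches a boundary; adding the boundary cases kills them all.

```python
"""A minimal mutation tester showing why line coverage lies by omission.

Added example, not Trail of Bits' tooling. The function under test, both test
suites and the mutation operator are constructed for this illustration.
"""
import ast
import copy
import sys

FILENAME = "<target>"        # tag compiled code so the tracer can recognise it
FUNC_NAME = "can_withdraw"

# Constructed code under test, kept as source so its AST can be mutated.
TARGET_SRC = '''
def can_withdraw(balance, amount, daily_limit):
    if amount <= 0:
        return False
    if amount > balance:
        return False
    if amount > daily_limit:
        return False
    return True
'''

# Each test: ((balance, amount, daily_limit), expected). The weak suite hits
# every line yet never probes a boundary; the strong suite adds the boundaries.
WEAK_TESTS = [((100, 50, 500), True), ((100, 150, 500), False),
              ((100, -1, 500), False), ((100, 50, 20), False)]
STRONG_TESTS = WEAK_TESTS + [((100, 100, 500), True),   # amount == balance
                             ((100, 0, 500), False),    # amount == 0
                             ((100, 20, 20), True)]     # amount == daily_limit

RELATIONAL = (ast.Lt, ast.LtE, ast.Gt, ast.GtE)
OPSYM = {ast.Lt: "<", ast.LtE: "<=", ast.Gt: ">", ast.GtE: ">="}


def load(src):
    """Compile and execute src, returning the function under test."""
    ns = {}
    exec(compile(src, FILENAME, "exec"), ns)
    return ns[FUNC_NAME]


def run_suite(src, tests):
    """True if every test passes against src; a crashing mutant counts as killed."""
    try:
        func = load(src)
        return all(func(*args) == expected for args, expected in tests)
    except Exception:
        return False


def line_coverage(src, tests):
    """(executed statement lines, total statement lines) for one run of tests."""
    func = load(src)
    hit = set()

    def tracer(frame, event, arg):
        if frame.f_code.co_filename != FILENAME:
            return None                      # only trace the target code
        if event == "line":
            hit.add(frame.f_lineno)
        return tracer

    previous = sys.gettrace()
    sys.settrace(tracer)
    try:
        for args, _ in tests:
            func(*args)
    finally:
        sys.settrace(previous)
    stmt_lines = {n.lineno for n in ast.walk(ast.parse(src))
                  if isinstance(n, ast.stmt) and not isinstance(n, ast.FunctionDef)}
    return len(hit & stmt_lines), len(stmt_lines)


def relational_compares(tree):
    """Compare nodes with a single <, <=, > or >= operator, in ast.walk order."""
    return [n for n in ast.walk(tree)
            if isinstance(n, ast.Compare) and len(n.ops) == 1
            and isinstance(n.ops[0], RELATIONAL)]


def generate_mutants(src):
    """One mutant per (comparison, alternative operator) pair."""
    tree = ast.parse(src)
    mutants = []
    for idx, node in enumerate(relational_compares(tree)):
        for alt in RELATIONAL:
            if isinstance(node.ops[0], alt):
                continue
            mutated = copy.deepcopy(tree)
            relational_compares(mutated)[idx].ops = [alt()]   # same walk order as original
            desc = f"line {node.lineno}: {OPSYM[type(node.ops[0])]} -> {OPSYM[alt]}"
            mutants.append((desc, ast.unparse(mutated)))
    return mutants


def mutation_score(src, tests):
    """(number of mutants, descriptions of the mutants the suite failed to kill)."""
    mutants = generate_mutants(src)
    survivors = [desc for desc, mutant_src in mutants if run_suite(mutant_src, tests)]
    return len(mutants), survivors


if __name__ == "__main__":
    for label, suite in (("weak", WEAK_TESTS), ("strong", STRONG_TESTS)):
        covered, total = line_coverage(TARGET_SRC, suite)
        n, survivors = mutation_score(TARGET_SRC, suite)
        print(f"{label}: coverage {covered}/{total} lines, "
              f"{n - len(survivors)}/{n} mutants killed, survivors: {survivors}")
```

A surviving mutant is a precise, actionable report: each one names the boundary the suite never checked, which is exactly what a coverage percentage hides.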
A Taxonomy of Cognitive Security on 01/04/2026
Last week, I listened to a fascinating talk by K. Melton on cognitive security, cognitive hacking, and reality pentesting. The slides from the talk are here, but—even better—Menton has a long essay laying out the basic concepts and ideas. The whole thing is important and well worth reading, and I hesitate to excerpt. Here’s a taste: The NeuroCompiler is where raw sensory data get [...]
BugQuest 2026: 31 Days of Broken Access Control by Ayoub on 01/04/2026
In March 2026, we ran BugQuest, a 31-day campaign covering everything you need to know about finding and exploiting broken access control vulnerabilities. From understanding the basics of authentication and authorization to spotting subtle authorization bypasses in real code, we broke down one of the most critical vulnerability classes in modern web applications. Broken access controls have consis [...]
Bypassing Strict SSH Server Verification via Connection Pool Reuse in libcurl on 31/03/2026
curl disclosed a bug submitted by whitehat411: https://hackerone.com/reports/3639277 [...]
Use-After-Free race condition in url_move_hostname() via shared connection pool on 31/03/2026
curl disclosed a bug submitted by h3xb1tx: https://hackerone.com/reports/3638715 [...]
VRP 2025 Year in Review on 31/03/2026
Posted by Dirk Göhmann, Tony Mendez, and the Vulnerability Rewards Program Team. 2025 marked a special year in the history of vulnerability rewards and bug bounty programs at Google: our 15th anniversary 🎉🎉🎉! Originally started in 2010, our vulnerability reward program (VRP) has seen constant additions and expansions over the past decade and a half, clearly indicating the value the programs under [...]
Subscraper - the tool you have been missing on 31/03/2026
Endless bundle sales on 31/03/2026
Fomo is a real thing 😝 on 31/03/2026
DLL side-loading vulnerability in Sony Music Center for PC Ver. 2.7.2 (Latest version) on 31/03/2026
Sony disclosed a bug submitted by resurrect20: https://hackerone.com/reports/3355766 [...]
How Digital Forensics Caught the BTK Killer on 31/03/2026
Unauthenticated SSRF via Public Reference API - Sharing Token Bypass on 31/03/2026
Nextcloud disclosed a bug submitted by eclipse07077: https://hackerone.com/reports/3479692 [...]
Inventors of Quantum Cryptography Win Turing Award on 31/03/2026
Charles Bennett and Gilles Brassard have won the 2026 Turing Award for inventing quantum cryptography. I am incredibly pleased to see them get this recognition. I have always thought the technology to be fantastic, even though I think it’s largely unnecessary. I wrote up my thoughts back in 2008, in an essay titled “Quantum Cryptography: As Awesome As It Is Pointless.” Back then, [...]
How we made Trail of Bits AI-native (so far) on 31/03/2026
This post is adapted from a talk I gave at [un]prompted, the AI security practitioner conference. Thanks to Gadi Evron for inviting me to speak. You can watch the recorded presentation below or download the slides. Most companies hand out ChatGPT licenses and wait for the productivity numbers to move. We built a system instead. A year ago, about 5% of Trail of Bits was on board with our AI initiat [...]
HUGE npm axios supply chain attack on 31/03/2026
HackerOne Vulnerability Report: libcurl SSL/TLS Identity Leakage via Insecure Connection Reuse on 31/03/2026
curl disclosed a bug submitted by ankitsingh131225: https://hackerone.com/reports/3636244 [...]
HTTP/2 PUSH_PROMISE header loss on OOM bypasses scheme validation (regression of 2e8c922a89) on 31/03/2026
curl disclosed a bug submitted by m42kl33: https://hackerone.com/reports/3636044 [...]
Unbounded GZIP Decompression Leading to Event-Loop Starvation on 31/03/2026
curl disclosed a bug submitted by ok3y: https://hackerone.com/reports/3632427 [...]
🚨 NPM axios Supply Chain Attack 🚨 on 31/03/2026
SSRF Filter Bypass via Unblocked NAT64 Local-Use IPv6 Prefix (64:ff9b:1::/48) on 31/03/2026
arkadiyt-projects disclosed a bug submitted by tipsen: https://hackerone.com/reports/3634400 [...]
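The class of bug named in the title above, as an added example: an SSRF destination filter that checks only the literal address misses an IPv4 address carried inside an IPv6 translation prefix. This is not the reporter's proof of concept or the project's code, and it makes no claim about how that project's filter is written; the deny lists are a constructed policy and the embedding rule assumes the usual /96 placement of the IPv4 address.

```python
"""SSRF destination check that looks through IPv4-in-IPv6 translation prefixes.

Added example for the class of bug named in the report title above; it is not
the reporter's proof of concept or the project's code and makes no claim about
how that project's filter is built. The deny lists are a constructed policy.
"""
import ipaddress

# Internal / special-purpose destinations a server-side fetcher must not reach.
DENIED_V4 = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4")]
DENIED_V6 = [ipaddress.ip_network(n) for n in ("::/128", "::1/128", "fc00::/7", "fe80::/10")]

# IPv6 prefixes that carry an IPv4 address in their low 32 bits. A dual-stack
# host or NAT64 gateway turns a connection to 64:ff9b:1::7f00:1 into one to
# 127.0.0.1, so a filter that only knows the literal IPv6 form lets it through.
#   ::ffff:0:0/96   IPv4-mapped addresses
#   64:ff9b::/96    well-known NAT64 prefix (RFC 6052)
#   64:ff9b:1::/48  local-use NAT64 prefix (RFC 8215)
EMBEDDING_PREFIXES = [ipaddress.ip_network(n) for n in
                      ("::ffff:0:0/96", "64:ff9b::/96", "64:ff9b:1::/48")]


def naive_is_blocked(host):
    """Typical filter: test the literal address against the deny lists only."""
    addr = ipaddress.ip_address(host)
    nets = DENIED_V4 if addr.version == 4 else DENIED_V6
    return any(addr in n for n in nets)


def embedded_ipv4(addr):
    """IPv4 address an IPv6 translation prefix encodes, or None.

    Assumes the IPv4 address sits in the low 32 bits, i.e. the operator uses a
    /96 within 64:ff9b:1::/48 (the common deployment). RFC 6052 also allows
    other placements; a stricter policy simply denies the whole /48.
    """
    if addr.version != 6 or not any(addr in p for p in EMBEDDING_PREFIXES):
        return None
    return ipaddress.IPv4Address(int(addr) & 0xFFFFFFFF)


def hardened_is_blocked(host):
    """Deny if the address, or the IPv4 address it embeds, is on a deny list."""
    addr = ipaddress.ip_address(host)
    inner = embedded_ipv4(addr)
    if inner is not None:
        return any(inner in n for n in DENIED_V4)
    nets = DENIED_V4 if addr.version == 4 else DENIED_V6
    return any(addr in n for n in nets)


if __name__ == "__main__":
    for probe in ("64:ff9b:1::7f00:1", "64:ff9b::a00:5",
                  "::ffff:169.254.169.254", "64:ff9b::808:808"):
        print(f"{probe:26s} naive={naive_is_blocked(probe)!s:5s} "
              f"hardened={hardened_is_blocked(probe)}")
```

Run the check on every address the hostname resolves to (and again after each redirect), not on the URL string; a literal-only filter is also bypassed by a DNS name that resolves to one of these prefixes.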
Path Traversal in writeFile via Unsafe Prefix Containment Check Allows Out-of-Directory Writes on 31/03/2026
arkadiyt-projects disclosed a bug submitted by tipsen: https://hackerone.com/reports/3634571 [...]
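The class of bug named in the title above, as an added example: a containment check that normalises the path and then tests a string prefix accepts a sibling directory whose name merely starts with the base. This is not the reporter's proof of concept or the project's code; the base directory and inputs are constructed, and posixpath is used so the results do not depend on the host.

```python
"""Directory containment by string prefix versus by path components.

Added example for the class of bug named in the report title above; not the
reporter's proof of concept or the project's code. posixpath is used so the
pure checks behave the same on any host.
"""
import os
import posixpath


def naive_target(base, user_path):
    """Flawed check: normalise, then test a *string* prefix.

    "/srv/data2/secret".startswith("/srv/data") is True, so a write lands in
    a sibling directory that merely shares the base's name as a prefix.
    """
    base = posixpath.normpath(base)
    target = posixpath.normpath(posixpath.join(base, user_path))
    return target.startswith(base), target


def safe_target(base, user_path):
    """Component-wise check: the base must be an ancestor of the target."""
    base = posixpath.normpath(base)
    target = posixpath.normpath(posixpath.join(base, user_path))
    try:
        # commonpath compares whole components, so "/srv/data" is not a
        # prefix of "/srv/data2"; an absolute user_path replaces base inside
        # join and fails here as well.
        return posixpath.commonpath([base, target]) == base, target
    except ValueError:          # mixed absolute/relative inputs
        return False, target


def write_file(base, user_path, data):
    """Write only if the symlink-resolved target stays under the resolved base.

    Resolving with realpath closes the symlink variant of the same bug; a
    race remains if a link is swapped between the check and the open.
    """
    real_base = os.path.realpath(base)
    real_target = os.path.realpath(os.path.join(real_base, user_path))
    if os.path.commonpath([real_base, real_target]) != real_base:
        raise PermissionError(f"refusing to write outside {real_base}: {user_path!r}")
    os.makedirs(os.path.dirname(real_target), exist_ok=True)
    with open(real_target, "wb") as fh:
        fh.write(data)
    return real_target


if __name__ == "__main__":
    for p in ("reports/2026.txt", "../data2/secret", "../../etc/passwd", "/etc/passwd"):
        print(f"{p:18s} naive={naive_target('/srv/data', p)[0]!s:5s} "
              f"safe={safe_target('/srv/data', p)[0]}")
```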
Compromised axios npm package delivers cross-platform RAT on 31/03/2026
An attacker hijacked an axios maintainer's npm account to publish malicious releases that deliver a cross-platform RAT. [...]
HashDoS in V8 on 30/03/2026
Node.js disclosed a bug submitted by sharp_edged: https://hackerone.com/reports/3511792 [...]
Permission Model Bypass in realpathSync.native Allows File Existence Disclosure on 30/03/2026
Node.js disclosed a bug submitted by stif: https://hackerone.com/reports/3480841 [...]
Timing side-channel in HMAC verification via memcmp() in crypto_hmac.cc leads to potential MAC forgery on 30/03/2026
Node.js disclosed a bug submitted by x_probe: https://hackerone.com/reports/3533945 [...]
Node.js Permission Model bypass: UDS server bind/listen works without `--allow-net` on 30/03/2026
Node.js disclosed a bug submitted by xavlimsg: https://hackerone.com/reports/3559715 [...]
Denial of Service via `__proto__` header name in `req.headersDistinct` (Uncaught `TypeError` crashes Node.js process) on 30/03/2026
Node.js disclosed a bug submitted by yushengchen: https://hackerone.com/reports/3560402 [...]
CVE-2024-36137 Patch Bypass - FileHandle.chmod/chown on 30/03/2026
Node.js disclosed a bug submitted by wooseokdotkim: https://hackerone.com/reports/3449392 [...]
Memory leak in Node.js HTTP/2 server via WINDOW_UPDATE on stream 0 leads to resource exhaustion on 30/03/2026
Node.js disclosed a bug submitted by galbarnahum: https://hackerone.com/reports/3531737 [...]
I Earned $2M Hacking. Here's Everything I Know on 30/03/2026
CISO Spotlight: Dimitris Georgiou on Building Security that Serves People First by Tim Erlin on 30/03/2026
Dimitris Georgiou has been a self-professed computer geek since the early 80s. At university, he studied the convergence of educational technology with computer science as part of his psychology MA – finding, to his disbelief, that systems were perilously insecure. Since then, he’s always worked in and around cybersecurity. He’s had roles as a computer science teacher, a technology manager, a [...]
Apple’s Camera Indicator Lights on 30/03/2026
A thoughtful review of Apple’s system to alert users that the camera is on. It’s really well-designed, and important in a world where malware could surreptitiously start recording. The reason it’s tempting to think that a dedicated camera indicator light is more secure than an on-display indicator is the fact that hardware is generally more secure than software, because it’ [...]
CRLF Injection in HAProxy PROXY Protocol via CURLOPT_HAPROXY_CLIENT_IP allows IP spoofing and protocol injection on 30/03/2026
curl disclosed a bug submitted by sakthi02_sk: https://hackerone.com/reports/3633534 [...]
HTTP/2 server push accepts a non-authoritative :scheme=https over cleartext h2c, enabling HTTPS cache-key poisoning on 29/03/2026
curl disclosed a bug submitted by xkiluar: https://hackerone.com/reports/3630310 [...]
Friday Squid Blogging: Bioluminescent Bacteria in Squid on 27/03/2026
The Hawaiian bobtail squid has bioluminescent bacteria. [...]
Password Strength Policy Bypass via Server-Side Validation Flaw on 27/03/2026
Tucows (VDP) disclosed a bug submitted by 2026: https://hackerone.com/reports/3523703 [...]
WE 🧡 THE HIVE on 27/03/2026
Potential DoS due to PasswordPoliciesNotMet in errors.go on 27/03/2026
passhash disclosed a bug submitted by sinic: https://hackerone.com/reports/2441029 [...]
Missing policies for password in password_policies.go on 27/03/2026
passhash disclosed a bug submitted by sinic: https://hackerone.com/reports/2439734 [...]
Intigriti Bug Bytes #234 - March 2026 🚀 by Ayoub on 27/03/2026
Hello hackers, Welcome to the latest edition of Bug Bytes! In this month’s issue, we’ll be featuring: earning $180K via SSRFs; free Burp Suite Pro licenses for top hackers; bypassing tricky file upload restrictions; injecting malicious code into AI coding assistants; and so much more! Let’s dive in! New: PortSwigger collaboration with Intigriti. We've teamed up with PortSwigger to reward high-p [...]
Unpatchable Vulnerabilities of Kubernetes: CVE-2020-8561 on 27/03/2026
A look at how Kubernetes CVE-2020-8561 works [...]
Assertion error in node_url.cc via malformed URL format leads to Node.js crash on 26/03/2026
Node.js disclosed a bug submitted by rafaelgss: https://hackerone.com/reports/3546390 [...]
Proudly sponsoring - kaalchakra CTF 26 on 26/03/2026
As the US Midterms Approach, AI Is Going to Emerge as a Key Issue Concerning Voters on 26/03/2026
In December, the Trump administration signed an executive order that neutered states’ ability to regulate AI by ordering his administration to both sue and withhold funds from states that try to do so. This action pointedly supported industry lobbyists keen to avoid any constraints and consequences on their deployment of AI, while undermining the efforts of consumers, advocates, and industry [...]
Server-side ReDoS via user-controlled regex in OIDC Access Policy on 26/03/2026
RubyGems disclosed a bug submitted by 6b_jjj: https://hackerone.com/reports/3542546 [...]
Bearer Token Leaked to Attacker via .netrc Despite CVE-2026-3783 Fix on 26/03/2026
curl disclosed a bug submitted by wizard021: https://hackerone.com/reports/3611825 [...]
Security Vulnerability Report: Protocol Injection via Programmatic Options on 26/03/2026
curl disclosed a bug submitted by ankitsingh_76: https://hackerone.com/reports/3627638 [...]
Welcoming Megan to TCM! | Cybersecurity | AMA on 26/03/2026
HTTP/1.1 Response Desynchronization via conflicting CL/TE headers in Proxy CONNECT on 25/03/2026
curl disclosed a bug submitted by 3lcarry: https://hackerone.com/reports/3623064 [...]
Security for the Quantum Era: Implementing Post-Quantum Cryptography in Android on 25/03/2026
Posted by Eric Lynch, Product Manager, Android and Dom Elliott, Group Product Manager, Google Play. Modern digital security is at a turning point. We are on the threshold of using quantum computers to solve "impossible" problems in drug discovery, materials science, and energy—tasks that even the most powerful classical supercomputers cannot handle. However, the same unique ability to consider di [...]
Try our new dimensional analysis Claude plugin on 25/03/2026
We’re releasing a new Claude plugin for developing and auditing code that implements dimensional analysis, a technique we explored in our most recent blog post. Most LLM-based security skills ask the model to find bugs. Our new dimensional-analysis plugin for Claude Code takes a different approach: it uses the LLM to annotate your codebase with dimensional types, then flags mismatches mechanically [...]
Function `do_pubkey()` can have out-of-bound read issue on 25/03/2026
curl disclosed a bug submitted by tynus: https://hackerone.com/reports/3617719 [...]
Intigriti 0326 CTF Challenge: Chaining DOM clobbering and CSP bypasses for XSS by Ayoub on 25/03/2026
At Intigriti, we host monthly web-based Capture The Flag (CTF) challenges as a way to engage with the security researcher community. This month's challenge, brought forward by Kulindu, presented us with a Secure Search Portal that, on the surface, appeared to be well protected. A strict Content Security Policy and DOMPurify sanitization gave the impression that this month's task of executing an XS [...]
Potential Subdomain Takeover on IBM.com domain. on 24/03/2026
IBM disclosed a bug submitted by bugmithalchemist: https://hackerone.com/reports/3592387 [...]
3 Reasons IoT Security Will Explode in 2026 on 24/03/2026
Spotting issues in DeFi with dimensional analysis on 24/03/2026
Using dimensional analysis, you can categorically rule out a whole category of logic and arithmetic bugs that plague DeFi formulas. No code changes required, just better reasoning! One of the first lessons in physics is learning to think in terms of dimensions. Physicists can often spot a flawed formula in seconds just by checking whether the dimensions make sense. I once had a teacher who even ke [...]
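The idea in the excerpt, as an added example that is neither Trail of Bits' plugin nor a real protocol's code: tag every value with unit exponents so that a formula with the wrong dimensions fails at the operator, independent of the numbers plugged in. The vault-share and WAD-priced swap formulas are constructed, use integer division as Solidity would, and the unit names (token, share, wad) are illustrative.

```python
"""Dimension tags for DeFi arithmetic, so unit mismatches fail loudly.

Added example illustrating the idea in this post; it is not Trail of Bits'
plugin or a real protocol's code. The vault and swap formulas are constructed,
with integer division as in Solidity.
"""


class DimensionError(TypeError):
    """Raised when an operation mixes incompatible dimensions."""


def fmt(dims):
    return "*".join(f"{u}^{e}" if e != 1 else u for u, e in sorted(dims.items())) or "1"


class Quantity:
    """A number tagged with unit exponents, e.g. {"token": 1, "share": -1}."""
    __slots__ = ("value", "dims")

    def __init__(self, value, dims=None):
        self.value = value
        self.dims = {u: e for u, e in (dims or {}).items() if e != 0}

    def __repr__(self):
        return f"{self.value} [{fmt(self.dims)}]"

    @staticmethod
    def _as_quantity(x):
        # Bare numbers are dimensionless. A scale factor such as 1e18 must be
        # tagged explicitly (see WAD below) or it slips through unchecked.
        return x if isinstance(x, Quantity) else Quantity(x)

    def _same_dims(self, other, op):
        if self.dims != other.dims:
            raise DimensionError(f"{op}: [{fmt(self.dims)}] vs [{fmt(other.dims)}]")

    def _merged(self, other, sign):
        dims = dict(self.dims)
        for u, e in other.dims.items():
            dims[u] = dims.get(u, 0) + sign * e
        return dims

    def __add__(self, other):
        other = self._as_quantity(other)
        self._same_dims(other, "+")
        return Quantity(self.value + other.value, self.dims)

    def __sub__(self, other):
        other = self._as_quantity(other)
        self._same_dims(other, "-")
        return Quantity(self.value - other.value, self.dims)

    def __mul__(self, other):
        other = self._as_quantity(other)
        return Quantity(self.value * other.value, self._merged(other, +1))

    def __floordiv__(self, other):
        other = self._as_quantity(other)
        return Quantity(self.value // other.value, self._merged(other, -1))

    def __lt__(self, other):
        other = self._as_quantity(other)
        self._same_dims(other, "<")
        return self.value < other.value

    def has_dims(self, dims):
        return self.dims == {u: e for u, e in dims.items() if e != 0}


TOKEN, SHARE, WAD_DIM = {"token": 1}, {"share": 1}, {"wad": 1}
WAD = Quantity(10**18, WAD_DIM)      # fixed-point scale carried as its own unit


def shares_for_deposit(assets, total_shares, total_assets):
    """ERC-4626-style mint: assets * totalSupply / totalAssets -> [share]."""
    return assets * total_shares // total_assets


def shares_for_deposit_swapped(assets, total_shares, total_assets):
    """Operand-order bug: [token^2/share]. With equal totals it returns the same
    number as the correct formula, so a value-based unit test can miss it."""
    return assets * total_assets // total_shares


def amount_out(amount_in, price_wad):
    """price_wad is [token_out/token_in * wad]; dividing by WAD drops the scale."""
    return amount_in * price_wad // WAD


def amount_out_forgot_wad(amount_in, price_wad):
    """Missing WAD division leaves a stray [wad] factor (a 1e18x overpayment)."""
    return amount_in * price_wad


def raises_dimension_error(thunk):
    """True if calling thunk() raises DimensionError."""
    try:
        thunk()
    except DimensionError:
        return True
    return False
```

The swapped vault formula is the instructive case: with totalSupply equal to totalAssets both versions return 100 shares for a 100-token deposit, so a test built on round numbers passes either one, while the dimension tag [token^2/share] flags the wrong one before any value is inspected.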
Access to Deactivated LinkedIn Company Pages via Competitor Analytics API on 24/03/2026
LinkedIn disclosed a bug submitted by riadalrashed: https://hackerone.com/reports/3604288 [...]
Vulnerability disclosure for AI safeguards. How open should programs be and what incentives are necessary? by Ed Parsons on 24/03/2026
What you will learn: how vulnerability disclosure applies specifically to AI safeguards and systems; the pros and cons of making AI disclosure programs more open or restricted; the kinds of incentives that motivate researchers; and which disclosure program structures can help organizations improve their AI security. In a recent NCSC blog post on adapting vulnerability disclosure for AI safeguards, [...]
LiteLLM and Telnyx compromised on PyPI: Tracing the TeamPCP supply chain campaign on 24/03/2026
On March 24 and 27, 2026, malicious PyPI releases of LiteLLM and Telnyx were published as part of the TeamPCP supply chain campaign. We trace the full campaign from Trivy through npm, Checkmarx, and into PyPI. [...]
‘CanisterWorm’ Springs Wiper Attack Targeting Iran by BrianKrebs on 23/03/2026
A financially motivated data theft and extortion group is attempting to inject itself into the Iran war, unleashing a worm that spreads through poorly secured cloud services and wipes data on infected systems that use Iran’s time zone or have Farsi set as the default language. Experts say the wiper campaign against Iran materialized this past weekend and came from a relatively new cybercrime [...]
Inside H1-468: Live Hacking Event with Epic Games in Stockholm on 23/03/2026
I’m speaking at r19.io conference on 23/03/2026
How To Get Into Bug Bounty In 2026 on 22/03/2026
Fail-Open in set_tlsext_servername_callback on pyopenssl via unhandled exceptions leads to security bypass on 20/03/2026
Python Cryptographic Authority disclosed a bug submitted by uv3doble: https://hackerone.com/reports/3558277 [...]
Blue Team CTF Walkthrough: DFIR on 20/03/2026
ChatGPT For The Dark Web on 20/03/2026
[Privilege Escalation] User can Pin|Unpin Any Comment on Any Project or Locale on 20/03/2026
Mozilla disclosed a bug submitted by adilnbabras: https://hackerone.com/reports/3025797 [...]
Exposed .git/config File Leading to Potential Sensitive Information Disclosure on 20/03/2026
curl disclosed a bug submitted by zoroo2: https://hackerone.com/reports/3612891 [...]
State of the Cybersecurity Workforce, JHT / WiCyS RSAC Preview on 20/03/2026
Feds Disrupt IoT Botnets Behind Huge DDoS Attacks by BrianKrebs on 20/03/2026
The U.S. Justice Department joined authorities in Canada and Germany in dismantling the online infrastructure behind four highly disruptive botnets that compromised more than three million Internet of Things (IoT) devices, such as routers and web cameras. The feds say the four botnets — named Aisuru, Kimwolf, JackSkid and Mossad — are responsible for a series of recent record-smashing [...]
Exploiting broken access control vulnerabilities by Ayoub on 20/03/2026
Broken access control vulnerabilities have consistently remained at the top of the OWASP Top 10, and for a good reason. As web applications continue to grow in complexity, with the introduction of role-based access controls, multi-tenant support, and granular permission models, the likelihood of access control flaws increases significantly. Unlike other vulnerability classes that often rely on ins [...]
Add labels to arbitrary issues/prs & compromise github actions label checks on 19/03/2026
GitHub disclosed a bug submitted by ahacker1: https://hackerone.com/reports/3527771 [...]
PATs without the required scope can leak issues on 19/03/2026
GitHub disclosed a bug submitted by s3rdz0: https://hackerone.com/reports/3522254 [...]
Bloodhound OpenGraph on 18/03/2026
BIG DAY TODAY on 18/03/2026
Lack of Validation in Reward Redemption Allows Unlimited Burp Suite License Abuse on 18/03/2026
HackerOne disclosed a bug submitted by theokeen: https://hackerone.com/reports/3378540 [...]
HSTS accepted from HTTP origin behind HTTPS proxy on 17/03/2026
curl disclosed a bug submitted by lg_oled77c5pua: https://hackerone.com/reports/3609505 [...]
The Importance of Forensic Soundness on 17/03/2026
can AI eat its own tail? 🤖 on 17/03/2026
Unescaped username in SASL DIGEST-MD5 response allows injection on 17/03/2026
curl disclosed a bug submitted by am-perip: https://hackerone.com/reports/3608522 [...]
Session Cookie Leakage via Static Header Field in WebViewerFragment on 17/03/2026
LinkedIn disclosed a bug submitted by dphoeniixx: https://hackerone.com/reports/3475626 [...]