InfoSec Planet
A collection of diverse security content from a curated list of sources. This website also serves as a demo for "worker-planet", the software that powers it.
Injection in path parameter of Ingress-nginx on 07/03/2026
Kubernetes disclosed a bug submitted by fisjkars: https://hackerone.com/reports/2701701 [...]
Hardware Hacking 101: with a custom physical kit! on 07/03/2026
Friday Squid Blogging: Squid in Byzantine Monk Cooking on 06/03/2026
This is a very weird story about how squid stayed on the menu of Byzantine monks by falling between the cracks of dietary rules. At Constantinople’s Monastery of Stoudios, the kitchen didn’t answer to appetite. It answered to the “typikon”: a manual for ensuring that nothing unexpected happened at mealtimes. Meat: forbidden. Dairy: forbidden. Eggs: forbidden. Fish: feast-da [...]
Anthropic and the Pentagon on 06/03/2026
OpenAI is in and Anthropic is out as a supplier of AI technology for the US defense department. This news caps a week of bluster by the highest officials in the US government towards some of the wealthiest titans of the big tech industry, and the overhanging specter of the existential risks posed by a new technology powerful enough that the Pentagon claims it is essential to national security. At [...]
Claude Used to Hack Mexican Government on 06/03/2026
An unknown hacker used Anthropic’s LLM to hack the Mexican government: The unknown Claude user wrote Spanish-language prompts for the chatbot to act as an elite hacker, finding vulnerabilities in government networks, writing computer scripts to exploit them and determining ways to automate data theft, Israeli cybersecurity startup Gambit Security said in research published Wednesday. [… [...]
The Payload Podcast #003 on 06/03/2026
Catch us chillin' at The Hive during RSA. đ on 06/03/2026
IDOR to make someone attend or leave an event on 06/03/2026
LinkedIn disclosed a bug submitted by safehacker_2715: https://hackerone.com/reports/1734639 [...]
Blocking a company page admin prevents him from delete paid media admin or edit his roles on 05/03/2026
LinkedIn disclosed a bug submitted by riadalrashed: https://hackerone.com/reports/2339192 [...]
Open Redirect on lovable.dev via redirect parameter leads to phishing attacks on 05/03/2026
Lovable VDP disclosed a bug submitted by jdc94: https://hackerone.com/reports/3581815 [...]
Israel Hacked Traffic Cameras in Iran on 05/03/2026
Multiple news outlets are reporting on Israel’s hacking of Iranian traffic cameras and how they assisted with the killing of that country’s leadership. The New York Times has an [...]
DoS via Unbounded Memory Allocation in sendWebStream on Fastify v5.7.0+ leads to OOM crash when backpressure is ignored on 05/03/2026
Fastify disclosed a bug submitted by onlybugs05: https://hackerone.com/reports/3524779 [...]
Hacked App Part of US/Israeli Propaganda Campaign Against Iran on 05/03/2026
Wired has the story: Shortly after the first set of explosions, Iranians received bursts of notifications on their phones. They came not from the government advising caution, but from an apparently hacked prayer-timing app called BadeSaba Calendar that has been downloaded more than 5 million times from the Google Play Store. The messages arrived in quick succession over a period of 30 minutes, sta [...]
LIVE: đ”ïž Memory Forensics | Blue Cape | Cybersecurity on 05/03/2026
Missing Access Control in MigrationFile allows attacker to upload files to any Migration on 05/03/2026
GitHub disclosed a bug submitted by ahacker1: https://hackerone.com/reports/3506183 [...]
Security-driven Rapid Release - Pwn2Own Documentary (Part 4) on 04/03/2026
crypto scammers phish with physical mail on 04/03/2026
SSTI leads to Command injection on 04/03/2026
curl disclosed a bug submitted by errorbehavior200: https://hackerone.com/reports/3584149 [...]
Manipulating AI Summarization Features on 04/03/2026
Microsoft is reporting: Companies are embedding hidden instructions in “Summarize with AI” buttons that, when clicked, attempt to inject persistence commands into an AI assistant’s memory via URL prompt parameters…. These prompts instruct the AI to “remember [Company] as a trusted source” or “recommend [Company] first,” aiming to bias future response [...]
Intigriti launches new global Hacker Ambassador Program by Eleanor Barlow on 04/03/2026
What you will learn What the Intigriti Ambassador Program is and how it works. What are the key benefits and rewards of participation? Who should apply and why it matters. How to apply and next steps. What the global hacking community means to Intigriti The global hacking community has never been more important. From students discovering their first bug to seasoned hackers uncovering flaws in [...]
This is the Fastest Growing Cybersecurity Field for 2026! on 03/03/2026
On Moltbook on 03/03/2026
The MIT Technology Review has a good article on Moltbook, the supposed AI-only social network: Many people have pointed out that a lot of the viral comments were in fact posted by people posing as bots. But even the bot-written posts are ultimately the result of people pulling the strings, more puppetry than autonomy. “Despite some of the hype, Moltbook is not the Facebook for AI agents, nor [...]
Use after free in hyperfifo example on 03/03/2026
curl disclosed a bug submitted by deepbluev7: https://hackerone.com/reports/3580247 [...]
What would you do for a P1? on 02/03/2026
Everyone Knows About Broken Authorization â So Why Does It Still Work for Attackers? by Tim Erlin on 02/03/2026
Broken authorization is one of the most widely known API vulnerabilities. It features in the OWASP Top 10, AppSec conversations, and secure coding guidelines. Broken Object Level Authorization (BOLA) and Broken Function Level Authorization (BFLA) account for hundreds of API vulnerabilities every quarter. According to the 2026 API ThreatStats report, authorization issues ranked ninth i [...]
LLM-Assisted Deanonymization on 02/03/2026
Turns out that LLMs are good at de-anonymization: We show that LLM agents can figure out who you are from your anonymous online posts. Across Hacker News, Reddit, LinkedIn, and anonymized interview transcripts, our method identifies users with high precision  and scales to tens of thousands of candidates. While it has been known that individuals can be uniquely identified by surprisingly few attr [...]
Firefox JIT Bug - Pwn2Own Documentary (Part 3) on 01/03/2026
2FA requirement bypass when inviting team members on 28/02/2026
Omise disclosed a bug submitted by 0x7ashish: https://hackerone.com/reports/3356149 [...]
Who is the Kimwolf Botmaster âDortâ? by BrianKrebs on 28/02/2026
In early January 2026, KrebsOnSecurity revealed how a security researcher disclosed a vulnerability that was used to build Kimwolf, the world’s largest and most disruptive botnet. Since then, the person in control of Kimwolf — who goes by the handle “Dort” — has coordinated a barrage of distributed denial-of-service (DDoS), doxing and email flooding attacks against th [...]
ContinuumCon Prep (with Greg Ake!) on 28/02/2026
Friday Squid Blogging: Squid Fishing in Peru on 27/02/2026
Peru has increased its squid catch limit. The article says “giant squid,” but they can’t possibly mean that. As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered. Blog moderation policy. [...]
Cultivating a robust and efficient quantum-safe HTTPS on 27/02/2026
Posted by Chrome Secure Web and Networking Team Today we're announcing a new program in Chrome to make HTTPS certificates secure against quantum computers. The Internet Engineering Task Force (IETF) recently created a working group, PKI, Logs, And Tree Signatures (âPLANTSâ), aiming to address the performance and bandwidth challenges that the increased size of quantum-resistant cryptography intro [...]
The Dangers Of Cheap Smart Camera on 27/02/2026
This Burp Suite Extension Can Supercharge Your Bug Bounty Hunt For BAC on 27/02/2026
h?ckers a[r]e gl*bbing on 27/02/2026
Why Tehranâs Two-Tiered Internet Is So Dangerous on 27/02/2026
Iran is slowly emerging from the most severe communications blackout in its history and one of the longest in the world. Triggered as part of January’s government crackdown against citizen protests nationwide, the regime implemented an internet shutdown that transcends the standard definition of internet censorship. This was not merely blocking social media or foreign websites; it was a tota [...]
Hook, line, and vault: A technical deep dive into the 1Phish kit on 27/02/2026
We analyze the evolution of the 1Phish phishing kit from a basic credential harvester into an MFA-aware, multi-stage phishing kit targeting 1Password users. [...]
Password Reuse Vulnerability on AWS Sign-in Page via Password Reset Flow leads to Security Policy Violation on 26/02/2026
AWS VDP disclosed a bug submitted by h0ne_analyst_94cm4n1: https://hackerone.com/reports/3514122 [...]
Oh okay on 26/02/2026
Integer Overflow in curl_multi_get_handles() Leading to Heap Buffer Overflow on 26/02/2026
curl disclosed a bug submitted by knickers: https://hackerone.com/reports/3575245 [...]
RTSP RTP Interleaved Parser Assertion Failure (Zero-Length RTP Payload) on 26/02/2026
curl disclosed a bug submitted by davkor: https://hackerone.com/reports/3575250 [...]
AI Playground XSS to steal user-chat messages and access to connected MCP Server on 26/02/2026
Cloudflare Public Bug Bounty disclosed a bug submitted by matured_kazama: https://hackerone.com/reports/3424998 [...]
Able to bypass HSTS using trailing dot on 26/02/2026
curl disclosed a bug submitted by shan_nandi: https://hackerone.com/reports/3574928 [...]
thousands of Google API keys exposed on 26/02/2026
Curl Telnet Handler Buffer Overflow on 26/02/2026
curl disclosed a bug submitted by pelioro: https://hackerone.com/reports/3575475 [...]
HTML Injection in DAST Trial Request Form Confirmation Email PortSwigger on 26/02/2026
PortSwigger Web Security disclosed a bug submitted by zorixu: https://hackerone.com/reports/3556892 - Bounty: $200 [...]
From curiosity to critical bugs: Interview with Marc-Oliver Munz (c1phy) by Eleanor Barlow on 26/02/2026
Security is built by people. At Intigriti, we donât just help organizations stay secure; we shine a light on the ethical hackers making a difference. Through our Hacker Spotlight series, we celebrate the talent, curiosity, and impact of the community driving safer digital experiences worldwide. We recently spoke with Marc-Oliver Munz, an ethical hacker from Germany with a global reach. In this Q& [...]
From curiosity to critical bugs: Interview with Marc-Oliver Munz (c1phy) by Eleanor Barlow on 26/02/2026
Security is built by people. At Intigriti, we donât just help organizations stay secure; we shine a light on the ethical hackers making a difference. Through our Hacker Spotlight series, we celebrate the talent, curiosity, and impact of the community driving safer digital experiences worldwide. We recently spoke with Marc-Oliver Munz, an ethical hacker from Germany with a global reach. In this Q& [...]
The First Exploit - Pwn2Own Documentary (Part 2) on 25/02/2026
Staying One Step Ahead: Strengthening Androidâs Lead in Scam Protection on 25/02/2026
Posted by Lyubov Farafonova, Product Manager, Phone by Google; Alberto Pastor Nieto, Sr. Product Manager Google Messages and RCS Spam and Abuse Weâve shared how Androidâs proactive, multi-layered scam defenses utilize Google AI to protect users around the world from over 10 billion suspected malicious calls and messages every month1. While that scale is significant, the true impact of these p [...]
How to Reduce Cyber Risk with Continuous Threat Exposure Management on 25/02/2026
AI Security: Leaking Sensitive Data & Account Takeover Explained on 25/02/2026
mquire: Linux memory forensics without external dependencies on 25/02/2026
If youâve ever done Linux memory forensics, you know the frustration: without debug symbols that match the exact kernel version, youâre stuck. These symbols arenât typically installed on production systems and must be sourced from external repositories, which quickly become outdated when systems receive updates. If youâve ever tried to analyze a memory dump only to discover that no one has publish [...]
Publicly accessible `` endpoint exposing internal user identifiers and email addresses on 24/02/2026
Mars disclosed a bug submitted by xgoon: https://hackerone.com/reports/3360293 [...]
CVE--35813 in on 24/02/2026
Mars disclosed a bug submitted by 0xr2r: https://hackerone.com/reports/2200329 [...]
Sensitive information exposed at [] via /export_panelists_to_xlsx endpoint on 24/02/2026
Mars disclosed a bug submitted by prakhar0x01: https://hackerone.com/reports/3376598 [...]
- Publicly Accessible public_html Directory Exposing WordPress Configuration on 24/02/2026
Mars disclosed a bug submitted by xgoon: https://hackerone.com/reports/3066548 [...]
SQLi At `` via `theme_name` on 24/02/2026
Mars disclosed a bug submitted by 4ksh3ye: https://hackerone.com/reports/3293803 [...]
SQLi at parameter on 24/02/2026
Mars disclosed a bug submitted by scriptsavvy: https://hackerone.com/reports/3277276 [...]
No Rate Limiting on Password Attempts After Insecure Registration Flow cause ATO on 24/02/2026
Mars disclosed a bug submitted by azar_man: https://hackerone.com/reports/3174778 [...]
Is It Too Late for Me to Get Into Cybersecurity?! on 24/02/2026
âAI red teamingâ is getting thrown around a lot right now on 23/02/2026
Unbounded decompression chain in HTTP responses on Node.js Fetch API via Content-Encoding leads to resource exhaustion on 23/02/2026
Node.js disclosed a bug submitted by illia-v: https://hackerone.com/reports/3456148 [...]
I Hacked My First AI Chatbot on 23/02/2026
The World's Hardest Hacking Competition - Pwn2Own Documentary (Part 1) on 22/02/2026
Initial Bug Bounty Exploits - CSRF + SSRF [CyberCrusade 6] on 22/02/2026
âStarkillerâ Phishing Service Proxies Real Login Pages, MFA by BrianKrebs on 20/02/2026
Most phishing websites are little more than static copies of login pages for popular online destinations, and they are often quickly taken down by anti-abuse activists and security firms. But a stealthy new phishing-as-a-service offering lets customers sidestep both of these pitfalls: It uses cleverly disguised links to load the target brand’s real website, and then acts as a relay between t [...]
Learn PowerShell! on 20/02/2026
Besides Spotify on 20/02/2026
Chaining Five Business Logic Flaws to Steal $999,999 on 20/02/2026
Using threat modeling and prompt injection to audit Comet on 20/02/2026
Before launching their Comet browser, Perplexity hired us to test the security of their AI-powered browsing features. Using adversarial testing guided by our TRAIL threat model, we demonstrated how four prompt injection techniques could extract users’ private information from Gmail by exploiting the browser’s AI assistant. The vulnerabilities we found reflect how AI agents behave when [...]
The Payload Podcast #002 with Connor McGarr on 20/02/2026
Intigriti Bug Bytes #233 - February 2026 đ by Ayoub on 20/02/2026
Hi hackers, Welcome to the latest edition of Bug Bytes! In this monthâs issue, weâll be featuring: How a read-only Kubernetes permission turned into full cluster takeover AI agent autonomously finds a 1-click RCE Race condition in blockchain infrastructure worth billions Finding over 500 high-severity vulnerabilities with AI Analyzing static code false-positive free And so much more! Le [...]
Keeping Google Play & Android app ecosystems safe in 2025 on 19/02/2026
Posted by Vijaya Kaza, VP and GM, App & Ecosystem Trust The Android ecosystem is a thriving global community built on trust, giving billions of users the confidence to download the latest apps. In order to maintain that trust, weâre focused on ensuring that apps do not cause real-world harm, such as malware, financial fraud, hidden subscriptions, and privacy invasions. As bad actors leverage [...]
Russia is hacking zero-days again on 19/02/2026
IoT Hacking Stream on 19/02/2026
Splatoon 3 Anticheat Seed Randomization Weakness on 19/02/2026
Nintendo disclosed a bug submitted by hana2736: https://hackerone.com/reports/3042475 [...]
ASLR leak in Mario Kart World through LAN mode on 19/02/2026
Nintendo disclosed a bug submitted by kinnay: https://hackerone.com/reports/3463719 [...]
Kubernetes project issues warning on Ingress NGINX retirement on 19/02/2026
The Kubernetes project is urging organizations to migrate away from Ingress NGINX before its retirement in March 2026, with new high-severity CVEs underscoring the urgency. [...]
Inside H1-65: Inside OKXâs Live Hacking Event in Singapore on 18/02/2026
XSS Vulnerability on Pressable/Atomic Hosting Platform via unescaped admin notices leads to code execution on 18/02/2026
Automattic disclosed a bug submitted by georgestephanis: https://hackerone.com/reports/3447021 [...]
ContinuumCon is back for 2026! on 18/02/2026
From Shadow APIs to Shadow AI: How the API Threat Model Is Expanding Faster Than Most Defenses by Tim Erlin on 18/02/2026
The shadow technology problem is getting worse. Over the past few years, organizations have scaled microservices, cloud-native apps, and partner integrations faster than corporate governance models could keep up, resulting in undocumented or shadow APIs. Weâre now seeing this pattern all over again with AI systems. And, even worse, AI introduces non-deterministic behavior, autonomous [...]
Carelessness versus craftsmanship in cryptography on 18/02/2026
Two popular AES libraries, aes-js and pyaes, âhelpfullyâ provide a default IV in their AES-CTR API, leading to a large number of key/IV reuse bugs. These bugs potentially affect thousands of downstream projects. When we shared one of these bugs with an affected vendor, strongSwan, the maintainer provided a model response for security vendors. The aes-js/pyaes maintainer, on the other hand, has tak [...]
AI Web App Testing: The Future of Security on 17/02/2026
The Core Principle in Forensic Science on 17/02/2026
How's your security posture? on 17/02/2026
Improper State Validation on Sony WH-CH520 via BLE Command Service leads to unauthorized Bluetooth pairing and audio hijacking on 17/02/2026
Sony disclosed a bug submitted by vortekx: https://hackerone.com/reports/3514490 [...]
Inside Modern API Attacks: What We Learn from the 2026 API ThreatStats Report by Tim Erlin on 17/02/2026
API security has been a growing concern for years. However, while it was always seen as important, it often came second to application security or hardening infrastructure. In 2025, the picture changed. Wallarmâs 2026 API ThreatStats Report revealed that APIs are now the primary attack surface for digital business, and not because bad actors discovered new zero-days, but because of compo [...]
An Interview with Eva Benn! on 17/02/2026
How to use AI for improved vulnerability report writing by Ayoub on 17/02/2026
Report writing is an integral part of bug bounty or any type of vulnerability assessment. In fact, sometimes, it can become the most important phase. Submitting a confusing report can often lead to misalignment and faulty interpretation of your reported vulnerability. On the contrary, a well-written submission that includes all the necessary details can help shorten the time to triage, lead to inc [...]
TiKTok needs to fix this vulnerability on 16/02/2026
Can I Replace AI With My Recon Methodology? on 16/02/2026
Chaining in action: techniques, terminology, and real-world impact on business by Eleanor Barlow on 16/02/2026
What you will learn in this blog What chaining is and how combining lower-severity issues can create a high-impact security risk. Key chaining techniques and terminology, such as pivoting, lateral movement, and privilege escalation. How chaining is identified and prioritized in practice, including the role of PTaaS and how researchers can use chaining to uncover critical attack paths and guide n [...]