InfoSec Planet
A collection of diverse security content from a curated list of sources. This website also serves as a demo for "worker-planet", the software that powers it.
Bug Bounty Stream Q and A - Launch Bug Bounty Guide 2025 on 20/01/2025
Hunting Scam Popups on 20/01/2025
Stop Submitting Duplicate Bug Reports in 2025 (Bug Bounty) on 20/01/2025
Biden Signs New Cybersecurity Order on 20/01/2025
President Biden has signed a new cybersecurity order. It has a bunch of provisions, most notably using the US government's procurement power to improve cybersecurity practices industry-wide. Some details: The core of the executive order is an array of mandates for protecting government networks based on lessons learned from recent major incidents—namely, the security failures of federal cont [...]
The State Of Bug Bounties - A YesWeHack Report Reading on 20/01/2025
Considerations for Selecting the Best API Authentication Option by Ivan Novikov on 20/01/2025
Implementing API authentication is one of the most critical stages of API design and development. Properly implemented authentication protects data, user privacy, and other resources while streamlining compliance, preventing fraud, and establishing accountability. In fact, broken authentication is one of the leading causes of API-related breaches. Ultimately, by applying robust authentic [...]
Object Level access control leads to reading user's full requests, sessions, and error messages on 18/01/2025
Yelp disclosed a bug submitted by mester_x: https://hackerone.com/reports/2891449 [...]
CVE-2022-40604: Apache Airflow: Format String Vulnerability on 18/01/2025
Internet Bug Bounty disclosed a bug submitted by leixiao: https://hackerone.com/reports/1707287 - Bounty: $8000 [...]
Friday Squid Blogging: Opioid Alternatives from Squid Research on 17/01/2025
Is there nothing that squid research can’t solve? “If you’re working with an organism like squid that can edit genetic information way better than any other organism, then it makes sense that that might be useful for a therapeutic application like deadening pain,” he said. […] Researchers hope to mimic how squid and octopus use RNA editing in nerve channels that inter [...]
I Hacked Myself & Analyzed It with Sysmon on 17/01/2025
Binary Ninja Scripting with Python! on 17/01/2025
Social Engineering to Disable iMessage Protections on 17/01/2025
I am always interested in new phishing tricks, and watching them spread across the ecosystem. A few days ago I started getting phishing SMS messages with a new twist. They were standard messages about delayed packages or somesuch, with the goal of getting me to click on a link and entering some personal information into a website. But because they came from unknown phone numbers, the links did not [...]
DORA is here - are you ready? by Intigriti on 17/01/2025
Today, January 17, 2025, marks a pivotal moment for the EU financial sector as the Digital Operational Resilience Act (DORA) officially comes into effect. Designed to combat the growing threat of cyberattacks, DORA sets a new standard for cybersecurity resilience across financial institutions and their critical ICT service providers. With cyberattacks costing the financial sec… [...]
Broken Security Promises: How Human-AI Collaboration Rebuilds Developer Trust on 16/01/2025
Incorrect security UI of files' download source on brave MacOS on 16/01/2025
Brave Software disclosed a bug submitted by syarif07: https://hackerone.com/reports/2888770 [...]
RFID Fun - Arduino RFID Project - Learning Arduino on 16/01/2025
Bugcrowd Security Flash: Salt Typhoon on 16/01/2025
Chinese Innovations Spawn Wave of Toll Phishing Via SMS by BrianKrebs on 16/01/2025
Residents across the United States are being inundated with text messages purporting to come from toll road operators like E-ZPass, warning that recipients face fines if a delinquent toll fee remains unpaid. Researchers say the surge in SMS spam coincides with new features added to a popular commercial phishing kit sold in China that makes it simple to set up convincing lures spoofing toll road op [...]
Decoding Shellcode into Assembly Code - Made Easy! on 16/01/2025
OSV-SCALIBR: A library for Software Composition Analysis on 16/01/2025
Posted by Erik Varga, Vulnerability Management, and Rex Pan, Open Source Security Team. In December 2022, we announced OSV-Scanner, a tool to enable developers to easily scan for vulnerabilities in their open source dependencies. Together with the open source community, we've continued to build this tool, adding remediation features, as well as expanding ecosystem support to 11 programming languages [...]
Detection Engineering with Wazuh on 16/01/2025
FBI Deletes PlugX Malware from Thousands of Computers on 16/01/2025
According to a DOJ press release, the FBI was able to delete the Chinese-used PlugX malware from “approximately 4,258 U.S.-based computers and networks.” Details: To retrieve information from and send commands to the hacked machines, the malware connects to a command-and-control server that is operated by the hacking group. According to the FBI, at least 45,000 IP addresses in the US h [...]
Lack of Rate Limiting on Account Creation Endpoint on 16/01/2025
XVIDEOS disclosed a bug submitted by nagu123: https://hackerone.com/reports/2915502 - Bounty: $200 [...]
Open URL redirects: A complete guide to exploiting open URL redirect vulnerabilities by blackbird-eu on 16/01/2025
Open URL redirect vulnerabilities are easy to find as they are quite common in applications. This vulnerability type is also often considered a low-hanging fruit. However, as modern applications get more complex, so do the vulnerabilities. And that also makes it possible to escalate these lower-hanging fruits to higher-severity security issues. Just as we've seen how it is poss… [...]
Attacker can use any non-enabled capability on 15/01/2025
Cosmos disclosed a bug submitted by julianor: https://hackerone.com/reports/2930811 - Bounty: $2000 [...]
LIVE: Blue Team Hangout | PCAP Investigation | AMA on 15/01/2025
The State of Cybercrime [2024] on 15/01/2025
netrc and redirect credential leak on 15/01/2025
Internet Bug Bounty disclosed a bug submitted by nyymi: https://hackerone.com/reports/2894283 - Bounty: $505 [...]
Phishing False Alarm on 15/01/2025
A very security-conscious company was hit with a (presumed) massive state-actor phishing attack with gift cards, and everyone rallied to combat it—until it turned out it was company management sending the gift cards. [...]
Innovation in action: Investing in the future of bug bounty by Intigriti on 15/01/2025
In an industry where security needs evolve as rapidly as the threats themselves, standing still isn't an option. At Intigriti, our commitment to innovation goes beyond mere product development, it's about making strategic investments in solutions that truly matter to our customers and the broader security community. The voice of our customers: Shaping tomorrow's security solu… [...]
Microsoft: Happy 2025. Here's 161 Security Updates by BrianKrebs on 14/01/2025
Microsoft today unleashed updates to plug a whopping 161 security vulnerabilities in Windows and related software, including three “zero-day” weaknesses that are already under active attack. Redmond’s inaugural Patch Tuesday of 2025 bundles more fixes than the company has shipped in one go since 2017. Rapid7‘s Adam Barnett says January marks the fourth consecutive month wh [...]
Information Disclosure: .dockerignore file is publicly accessible on 14/01/2025
Flickr disclosed a bug submitted by himu_xjjj: https://hackerone.com/reports/2888001 [...]
Upcoming Speaking Engagements on 14/01/2025
This is a current list of where and when I am scheduled to speak: I'm speaking on “AI: Trust & Power” at Capricon 45 in Chicago, Illinois, USA, at 11:30 AM on February 7, 2025. I'm also signing books there on Saturday, February 8, starting at 1:45 PM. I'm speaking at Boskone 62 in Boston, Massachusetts, USA, which runs from February 14-16, 2025. I'm speaking at the Rossfest Symposium in Cambr [...]
Critical Data Breach - Big Data for all domains on 14/01/2025
Basecamp disclosed a bug submitted by shezxi: https://hackerone.com/reports/2686225 [...]
BLOB Based Phishing Scams on 14/01/2025
The First Password on the Internet on 14/01/2025
It was created in 1973 by Peter Kirstein: So from the beginning I put password protection on my gateway. This had been done in such a way that even if UK users telephoned directly into the communications computer provided by Darpa in UCL, they would require a password. In fact this was the first password on Arpanet. It proved invaluable in satisfying authorities on both sides of the Atlantic for t [...]
Blind SSRF Vulnerability in Appstore Release Upload Form on 14/01/2025
Nextcloud disclosed a bug submitted by offensiveops: https://hackerone.com/reports/2925666 [...]
WAF bypass and JavaScript incomplete handling of Unicode characters might lead to DOM XSS on 13/01/2025
Doppler disclosed a bug submitted by clubbable: https://hackerone.com/reports/2921905 [...]
Microsoft Takes Legal Action Against AI “Hacking as a Service” Scheme on 13/01/2025
Not sure this will matter in the end, but it’s a positive move: Microsoft is accusing three individuals of running a “hacking-as-a-service” scheme that was designed to allow the creation of harmful and illicit content using the company’s platform for AI-generated content. The foreign-based defendants developed tools specifically designed to bypass safety guardrails Microsof [...]
7 Overlooked recon techniques to find more vulnerabilities by blackbird-eu on 13/01/2025
Reconnaissance is an important phase in bug bounty and in pentesting in general. As every target is unique and as we often do not have access to the code base, we'd need to come up with unique methods to gather useful and accurate data about our target to help us find vulnerabilities. In this article, we will be covering 7 overlooked reconnaissance techniques that you can apply… [...]
Unauthenticated Path Traversal and Command Injection in Trellix Enterprise Security Manager 11.6.10 on 12/01/2025
Trellix disclosed a bug submitted by r4v: https://hackerone.com/reports/2817658 [...]
How 3 Hackers Combined Their Skills for Big Bounties! (And how you can do it too) on 11/01/2025
What The IDOR!? - IDORs Explained 101 on 11/01/2025
Top hackers on collaboration, crits and collecting bounty on 11/01/2025
Friday Squid Blogging: Cotton-and-Squid-Bone Sponge on 10/01/2025
News: A sponge made of cotton and squid bone that has absorbed about 99.9% of microplastics in water samples in China could provide an elusive answer to ubiquitous microplastic pollution in water across the globe, a new report suggests. […] The study tested the material in an irrigation ditch, a lake, seawater and a pond, where it removed up to 99.9% of plastic. It addressed 95%-98% of plast [...]
Learn Active Directory! on 10/01/2025
A Partial Victory for AI Researchers by Ilona Cohen on 10/01/2025
What is the Digital Millennium Copyright Act and what are the implications of its recent ruling for AI researchers? [...]
The Best FREE Tool to Secure Open Source Software on 10/01/2025
Apps That Are Spying on Your Location on 10/01/2025
404 Media and Wired are reporting on all the apps that are spying on your location, based on a hack of the location data company Gravy Analytics: The thousands of apps, included in hacked files from location data company Gravy Analytics, include everything from games like Candy Crush to dating apps like Tinder, to pregnancy tracking and religious prayer apps across both Android and iOS. Because mu [...]
Make Burp Suite your own: high-powered extensibility to customize and enhance your testing. on 10/01/2025
Extensibility in Burp Suite is about giving you and your team the power to customize, enhance, and extend Burp Suite to match your testing needs and objectives. This comprises a powerful suite of tool [...]
AI in your terminal feat. doomerhunter #bugbounty #bugbountytips #bugbountyhunter on 10/01/2025
Intigriti Bug Bytes #220 - January 2025 by blackbird-eu on 10/01/2025
Welcome to the first Bug Bytes of 2025! Each month, we team up with bug bounty experts to bring you insights, platform updates, new programs, and upcoming community events, all to help you find more bugs! Latest Platform Updates Altera, an Intel company, has officially opened its public bug bounty program on our platform! Ready to put your skills to the test and get rewarded… [...]
HackerOne Live Hacking Event Recap: Edinburgh w/ Amazon and AWS on 09/01/2025
Godot Game Used As Malware on 09/01/2025
Web cache deception [Spanish - English subtitles] on 09/01/2025
Areas of impact in #bugbounty #hack #hacker #hacks on 09/01/2025
The extension that integrates Burp with the terminal feat. doomerhunter #bugbounty #bugbountytips #b on 09/01/2025
New Course Q&A | Assembly | Andrew Bellini (DigitalAndrew) on 09/01/2025
Supercharge your vulnerability triage: Our investment in your efficiency by Intigriti on 09/01/2025
As we step into 2025, many of us are setting resolutions to improve, grow, and achieve more. At Intigriti, we're doing the same, but with a twist. Our commitment isn't just about us - it's about you. When you invest in us, we invest in you. This year, we're kicking off a blog series to showcase how we're doubling down on the areas that matter most to our customers. First up: Tr… [...]
HTTP Parameter Pollution - Bug Bounties Overlooked Opportunities on 08/01/2025
GitLab's First Critical SSRF since 2020 on 08/01/2025
Effective API Throttling for Enhanced API Security by Raymond Kirk on 08/01/2025
APIs are the backbone of modern digital ecosystems, but their misuse can expose systems to cyber threats. Effective API throttling not only optimizes performance but also acts as a critical defense mechanism against abuse, such as denial-of-service attacks. Discover how this powerful strategy enhances API security and safeguards your organization's data in an interconnected world. What i [...]
Yet Another OTP code Leaked in the API Response on 08/01/2025
MTN Group disclosed a bug submitted by tinopreter: https://hackerone.com/reports/2635315 [...]
SQL injection in URL path leads to Database Access on 08/01/2025
MTN Group disclosed a bug submitted by tinopreter: https://hackerone.com/reports/2633959 [...]
OTP code Leaked in API Response on 08/01/2025
MTN Group disclosed a bug submitted by tinopreter: https://hackerone.com/reports/2633888 [...]
Denial of Access to Static Resources via Cache Poisoning on addons.allizom.org on 08/01/2025
Mozilla disclosed a bug submitted by jabiyev: https://hackerone.com/reports/2860983 [...]
A Day in the Life of a Prolific Voice Phishing Crew by BrianKrebs on 07/01/2025
Besieged by scammers seeking to phish user accounts over the telephone, Apple and Google frequently caution that they will never reach out unbidden to users this way. However, new details about the internal operations of a prolific voice phishing gang show the group routinely abuses legitimate services at Apple and Google to force a variety of outbound communications to their users, including emai [...]
How to win competing with hundreds of hunters? feat. doomerhunter #bugbounty #bugbountytips #bugbou on 07/01/2025
What The Cheese Is Mutation XSS? mXSS - One Of The Newest Techniques In XSS on 07/01/2025
ROI Isn't Cutting It: 6 Questions to Help CISOs Better Quantify Security Investments by Naz Bozdemir on 07/01/2025
Why ROI is not the most effective method to quantify cybersecurity investments, and how ROM can help. [...]
Bypass Email Verification on Add Email Monitoring on 07/01/2025
Mozilla disclosed a bug submitted by dotxml: https://hackerone.com/reports/2387297 [...]
Microagents to help you bug hunting feat. doomerhunter #bugbounty #bugbountytips #bugbountyhunter on 07/01/2025
HackerOne Customer Testimonial: Amazon and AWS on 06/01/2025
I was just awarded $100,000 for hacking into Facebook! #bugbounty #hacking #pentest on 06/01/2025
How to uncover hidden attack surface feat. doomerhunter #bugbounty #bugbountytips #bugbountyhunter on 06/01/2025
Can you get bounties for DoS bugs? feat. doomerhunter #bugbounty #bugbountytips #bugbountyhunter on 04/01/2025
Hunting for blind XSS vulnerabilities: A complete guide by blackbird-eu on 04/01/2025
Cross-site scripting (XSS) vulnerabilities are quite common and fun to find. They also carry great impact when chained with other vulnerabilities. But there's another variant of this vulnerability type that's not as easy or common to find as the other XSS types. Especially with the delayed execution and the hidden injection point, it makes it difficult for most hunters to searc… [...]
Achieving Your Goals in 2025 on 03/01/2025
You should spend more time fuzzing feat. doomerhunter #bugbounty #bugbountytips #bugbountyhunter on 03/01/2025
A pizza ba….RAT?!?? on 01/01/2025
Mastering File Layers: Unlocking Payload Secrets on 01/01/2025
Spying on Scammers on 31/12/2024
Creating a Secure Password Archive: Step-by-Step Guide on 31/12/2024
Revolutionary Tool to Combat Session Hijacking Risks on 31/12/2024
U.S. Army Soldier Arrested in AT&T, Verizon Extortions by BrianKrebs on 31/12/2024
Federal authorities have arrested and indicted a 20-year-old U.S. Army soldier on suspicion of being Kiberphant0m, a cybercriminal who has been selling and leaking sensitive customer call records stolen earlier this year from AT&T and Verizon. As first reported by KrebsOnSecurity last month, the accused is a communications specialist who was recently stationed in South Korea. One of several se [...]
Apache Airflow: Sensitive Information Exposure in DAG Run Logs on 30/12/2024
Internet Bug Bounty disclosed a bug submitted by saurabhb: https://hackerone.com/reports/2828271 [...]
Secrets not masked in UI when sensitive variables are set via Airflow cli on 30/12/2024
Internet Bug Bounty disclosed a bug submitted by saurabhb: https://hackerone.com/reports/2828263 [...]
Uncovering GNU vs. BusyBox TAR: The Hidden Tricks on 30/12/2024
Unlocking Your Browser: Secure Your Saved Passwords Today on 30/12/2024
Happy 15th Anniversary, KrebsOnSecurity! by BrianKrebs on 29/12/2024
Image: Shutterstock, Dreamansions. KrebsOnSecurity.com turns 15 years old today! Maybe it’s indelicate to celebrate the birthday of a cybercrime blog that mostly publishes bad news, but happily many of 2024’s most engrossing security stories were about bad things happening to bad guys. It’s also an occasion to note that despite my publishing fewer stories than ever this past year [...]
Understanding Docker Changes: OCI Format Explained on 29/12/2024
Lack of URL Validation in avatarUrl at /v4/profile on 28/12/2024
Truecaller disclosed a bug submitted by marcotuliocnd: https://hackerone.com/reports/2493860 - Bounty: $500 [...]
[oem.acronis.com] Reflected Cross Site Scripting on 28/12/2024
Acronis disclosed a bug submitted by darkdream: https://hackerone.com/reports/2038943 - Bounty: $100 [...]
Cookie Jar Overflows Explained on 27/12/2024
A potential risk in the aws-lambda-ecs-run-task which can be used for privilege escalation on 27/12/2024
AWS VDP disclosed a bug submitted by zolaer9527: https://hackerone.com/reports/2894222 [...]
This one-of-a-kind Kanguru flash drive has a hardware read-only switch on 27/12/2024
Hackers Attack Curl Vulnerability Accessing Sensitive Information on 27/12/2024
curl disclosed a bug submitted by scottarterbury: https://hackerone.com/reports/2912277 [...]
DOM Based Reflected Cross Site Scripting on 25/12/2024
MTN Group disclosed a bug submitted by nhx1: https://hackerone.com/reports/2321874 [...]