InfoSec Planet

A collection of diverse security content from a curated list of sources. This website also serves as a demo for "worker-planet", the software that powers it.

Friday Squid Blogging: The Giant Squid Nebula

on 18/07/2025

Beautiful photo. Difficult to capture, this mysterious, squid-shaped interstellar cloud spans nearly three full moons in planet Earth’s sky. Discovered in 2011 by French astro-imager Nicolas Outters, the Squid Nebula’s bipolar shape is distinguished here by the telltale blue emission from doubly ionized oxygen atoms. Though apparently surrounded by the reddish hydrogen emission region [...]

API Key Exposed in JavaScript File on 1Password Developer Site

on 18/07/2025

1Password - Enterprise Password Manager disclosed a bug submitted by sudosu001: https://hackerone.com/reports/2923061 [...]

Side Projects for Cybersecurity Roles

on 18/07/2025

My New Hacking Labs - A (R)Evolution In Education

on 18/07/2025

how hackers hide (Intro to Beacon Object Files - with Empire C2!)

on 18/07/2025

New Mobile Phone Forensics Tool

on 18/07/2025

The Chinese have a new tool called Massistant. Massistant is the presumed successor to Chinese forensics tool, “MFSocket”, reported in 2019 and attributed to publicly traded cybersecurity company, Meiya Pico. The forensics tool works in tandem with a corresponding desktop software. Massistant gains access to device GPS location data, SMS messages, images, audio, contacts and phone se [...]

Building secure messaging is hard: A nuanced take on the Bitchat security debate

on 18/07/2025

The release of Bitchat last week was met with a mixture of glowing praise and sharp criticism. Both extremes bear some truth, but they also miss the mark and reveal gaps in how we discuss security in emerging products. [...]

Poor Passwords Tattle on AI Hiring Bot Maker Paradox.ai

by BrianKrebs on 18/07/2025

Security researchers recently revealed that the personal information of millions of people who applied for jobs at McDonald’s was exposed after they guessed the password (“123456”) for the fast food chain’s account at Paradox.ai, a company that makes artificial intelligence based hiring chatbots used by many Fortune 500 firms. Paradox.ai said the security oversight was an i [...]

Red Team vs. Blue Team: Which is Better?

on 17/07/2025

Account takeover of existing HackerOne accounts through SCIM provisioning

on 17/07/2025

HackerOne disclosed a bug submitted by boy_child_: https://hackerone.com/reports/3178999 [...]

BBGMA - Full Bug Bounty Guide - P2 - Starting to exploit

on 17/07/2025

Security Vulnerabilities in ICEBlock

on 17/07/2025

The ICEBlock tool has vulnerabilities: The developer of ICEBlock, an iOS app for anonymously reporting sightings of US Immigration and Customs Enforcement (ICE) officials, promises that it “ensures user privacy by storing no personal data.” But that claim has come under scrutiny. ICEBlock creator Joshua Aaron has been accused of making false promises regarding user anonymity and privac [...]

Fail-Open Architecture for Secure Inline Protection on Azure

by Tim Erlin on 17/07/2025

Every inline deployment introduces a tradeoff: enhanced inspection versus increased risk of downtime. Inline protection is important, especially for APIs, which are now the most targeted attack surface, but so is consistent uptime and performance. This is where a fail-open architecture comes in.  This Wallarm How-To blog outlines how to deploy Wallarm’s Security Edge platform on Azure usi [...]

Reflected XSS in "Cost Tracker" Notes Field

on 17/07/2025

MainWP disclosed a bug submitted by rishail01: https://hackerone.com/reports/3185205 - Bounty: $50 [...]

Reflected XSS in "Manage Tags" Notes Field

on 17/07/2025

MainWP disclosed a bug submitted by rishail01: https://hackerone.com/reports/3181803 - Bounty: $50 [...]

Reflected XSS in "Create Category" Functionality of Post Creation Module

on 17/07/2025

MainWP disclosed a bug submitted by rishail01: https://hackerone.com/reports/3179138 - Bounty: $50 [...]

Stored Cross-Site Scripting (XSS) in "Add Contact" Name Field MainWP Plugin

on 17/07/2025

MainWP disclosed a bug submitted by rishail01: https://hackerone.com/reports/3176981 - Bounty: $50 [...]

Live: APT Intrusion Hunting | Cybersecurity | TryHackMe

on 16/07/2025

Hacking Trains

on 16/07/2025

Seems like an old system that predates any care about security: The flaw has to do with the protocol used in a train system known as the End-of-Train and Head-of-Train. A Flashing Rear End Device (FRED), also known as an End-of-Train (EOT) device, is attached to the back of a train and sends data via radio signals to a corresponding device in the locomotive called the Head-of-Train (HOT). C [...]

exposure of personal IP address via email.

on 16/07/2025

Weblate disclosed a bug submitted by micael1: https://hackerone.com/reports/3179850 [...]

I SPy: Escalating to Entra ID's Global Admin with a first-party app

on 16/07/2025

Backdooring Microsoft's applications is far from over. Adding service principal credentials to these apps to escalate privileges and obfuscate activities has been seen in nation-state attacks, and led to the development of new security controls. Despite these efforts, we uncovered a vulnerable, built-in SP that could have allowed escalation from Application Administrator to any hybrid tenant user, [...]

HashDoS in V8

on 15/07/2025

Node.js disclosed a bug submitted by sharp_edged: https://hackerone.com/reports/3131758 [...]

Windows Device Names (CON, PRN, AUX) Bypass Path Traversal Protection in path.normalize()

on 15/07/2025

Node.js disclosed a bug submitted by oblivionsage: https://hackerone.com/reports/3160912 [...]

mkfifo Reverse Shell Explained

on 15/07/2025

DOGE Denizen Marko Elez Leaked API Key for xAI

by BrianKrebs on 15/07/2025

Marko Elez, a 25-year-old employee at Elon Musk’s Department of Government Efficiency (DOGE), has been granted access to sensitive databases at the U.S. Social Security Administration, the Treasury and Justice departments, and the Department of Homeland Security. So it should fill all Americans with a deep sense of confidence to learn that Mr. Elez over the weekend inadvertently published a [...]

How security leaders are scaling testing with bug bounty programs

by Eleanor Barlow on 15/07/2025

For security leaders protecting fast-growing organizations, the pressure is on to identify vulnerabilities before threat actors do. Continuously testing environments, cost-effectively and at scale, is a significant challenge.   This is where bug bounty programs are reshaping the security landscape for CISOs, IT directors, and product security leads. If you are ready to move bey… [...]

Banned user still has access to their deleted account via HackerOne's API using their API key

on 14/07/2025

HackerOne disclosed a bug submitted by mrmax4o4: https://hackerone.com/reports/1577940 [...]

Report from the Cambridge Cybercrime Conference

on 14/07/2025

The Cambridge Cybercrime Conference was held on 23 June. Summaries of the presentations are here. [...]

Is Pentest Tools com worth it in 2025

on 14/07/2025

This Tiny JWT Mistake = Massive Bug Bounty

on 14/07/2025

Watch the on-demand webinar: Shift left without the strain

on 14/07/2025

Shifting security left promises faster, safer software delivery - but for many teams, that promise is undercut by painful scan performance, false positives, and pipeline friction. In our recent webina [...]

Disk Space Exhaustion leading to a Denial of Service (DoS)

on 14/07/2025

curl disclosed a bug submitted by tryhackplanet: https://hackerone.com/reports/3250490 [...]

Not a Vuln: Race Condition Allows Creation of Multiple Organizations with the Same Name

on 14/07/2025

WakaTime disclosed a bug submitted by ctrl_cipher: https://hackerone.com/reports/3248712 [...]

Intigriti teams with NVIDIA to launch bug bounty and vulnerability disclosure program (VDP)

by Eleanor Barlow on 14/07/2025

Innovating cyber defense by tapping global expertise. With an expanding threat landscape, a surge in AI-driven products, and a commitment to innovation, NVIDIA is enhancing cybersecurity with a proactive approach by tapping into the global security researcher community. The Intigriti community includes over 125,000 ethical hackers, equipped to test mission-critical AI infrastruc… [...]

Kubernetes security fundamentals: PKI

on 14/07/2025

A look at how PKI configuration in Kubernetes clusters works [...]

Uncontrolled File Write/Arbitrary File Creation

on 13/07/2025

curl disclosed a bug submitted by tryhackplanet: https://hackerone.com/reports/3250117 [...]

Reflected XSS in "Client Notes" Field

on 13/07/2025

MainWP disclosed a bug submitted by rishail01: https://hackerone.com/reports/3181802 - Bounty: $50 [...]

Unwinding 😍

on 13/07/2025

HTTP Request Smuggling Vulnerability Analysis - cURL Security Report

on 13/07/2025

curl disclosed a bug submitted by youssef111: https://hackerone.com/reports/3249936 [...]

GitHub dorking for beginners: How to find more vulnerabilities using GitHub search

by blackbird-eu on 13/07/2025

Bug bounty hunters who spend time in content discovery and reconnaissance are always rewarded well for their efforts, as they often come across untested and hidden assets or endpoints. GitHub dorking is another way to leverage public search engines to discover hidden assets, endpoints and even secrets to increase your chances of finding vulnerabilities. This article is a guide … [...]

Leaked reused password for a few Khan Academy users

on 12/07/2025

Khan Academy disclosed a bug submitted by a0xtrojan: https://hackerone.com/reports/3099978 [...]

Squid Dominated the Oceans in the Late Cretaceous

on 11/07/2025

New research: One reason the early years of squids has been such a mystery is because squids’ lack of hard shells made their fossils hard to come by. Undeterred, the team instead focused on finding ancient squid beaks—hard mouthparts with high fossilization potential that could help the team figure out how squids evolved. With that in mind, the team developed an advanced fossil discove [...]

Tradecraft in the Information Age

on 11/07/2025

Long article on the difficulty (impossibility?) of human spying in the age of ubiquitous digital surveillance. [...]

How to Study for Cybersecurity (Even When You're Busy!)

on 11/07/2025

how hackers avoid getting caught

on 11/07/2025

Default Minimum TLS Version Set to TLS v1.0 (Cryptographic Weakness)

on 10/07/2025

curl disclosed a bug submitted by monkey_dee: https://hackerone.com/reports/3246519 [...]

BBGMA - Full Bug Bounty Guide - P1 - Explorations and enum

on 10/07/2025

Build a Bjorn in 3 Minutes!

on 10/07/2025

UK Arrests Four in ‘Scattered Spider’ Ransom Group

by BrianKrebs on 10/07/2025

Authorities in the United Kingdom this week arrested four people aged 17 to 20 in connection with recent data theft and extortion attacks against the retailers Marks & Spencer and Harrods, and the British food retailer Co-op Group. The breaches have been linked to a prolific but loosely-affiliated cybercrime group dubbed “Scattered Spider,” whose other recent victims include multip [...]

Using Signal Groups for Activism

on 10/07/2025

Good tutorial by Micah Lee. It includes some nonobvious use cases. [...]

Understanding the NCSC’s New API Security Guidance

by Tim Erlin on 10/07/2025

Legislative, regulatory, and advisory bodies the world over are waking up to the importance of API security. Most recently, the UK’s National Cyber Security Centre (NCSC) has published detailed guidance on best practices for building and maintaining secure APIs. In this blog, we’ll break down that guidance and explore how Wallarm’s platform can help you align with each one.  Inside the NC [...]

Preventing the growing costs of repeat and duplicate bug bounty submissions

by Eleanor Barlow on 10/07/2025

What are duplicate submissions? Within the bug bounty industry, duplicate submissions refer to when two or more researchers report the same issue or vulnerability. When a researcher, who works with a bug bounty platform, identifies a vulnerability, they submit a report to the platform, such as Intigriti, where it is reviewed. If the issue has already been reported, then it is m… [...]

CVE-2025-48384: Git vulnerable to arbitrary file write on non-Windows systems

on 10/07/2025

Learn more about the emerging vulnerability affecting Git. [...]

LIVE: Web Hacking | Pentesting | AppSec | Cybersecurity | TryHackme | AMA

on 09/07/2025

Use-After-Free in OpenSSL Keylog Callback via SSL_get_ex_data() in libcurl

on 09/07/2025

curl disclosed a bug submitted by brobagazzzx: https://hackerone.com/reports/3242005 [...]

Yet Another Strava Privacy Leak

on 09/07/2025

This time it’s the Swedish prime minister’s bodyguards. (Last year, it was the US Secret Service and Emmanuel Macron’s bodyguards. In 2018, it was secret US military bases.) This is ridiculous. Why do people continue to make their data public? [...]

Arbitrary File Read via file:// Protocol in cURL

on 09/07/2025

curl disclosed a bug submitted by mr_tufan: https://hackerone.com/reports/3242087 [...]

Microsoft Patch Tuesday, July 2025 Edition

by BrianKrebs on 09/07/2025

Microsoft today released updates to fix at least 137 security vulnerabilities in its Windows operating systems and supported software. None of the weaknesses addressed this month are known to be actively exploited, but 14 of the flaws earned Microsoft’s most-dire “critical” rating, meaning they could be exploited to seize control over vulnerable Windows PCs with little or no help [...]

Chain Vulnerability lead to Full Control Group Live Accounts & Undeletable Creator

on 08/07/2025

TikTok disclosed a bug submitted by eneri: https://hackerone.com/reports/3027478 [...]

ReDoS in IPAddr

on 08/07/2025

Ruby disclosed a bug submitted by ooooooo_q: https://hackerone.com/reports/1485717 [...]

ReDoS in Psych

on 08/07/2025

Ruby disclosed a bug submitted by ooooooo_q: https://hackerone.com/reports/1487889 [...]

Learn Google Dorking!

on 08/07/2025

access notes without permission

on 08/07/2025

curl disclosed a bug submitted by haydradz: https://hackerone.com/reports/3241304 [...]

Disclosure of email addresses

on 08/07/2025

curl disclosed a bug submitted by haydradz: https://hackerone.com/reports/3241308 [...]

Clear Authentication Deficiencies & Potential for Man-in-the-Middle Attacks

on 08/07/2025

Sony disclosed a bug submitted by trapedev: https://hackerone.com/reports/2642615 [...]

Advancing Protection in Chrome on Android

on 08/07/2025

Posted by David Adrian, Javier Castro & Peter Kotwicz, Chrome Security Team. Android recently announced Advanced Protection, which extends Google’s Advanced Protection Program to a device-level security setting for Android users that need heightened security—such as journalists, elected officials, and public figures. Advanced Protection gives you the ability to activate Google’s strongest sec [...]

Information disclosure identified on IBM endpoint.

on 08/07/2025

IBM disclosed a bug submitted by devire: https://hackerone.com/reports/2402842 [...]

CSRF at Network feature

on 08/07/2025

Lichess disclosed a bug submitted by psfauzi: https://hackerone.com/reports/3230359 [...]

Are CTFs Actually Good for Learning Cybersecurity Skills?

on 08/07/2025

Inside the AI Threat Landscape: From Jailbreaks to Prompt Injections and Agentic AI Risks

by Tim Erlin on 08/07/2025

AI has officially moved out of the novelty phase. What began with people messing around with LLM-powered GenAI tools for content creation has rapidly evolved into a complex web of agentic AI systems that form a critical part of the modern corporate landscape. However, this transformation has given new life to old threats, transforming the API security landscape all over again.  I recently sat [...]

Investigate your dependencies with Deptective

on 08/07/2025

Deptective, our new open-source tool, automatically finds the packages needed to install software dependencies. It does so not based on the software’s self-reported requirements, but by observing what the software needs at runtime. [...]

PortSwigger at Black Hat & DEF CON 33

on 08/07/2025

Las Vegas. August. Protocols are getting torn apart. This summer, PortSwigger returns to Black Hat USA and DEF CON 33 with a host of new talks, events and ways to meet PortSwigger and the teams be [...]

Hiding Prompt Injections in Academic Papers

on 07/07/2025

Academic papers were found to contain hidden instructions to LLMs: It discovered such prompts in 17 articles, whose lead authors are affiliated with 14 institutions including Japan’s Waseda University, South Korea’s KAIST, China’s Peking University and the National University of Singapore, as well as the University of Washington and Columbia University in the U.S. Most of the pap [...]

curl --continue-at confusion

on 07/07/2025

curl disclosed a bug submitted by nyymi: https://hackerone.com/reports/2859735 [...]

Information Disclosure at : https://curl.se/.mailmap

on 07/07/2025

curl disclosed a bug submitted by haithamzakaria: https://hackerone.com/reports/2853023 [...]

information disclosure

on 07/07/2025

curl disclosed a bug submitted by rono_07: https://hackerone.com/reports/2841436 [...]

netrc crlf injection

on 07/07/2025

curl disclosed a bug submitted by nyymi: https://hackerone.com/reports/2831558 [...]

curl mishandles `%0c%0b` sequences in HTTP responses leading to CRLF confusions, Headers and Cookies Injection

on 07/07/2025

curl disclosed a bug submitted by mdakh404: https://hackerone.com/reports/2861797 [...]

Arbitrary File Deletion Vulnerability in curl Source Code via os.unlink()

on 07/07/2025

curl disclosed a bug submitted by aadityaathehacker: https://hackerone.com/reports/2864414 [...]

-H with space prefix leads to previous header injection when used with --proxy

on 07/07/2025

curl disclosed a bug submitted by spongebhav: https://hackerone.com/reports/2864859 [...]

OS Command Injection (subprocess Module Usage)

on 07/07/2025

curl disclosed a bug submitted by bulter: https://hackerone.com/reports/2904921 [...]

Git repository found

on 07/07/2025

curl disclosed a bug submitted by tefa_: https://hackerone.com/reports/2915426 [...]

Integer Overflow Risk in HTTP/2 Proxy Window Size Calculations

on 07/07/2025

curl disclosed a bug submitted by extramayoextracheeseextrafries: https://hackerone.com/reports/3238249 [...]

[MK8DX] Improper ranking/replay file parsing

on 06/07/2025

Nintendo disclosed a bug submitted by crazy_man123: https://hackerone.com/reports/1813453 [...]

TLS Cipher Misconfiguration in HTTP/3/QUIC Support

on 06/07/2025

curl disclosed a bug submitted by zzq1015: https://hackerone.com/reports/2981303 [...]

Reverse Engineering Anti-Debugging Techniques (with Nathan Baggs!)

on 05/07/2025

Build a Structured Threat Hunting Methodology

on 04/07/2025

CRLF injection in libcurl's SMTP client via --mail-from and --mail-rcpt allows SMTP command smuggling

on 03/07/2025

curl disclosed a bug submitted by skrcprst: https://hackerone.com/reports/3235428 [...]

HackerOne Leading AI Agent ... Should We Be Worried?

on 03/07/2025

Inside Axis’s Approach to Cybersecurity with Bugcrowd

on 03/07/2025

Big Tech’s Mixed Response to U.S. Treasury Sanctions

by BrianKrebs on 03/07/2025

In May 2025, the U.S. government sanctioned a Chinese national for operating a cloud provider linked to the majority of virtual currency investment scam websites reported to the FBI. But a new report finds the accused continues to operate a slew of established accounts at American tech companies — including Facebook, Github, PayPal and Twitter/X. On May 29, the U.S. Department of the Treasur [...]

MozillaVPN: Elevation of Privilege via a Logic Vulnerability

on 03/07/2025

Mozilla disclosed a bug submitted by northsea: https://hackerone.com/reports/2686750 [...]

MozillaVPN: Elevation of Privilege via a Race Condition Vulnerability

on 03/07/2025

Mozilla disclosed a bug submitted by northsea: https://hackerone.com/reports/2261577 [...]

Subdomain takeover on live.firefox.com

on 03/07/2025

Mozilla disclosed a bug submitted by martinvw: https://hackerone.com/reports/2899858 - Bounty: $500 [...]

What CISA’s BOD 25-01 Means for API Security and How Wallarm Can Help

by Tim Erlin on 03/07/2025

The US government has taken another significant step towards strengthening cloud security with the release of CISA’s Binding Operational Directive (BOD) 25-01. Aimed at improving the security posture of federal cloud environments, BOD 25-01 mandates robust configuration, visibility, and control across cloud-based services. While the directive doesn’t explicitly name API security, securing mo [...]

curl doesn't hide credentials in /proc/XXX/cmdline provided via CLI arguments

on 03/07/2025

curl disclosed a bug submitted by stogusho: https://hackerone.com/reports/3000639 [...]

Elevation of Privileges (EoP) vulnerabilities related to the some easy_options on Windows

on 03/07/2025

curl disclosed a bug submitted by justlikebono_official: https://hackerone.com/reports/2941920 [...]

Authorization Header Leak via --location-trusted in Curl

on 03/07/2025

curl disclosed a bug submitted by voggerloops: https://hackerone.com/reports/2946924 [...]

LIVE: Memory Forensics | Cybersecurity | Blue Team

on 03/07/2025

this malware hides in a WALLPAPER

on 02/07/2025

Sources

The content of this page is fetched from the following sources:

  1. Datadog Security Labs
  2. The Trail of Bits Blog
  3. Phylum Research | Software Supply Chain Security
  4. Schneier on Security
  5. Krebs on Security
  6. Google Online Security Blog
  7. $BLOG_TITLE
  8. Agarri : Sécurité informatique offensive
  9. Alex Chapman's Blog
  10. www.alphabot.com
  11. ziot
  12. Bug Bounty Reports Explained
  13. Bugcrowd
  14. cat ~/footstep.ninja/blog.txt
  15. Ezequiel Pereira
  16. HackerOne
  17. surajdisoja.me
  18. InsiderPhD
  19. Intigriti
  20. John Hammond
  21. LiveOverflow
  22. NahamSec
  23. PortSwigger Blog
  24. Rana Khalil
  25. Richard’s Infosec blog
  26. Ron Chan
  27. ropnop blog
  28. STÖK
  29. Sun Knudsen
  30. The Cyber Mentor
  31. The unofficial HackerOne disclosure timeline
  32. HackerRats (XSS Rat)
  33. TomNomNom
  34. Wallarm