Kiro IDE Stores Auth Tokens with World-Readable Permissions (0644) on 09/07/2026
AWS VDP disclosed a bug submitted by mistercloudsec: https://hackerone.com/reports/3630605 [...]
AWS VDP disclosed a bug submitted by mistercloudsec: https://hackerone.com/reports/3630605 [...]
Because of the way they are trained, large language models capture only a slice of human language. They’re trained on the written word, from textbooks to social media posts, and our speech as captured in movies and on television. These models have minimal access to the unscripted conversations we have face to face or voice to voice. This is the vast majority of speech, and a vital component [...]
First hand of the week: Find us at BSides Workshop: Burp But Yours, with Hannah and Tib3rius Center stage: Visit us at Black Hat USA - Booth 5342 Lightning talks at the booth Catch our researchers' br [...]
A cybersecurity startup dangling millions of dollars to acquire zero-day security vulnerabilities in popular software is run by a pair of far-right conspiracy theorists and convicted felons whose most recent ventures included fake intelligence companies and a now-defunct AI-based lobbying platform they operated under assumed names. The X/Twitter account IRIS C2 (@C2IRIS) has gained more than 4,000 [...]
Last week, national security agencies from the Five Eyes—that’s the rich, English-language-speaking countries club—jointly released a statement warning of the increasing cyber risks of AI models: in particular, their ability to autonomously hack into systems and networks. The statement was more measured than some of the breathless headlines about it, and the advice they gave is p [...]
In April we released Mewt, our open-source mutation-testing engine that finds the gaps in your test suite. Today we’re expanding it with support for DAML, the language Canton Network applications are written in. Mewt now reads DAML, generates several classes of mutants (including two built for DAML’s authorization primitives), and runs them through your existing test suite to count how many [...]
Datadog Security Research has tracked multiple coordinated campaigns enumerating GitHub organizations, repositories, and users through the public GitHub API, abusing leaked access tokens, and cloning private repositories. [...]
Not sure this will have any effect, but I support the effort: According to Google’s legal filing, Outsider Enterprise operates through Telegram. The group offers phishing-as-a-service to individuals who may not be technically savvy enough to set up fraudulent websites and text campaigns on their own. In its Telegram channels, Outsider Enterprise reportedly provided instructions on how to use [...]
AWS VDP disclosed a bug submitted by kaporia: https://hackerone.com/reports/3637898 [...]
France is accelerating its transition to post-quantum encryption: France’s cybersecurity agency ANSSI said on Tuesday it would stop certifying security products that lack quantum-resistant encryption, a move that will force government bodies and critical operators to shift away from older systems. Samih Souissi, ANSSI’s chief of staff, said at the France Quantum conference that the age [...]
This post continues and concludes our series on Agent ID, by outlining steps that an administrator or security team can take to secure blueprints and agent identities created in their local Entra ID tenant. [...]
Basecamp disclosed a bug submitted by zerodaysec_xyz: https://hackerone.com/reports/3764217 - Bounty: $287 [...]
Shopify disclosed a bug submitted by abahack: https://hackerone.com/reports/3628961 [...]
This is from a 2024 company presentation: Officers can also tap into data showing a car’s decals, bumper stickers, back and top racks—along with temporary and unique state tags. Flock calls it a “Vehicle Fingerprint” and it’s touted as a way for law enforcement officials to get more information “even when you don’t have full plate information,” the c [...]
The Federal Bureau of Investigation (FBI) said today it worked with industry partners to seize hundreds of domains associated with NetNut, a sprawling residential proxy service operated by the publicly-traded Israeli company Alarum Technologies [NASDAQ: ALAR]. The action comes roughly two weeks after KrebsOnSecurity published findings from multiple security firms connecting NetNut to the Popa botn [...]
AWS VDP disclosed a bug submitted by nick_frichette_dd: https://hackerone.com/reports/3780277 [...]
8x8 disclosed a bug submitted by pmgjoe: https://hackerone.com/reports/3789570 - Bounty: $100 [...]
8x8 disclosed a bug submitted by r1skr1der: https://hackerone.com/reports/3485343 - Bounty: $100 [...]
Yelp disclosed a bug submitted by 0xmanticore: https://hackerone.com/reports/3766455 [...]
Interesting paper: “Cybersecurity Mission Creep.” Abstract: Cybersecurity is experiencing mission creep. Policymakers are casting more and more problems as issues of cybersecurity. So reframed, wildly different policy issues, from misinformation, to child social media safety laws, to antitrust regulations, to alleged journalist misconduct, to anti-sex trafficking statutes become what t [...]
We’re running Patch the Planet, an ongoing collaboration with OpenAI that pairs Trail of Bits engineers directly with more than 30 open-source projects. Its goal is to front-run a serious problem facing open-source maintainers: highly capable models like GPT-5.5-Cyber will soon create a firehose of bug reports, and OSS maintainers are already spread thin. Our plan is to point OpenAI’s latest model [...]
Nintendo disclosed a bug submitted by hana2736: https://hackerone.com/reports/3559522 [...]
Nintendo disclosed a bug submitted by alzxk11: https://hackerone.com/reports/3813932 [...]
SingleStore disclosed a bug submitted by bl4ck-: https://hackerone.com/reports/3295500 [...]
SingleStore disclosed a bug submitted by bl4ck-: https://hackerone.com/reports/3353057 [...]
SingleStore disclosed a bug submitted by bl4ck-: https://hackerone.com/reports/3353035 [...]
SingleStore disclosed a bug submitted by bl4ck-: https://hackerone.com/reports/3353000 [...]
Node.js disclosed a bug submitted by saif-01: https://hackerone.com/reports/3648681 [...]
Papa Johns is spying on people’s buying activities to predict when they are low on food: The pizza chain recently tapped NBCUniversal, Instacart and the dentsu-owned media agency Carat for help reaching consumers when they’re low on groceries—and thus more likely to be swayed by a mouth-watering ad. The idea is to reach hungry consumers by “knowing what is in their fridge w [...]
Sharing new scenarios and adaptations to play the Datadog expansion pack of Backdoors & Breaches. [...]
curl disclosed a bug submitted by carehi1324: https://hackerone.com/reports/3833577 [...]
The Financial Times has a good article on how AI is changing the capabilities of video surveillance, with information from both Israel/Iran and Russia. I wrote about this sort of thing a few years ago, how AI enables mass spying in the way that computers and networks enabled mass surveillance. The interesting development in the article is that AI allows people to ask natural language questions abo [...]
curl disclosed a bug submitted by a6b30108: https://hackerone.com/reports/3831432 [...]
Post-quantum cryptography is now one pip-install away for the entire Python ecosystem. With funding from the Sovereign Tech Agency, we implemented support for ML-KEM, the NIST-standard key-establishment primitive, and ML-DSA, the NIST-standard digital-signature primitive, in pyca/cryptography. On June 22, 2026, the White House ordered the U.S. government to accelerate its transition to post-quantu [...]
curl disclosed a bug submitted by bigtang: https://hackerone.com/reports/3826843 [...]
curl disclosed a bug submitted by smaeljaish771: https://hackerone.com/reports/3831345 [...]
curl disclosed a bug submitted by th3hound: https://hackerone.com/reports/3832393 [...]
Discourse disclosed a bug submitted by dpaysm: https://hackerone.com/reports/3400140 - Bounty: $1024 [...]
Monero disclosed a bug submitted by kklam32: https://hackerone.com/reports/3547349 [...]
Monero disclosed a bug submitted by xnbya: https://hackerone.com/reports/876530 [...]
Interesting research on a new class of weak RSA keys: keys with lots of zeros. It turns out that these keys are out in the wild. The badkeys project is an open-source service that checks public keys for known vulnerabilities. While developing this tool, Hanno collected a massive number of real-world keys from public sources, including Certificate Transparency logs, internet-wide TLS and SSH scans, [...]
We’ve taken one small step towards robot police officers: a drone capable of disarming a suspect: In a June 22 video posted on the Sacramento County Sheriff’s Office’s Instagram page, an officer wearing goggles can be seen operating a drone to retrieve a knife from an armed suspect hiding inside a cluttered house. “After not responding to negotiators, a drone was deployed inside the re [...]
Over the last few weeks, we’ve explored what AI is changing in security: discovery is faster (Vulnpocalypse now?), volume is higher (Common AI misconceptions debugged!), and the human layer triage (The AI Impact), judgment, and prioritization has become more important, not less (CEO Insights). But there’s a deeper implication hiding underneath all of that: most security teams still only learn from [...]
curl disclosed a bug submitted by homanp: https://hackerone.com/reports/3824303 [...]
curl disclosed a bug submitted by stze: https://hackerone.com/reports/3823985 [...]
Cookies are one of the most fundamental building blocks of the modern web, and yet they are often overlooked from a security perspective. When misconfigured, they can potentially lead to exposure of sensitive session data, enable several client-side attacks, and in severe cases, even allow attackers to impersonate users completely. In this article, we'll explore what cookies are, how they work and [...]
curl disclosed a bug submitted by b1gtang: https://hackerone.com/reports/3826199 [...]
curl disclosed a bug submitted by tneelc: https://hackerone.com/reports/3823932 [...]
Hi hackers, Welcome to the latest edition of Bug Bytes! In this month's issue, we are featuring: A 10-year-old pre-auth RCE in phpBB Earning $500K hacking Google with AI Reading any Salesforce Marketing Cloud account's emails New DOMPurify sanitizer bypass Mapping abandoned S3 buckets to redo SolarWinds at scale And so much more! Let's dive in! Using AI the smart way: interview with Cristian [...]
Release of GuardDog 3.0, an open-source tool to identify malicious packages, featuring a new YARA-based rules engine, a risk scoring engine, and built-in sandboxing. [...]
Revive Adserver disclosed a bug submitted by doomtech: https://hackerone.com/reports/3781492 [...]
Revive Adserver disclosed a bug submitted by garuthacktvist: https://hackerone.com/reports/3783738 [...]
Revive Adserver disclosed a bug submitted by kanon4: https://hackerone.com/reports/3780806 [...]
Revive Adserver disclosed a bug submitted by riodrwn: https://hackerone.com/reports/3780854 [...]
Revive Adserver disclosed a bug submitted by an_gr_y: https://hackerone.com/reports/3781311 [...]
Revive Adserver disclosed a bug submitted by an_gr_y: https://hackerone.com/reports/3781691 [...]
Revive Adserver disclosed a bug submitted by hakuopi: https://hackerone.com/reports/3780709 [...]
Revive Adserver disclosed a bug submitted by kanon4: https://hackerone.com/reports/3793243 [...]
Node.js disclosed a bug submitted by yushengchen: https://hackerone.com/reports/3582376 [...]
Node.js disclosed a bug submitted by cyberjoker: https://hackerone.com/reports/3618831 [...]
Node.js disclosed a bug submitted by tmeletlidis: https://hackerone.com/reports/3688064 [...]
Node.js disclosed a bug submitted by tmeletlidis: https://hackerone.com/reports/3656869 [...]
Node.js disclosed a bug submitted by 3d7omb: https://hackerone.com/reports/3649802 [...]
Node.js disclosed a bug submitted by muhammaddaffa: https://hackerone.com/reports/3625987 [...]
Node.js disclosed a bug submitted by nssys: https://hackerone.com/reports/3720313 [...]
Node.js disclosed a bug submitted by kingsd: https://hackerone.com/reports/3676863 [...]
Node.js disclosed a bug submitted by tmeletlidis: https://hackerone.com/reports/3656716 [...]
Node.js disclosed a bug submitted by erichen: https://hackerone.com/reports/3760016 [...]
curl disclosed a bug submitted by zhenyan: https://hackerone.com/reports/3735180 [...]
curl disclosed a bug submitted by bagder: https://hackerone.com/reports/3788984 [...]
curl disclosed a bug submitted by alienowo: https://hackerone.com/reports/3797526 [...]
curl disclosed a bug submitted by evergarden1123: https://hackerone.com/reports/3788931 [...]
curl disclosed a bug submitted by vectorqueue: https://hackerone.com/reports/3783438 [...]