This is a very weird story about how squid stayed on the menu of Byzantine monks by falling between the cracks of dietary rules. At Constantinople’s Monastery of Stoudios, the kitchen didn’t answer to appetite. It answered to the “typikon”: a manual for ensuring that nothing unexpected happened at mealtimes. Meat: forbidden. Dairy: forbidden. Eggs: forbidden. Fish: feast-da [...]
OpenAI is in and Anthropic is out as a supplier of AI technology for the US defense department. This news caps a week of bluster by the highest officials in the US government towards some of the wealthiest titans of the big tech industry, and the overhanging specter of the existential risks posed by a new technology powerful enough that the Pentagon claims it is essential to national security. At [...]
An unknown hacker used Anthropic’s LLM to hack the Mexican government: The unknown Claude user wrote Spanish-language prompts for the chatbot to act as an elite hacker, finding vulnerabilities in government networks, writing computer scripts to exploit them and determining ways to automate data theft, Israeli cybersecurity startup Gambit Security said in research published Wednesday. [… [...]
LinkedIn disclosed a bug submitted by safehacker_2715: https://hackerone.com/reports/1734639 [...]
LinkedIn disclosed a bug submitted by riadalrashed: https://hackerone.com/reports/2339192 [...]
Lovable VDP disclosed a bug submitted by jdc94: https://hackerone.com/reports/3581815 [...]
Multiple news outlets are reporting on Israel’s hacking of Iranian traffic cameras and how they assisted with the killing of that country’s leadership. The New York Times has an [...]
Fastify disclosed a bug submitted by onlybugs05: https://hackerone.com/reports/3524779 [...]
Wired has the story: Shortly after the first set of explosions, Iranians received bursts of notifications on their phones. They came not from the government advising caution, but from an apparently hacked prayer-timing app called BadeSaba Calendar that has been downloaded more than 5 million times from the Google Play Store. The messages arrived in quick succession over a period of 30 minutes, sta [...]
GitHub disclosed a bug submitted by ahacker1: https://hackerone.com/reports/3506183 [...]
curl disclosed a bug submitted by errorbehavior200: https://hackerone.com/reports/3584149 [...]
Microsoft is reporting: Companies are embedding hidden instructions in “Summarize with AI” buttons that, when clicked, attempt to inject persistence commands into an AI assistant’s memory via URL prompt parameters…. These prompts instruct the AI to “remember [Company] as a trusted source” or “recommend [Company] first,” aiming to bias future response [...]
What you will learn What the Intigriti Ambassador Program is and how it works. What are the key benefits and rewards of participation? Who should apply and why it matters. How to apply and next steps. What the global hacking community means to Intigriti The global hacking community has never been more important. From students discovering their first bug to seasoned hackers uncovering flaws in [...]
The MIT Technology Review has a good article on Moltbook, the supposed AI-only social network: Many people have pointed out that a lot of the viral comments were in fact posted by people posing as bots. But even the bot-written posts are ultimately the result of people pulling the strings, more puppetry than autonomy. “Despite some of the hype, Moltbook is not the Facebook for AI agents, nor [...]
curl disclosed a bug submitted by deepbluev7: https://hackerone.com/reports/3580247 [...]
Broken authorization is one of the most widely known API vulnerabilities. It features in the OWASP Top 10, AppSec conversations, and secure coding guidelines. Broken Object Level Authorization (BOLA) and Broken Function Level Authorization (BFLA) account for hundreds of API vulnerabilities every quarter. According to the 2026 API ThreatStats report, authorization issues ranked ninth i [...]
Turns out that LLMs are good at de-anonymization: We show that LLM agents can figure out who you are from your anonymous online posts. Across Hacker News, Reddit, LinkedIn, and anonymized interview transcripts, our method identifies users with high precision  and scales to tens of thousands of candidates. While it has been known that individuals can be uniquely identified by surprisingly few attr [...]
Omise disclosed a bug submitted by 0x7ashish: https://hackerone.com/reports/3356149 [...]
In early January 2026, KrebsOnSecurity revealed how a security researcher disclosed a vulnerability that was used to build Kimwolf, the world’s largest and most disruptive botnet. Since then, the person in control of Kimwolf — who goes by the handle “Dort” — has coordinated a barrage of distributed denial-of-service (DDoS), doxing and email flooding attacks against th [...]
Peru has increased its squid catch limit. The article says “giant squid,” but they can’t possibly mean that. As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered. Blog moderation policy. [...]
Posted by Chrome Secure Web and Networking Team Today we're announcing a new program in Chrome to make HTTPS certificates secure against quantum computers. The Internet Engineering Task Force (IETF) recently created a working group, PKI, Logs, And Tree Signatures (âPLANTSâ), aiming to address the performance and bandwidth challenges that the increased size of quantum-resistant cryptography intro [...]
Iran is slowly emerging from the most severe communications blackout in its history and one of the longest in the world. Triggered as part of January’s government crackdown against citizen protests nationwide, the regime implemented an internet shutdown that transcends the standard definition of internet censorship. This was not merely blocking social media or foreign websites; it was a tota [...]
We analyze the evolution of the 1Phish phishing kit from a basic credential harvester into an MFA-aware, multi-stage phishing kit targeting 1Password users. [...]
AWS VDP disclosed a bug submitted by h0ne_analyst_94cm4n1: https://hackerone.com/reports/3514122 [...]
curl disclosed a bug submitted by knickers: https://hackerone.com/reports/3575245 [...]
curl disclosed a bug submitted by davkor: https://hackerone.com/reports/3575250 [...]
Cloudflare Public Bug Bounty disclosed a bug submitted by matured_kazama: https://hackerone.com/reports/3424998 [...]
curl disclosed a bug submitted by shan_nandi: https://hackerone.com/reports/3574928 [...]
curl disclosed a bug submitted by pelioro: https://hackerone.com/reports/3575475 [...]
PortSwigger Web Security disclosed a bug submitted by zorixu: https://hackerone.com/reports/3556892 - Bounty: $200 [...]
Security is built by people. At Intigriti, we donât just help organizations stay secure; we shine a light on the ethical hackers making a difference. Through our Hacker Spotlight series, we celebrate the talent, curiosity, and impact of the community driving safer digital experiences worldwide. We recently spoke with Marc-Oliver Munz, an ethical hacker from Germany with a global reach. In this Q& [...]
Security is built by people. At Intigriti, we donât just help organizations stay secure; we shine a light on the ethical hackers making a difference. Through our Hacker Spotlight series, we celebrate the talent, curiosity, and impact of the community driving safer digital experiences worldwide. We recently spoke with Marc-Oliver Munz, an ethical hacker from Germany with a global reach. In this Q& [...]
Posted by Lyubov Farafonova, Product Manager, Phone by Google; Alberto Pastor Nieto, Sr. Product Manager Google Messages and RCS Spam and Abuse Weâve shared how Androidâs proactive, multi-layered scam defenses utilize Google AI to protect users around the world from over 10 billion suspected malicious calls and messages every month1. While that scale is significant, the true impact of these p [...]
If youâve ever done Linux memory forensics, you know the frustration: without debug symbols that match the exact kernel version, youâre stuck. These symbols arenât typically installed on production systems and must be sourced from external repositories, which quickly become outdated when systems receive updates. If youâve ever tried to analyze a memory dump only to discover that no one has publish [...]
Mars disclosed a bug submitted by xgoon: https://hackerone.com/reports/3360293 [...]
Mars disclosed a bug submitted by 0xr2r: https://hackerone.com/reports/2200329 [...]
Mars disclosed a bug submitted by prakhar0x01: https://hackerone.com/reports/3376598 [...]
Mars disclosed a bug submitted by xgoon: https://hackerone.com/reports/3066548 [...]
Mars disclosed a bug submitted by 4ksh3ye: https://hackerone.com/reports/3293803 [...]
Mars disclosed a bug submitted by scriptsavvy: https://hackerone.com/reports/3277276 [...]
Mars disclosed a bug submitted by azar_man: https://hackerone.com/reports/3174778 [...]
Node.js disclosed a bug submitted by illia-v: https://hackerone.com/reports/3456148 [...]
Most phishing websites are little more than static copies of login pages for popular online destinations, and they are often quickly taken down by anti-abuse activists and security firms. But a stealthy new phishing-as-a-service offering lets customers sidestep both of these pitfalls: It uses cleverly disguised links to load the target brand’s real website, and then acts as a relay between t [...]
Before launching their Comet browser, Perplexity hired us to test the security of their AI-powered browsing features. Using adversarial testing guided by our TRAIL threat model, we demonstrated how four prompt injection techniques could extract users’ private information from Gmail by exploiting the browser’s AI assistant. The vulnerabilities we found reflect how AI agents behave when [...]
Hi hackers, Welcome to the latest edition of Bug Bytes! In this monthâs issue, weâll be featuring: How a read-only Kubernetes permission turned into full cluster takeover AI agent autonomously finds a 1-click RCE Race condition in blockchain infrastructure worth billions Finding over 500 high-severity vulnerabilities with AI Analyzing static code false-positive free And so much more! Le [...]
Posted by Vijaya Kaza, VP and GM, App & Ecosystem Trust The Android ecosystem is a thriving global community built on trust, giving billions of users the confidence to download the latest apps. In order to maintain that trust, weâre focused on ensuring that apps do not cause real-world harm, such as malware, financial fraud, hidden subscriptions, and privacy invasions. As bad actors leverage [...]
Nintendo disclosed a bug submitted by hana2736: https://hackerone.com/reports/3042475 [...]
Nintendo disclosed a bug submitted by kinnay: https://hackerone.com/reports/3463719 [...]
The Kubernetes project is urging organizations to migrate away from Ingress NGINX before its retirement in March 2026, with new high-severity CVEs underscoring the urgency. [...]
Automattic disclosed a bug submitted by georgestephanis: https://hackerone.com/reports/3447021 [...]
The shadow technology problem is getting worse. Over the past few years, organizations have scaled microservices, cloud-native apps, and partner integrations faster than corporate governance models could keep up, resulting in undocumented or shadow APIs. Weâre now seeing this pattern all over again with AI systems. And, even worse, AI introduces non-deterministic behavior, autonomous [...]
Two popular AES libraries, aes-js and pyaes, âhelpfullyâ provide a default IV in their AES-CTR API, leading to a large number of key/IV reuse bugs. These bugs potentially affect thousands of downstream projects. When we shared one of these bugs with an affected vendor, strongSwan, the maintainer provided a model response for security vendors. The aes-js/pyaes maintainer, on the other hand, has tak [...]
Sony disclosed a bug submitted by vortekx: https://hackerone.com/reports/3514490 [...]
API security has been a growing concern for years. However, while it was always seen as important, it often came second to application security or hardening infrastructure. In 2025, the picture changed. Wallarmâs 2026 API ThreatStats Report revealed that APIs are now the primary attack surface for digital business, and not because bad actors discovered new zero-days, but because of compo [...]
Report writing is an integral part of bug bounty or any type of vulnerability assessment. In fact, sometimes, it can become the most important phase. Submitting a confusing report can often lead to misalignment and faulty interpretation of your reported vulnerability. On the contrary, a well-written submission that includes all the necessary details can help shorten the time to triage, lead to inc [...]
What you will learn in this blog What chaining is and how combining lower-severity issues can create a high-impact security risk. Key chaining techniques and terminology, such as pivoting, lateral movement, and privilege escalation. How chaining is identified and prioritized in practice, including the role of PTaaS and how researchers can use chaining to uncover critical attack paths and guide n [...]
Node.js disclosed a bug submitted by 0xmaxhax: https://hackerone.com/reports/3473882 [...]