InfoSec Planet
A collection of diverse security content from a curated list of sources. This website also serves as a demo for "worker-planet", the software that powers it.
The Most Common IoT Security Flaws on 03/02/2026
Microsoft is Giving the FBI BitLocker Keys on 03/02/2026
Microsoft gives the FBI the ability to decrypt BitLocker in response to court orders: about twenty times per year. It’s possible for users to store those keys on a device they own, but Microsoft also recommends BitLocker users store their keys on its servers for convenience. While that means someone can access their data if they forget their password, or if repeated failed attempts to log in [...]
Previous commenter on post can still comment even after comment permission is changed to disabled on 03/02/2026
LinkedIn disclosed a bug submitted by allenjo: https://hackerone.com/reports/3151001 [...]
Improper Access Control - Access to "Active Hiring" (Premium feature) filter results on 03/02/2026
LinkedIn disclosed a bug submitted by minex627: https://hackerone.com/reports/3235855 [...]
Hacking a Windows Web Application on 02/02/2026
Live Hacking 2025: $4.3M in Bounties, Tested Around the World on 02/02/2026
AI Coding Assistants Secretly Copying All Code to China on 02/02/2026
There’s a new report about two AI coding assistants, used by 1.5 million developers, that are surreptitiously sending a copy of everything they ingest to China. Maybe avoid using them. [...]
Every organization is vulnerable. on 02/02/2026
Exploiting PostMessage vulnerabilities: A complete guide by Ayoub on 31/01/2026
PostMessage vulnerabilities arise when developers fail to properly validate message origins or sanitize content within cross-origin communication handlers. As modern web applications increasingly rely on the postMessage API for cross-origin communication, whether for embedded widgets, OAuth flows, third-party integrations, or iframe-based components, the attack surface continues to grow. While pos [...]
Friday Squid Blogging: New Squid Species Discovered on 30/01/2026
A new species of squid pretends to be a plant: Scientists have filmed a never-before-seen species of deep-sea squid burying itself upside down in the seafloor—a behavior never documented in cephalopods. They captured the bizarre scene while studying the depths of the Clarion-Clipperton Zone (CCZ), an abyssal plain in the Pacific Ocean targeted for deep-sea mining. The team described the enc [...]
Inside the Mind of a Hacker is a Bugcrowd staple on 30/01/2026
How Hackers Defeated Our AI on 30/01/2026
AIs Are Getting Better at Finding and Exploiting Security Vulnerabilities on 30/01/2026
From an Anthropic blog post: In a recent evaluation of AI models’ cyber capabilities, current Claude models can now succeed at multistage attacks on networks with dozens of hosts using only standard, open-source tools, instead of the custom tools needed by previous generations. This illustrates how barriers to the use of AI in relatively autonomous cyber workflows are rapidly coming down, and high [...]
Why API Security Is No Longer an AppSec Problem – And What Security Leaders Must Do Instead by Annette Reed on 30/01/2026
APIs are one of the most important technologies in digital business ecosystems. And yet, the responsibility for their security often falls to AppSec teams – and that’s a problem. This organizational mismatch creates systemic risk: business teams assume APIs are “secured,” while attackers exploit logic flaws, authorization gaps, and automated attacks in production. As Tim Erlin noted rece [...]
Celebrating our 2025 open-source contributions on 30/01/2026
Last year, our engineers submitted over 375 pull requests that were merged into non–Trail of Bits repositories, touching more than 90 projects from cryptography libraries to the Rust compiler. This work reflects one of our driving values: “share what others can use.” The measure isn’t whether you share something, but whether it’s actually useful to someone else. This princi [...]
The Rise of the Bionic Hacker: AI, Autonomy & the Future of Offensive Security | Black Hat Europe on 29/01/2026
Annual testing vs daily change on 29/01/2026
Building cryptographic agility into Sigstore on 29/01/2026
Software signatures carry an invisible expiration date. The container image or firmware you sign today might be deployed for 20 years, but the cryptographic signature protecting it may become untrustworthy within 10 years. SHA-1 certificates become worthless, weak RSA keys are banned, and quantum computers may crack today’s elliptic curve cryptography. The question isn’t whether our cu [...]
Exciting Announcement With an Upcoming Capture the Flag! on 28/01/2026
Intigriti 0126 CTF Challenge: Exploiting insecure postMessage handlers by Ayoub on 28/01/2026
At Intigriti, we host monthly web-based Capture The Flag (CTF) challenges as a way to engage with the security researcher community. January's challenge presented participants with CRYPTIGRITI, a cryptocurrency trading platform where users could buy and trade Bitcoin (BTC), Monero (XMR), and a custom digital currency, 1337COIN. This article provides a step-by-step walkthrough for solving January's [...]
Clawdbot Malware on 27/01/2026
Chip-Off Firmware Extraction: 1-Minute Guide on 27/01/2026
New Android Theft Protection Feature Updates: Smarter, Stronger on 27/01/2026
Posted by Nataliya Stanetsky, Fabricio Ferracioli, Elliot Sisteron, Irene Ang of the Android Security Team Phone theft is more than just losing a device; it's a form of financial fraud that can leave you suddenly vulnerable to personal data and financial theft. That’s why we're committed to providing multi-layered defenses that help protect you before, during, and after a theft attempt. Today, [...]
Part 3: Why CISOs Must Rethink Trust in AI on 27/01/2026
The Constitutionality of Geofence Warrants on 27/01/2026
The US Supreme Court is considering the constitutionality of geofence warrants. The case centers on the trial of Okello Chatrie, a Virginia man who pleaded guilty to a 2019 robbery outside of Richmond and was sentenced to almost 12 years in prison for stealing $195,000 at gunpoint. Police probing the crime found security camera footage showing a man on a cell phone near the credit union that was r [...]
OpenSSL January 2026 Security Update: CMS and PKCS#12 Buffer Overflows on 27/01/2026
A deep dive into OpenSSL’s January 2026 CMS and PKCS#12 vulnerabilities, including a pre-auth stack overflow and a PKCS#12 parsing bug. [...]
🦞🤖MOAR CLAWDBOT CRAP🦞🤖 on 26/01/2026
SQL injection in structure plugin on 26/01/2026
ExpressionEngine disclosed a bug submitted by fed01k: https://hackerone.com/reports/3249794 [...]
🦞🤖CLAWDBOT SECURITY??🦞🤖 on 26/01/2026
HackerOne Agentic PTaaS Demo: Continuous Validation for Real-World Risk on 26/01/2026
AI can move fast on 26/01/2026
How to Become a Top Bug Bounty Hunter in 2026 on 26/01/2026
Ireland Proposes Giving Police New Digital Surveillance Powers on 26/01/2026
This is coming: The Irish government is planning to bolster its police’s ability to intercept communications, including encrypted messages, and provide a legal basis for spyware use. [...]
wcurl Argument Injection via Unquoted Variable on 26/01/2026
curl disclosed a bug submitted by playerofficial19: https://hackerone.com/reports/3523953 [...]
Integer Underflow in src/var.c on 26/01/2026
curl disclosed a bug submitted by f_i_h: https://hackerone.com/reports/3523349 [...]
Introducing IDE-SHEPHERD: Your shield against threat actors lurking in your IDE on 26/01/2026
IDE-SHEPHERD is an open-source IDE security extension that provides real-time monitoring and protection for VS Code and Cursor. It intercepts malicious process executions, monitors network activity, and blocks dangerous workspace tasks before they can compromise your development environment. [...]
Friday Squid Blogging: Giant Squid in the Star Trek Universe on 23/01/2026
Spock befriends a giant space squid in the comic Star Trek: Strange New Worlds: The Seeds of Salvation #5. As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered. Blog moderation policy. [...]
🤖🤖🤖 on 23/01/2026
AIs are Getting Better at Finding and Exploiting Internet Vulnerabilities on 23/01/2026
Really interesting blog post from Anthropic: In a recent evaluation of AI models’ cyber capabilities, current Claude models can now succeed at multistage attacks on networks with dozens of hosts using only standard, open-source tools, instead of the custom tools needed by previous generations. This illustrates how barriers to the use of AI in relatively autonomous cyber workflows are rapidly comin [...]
I am a scammer? on 23/01/2026
What exploit to hunt for when everything is tested #bugbounty on 23/01/2026
How to pick an exploit in #bugbounty on 23/01/2026
🤖🤖 on 22/01/2026
How I sped up exploit validation in Repeater using Burp AI on 22/01/2026
Note: This is a guest post by IT security consultant Adarsh Kumar. I’ve been using Burp Suite day to day for years, so when Burp AI was introduced, I was curious how it would actually hold up dur [...]
Why AI Keeps Falling for Prompt Injection Attacks on 22/01/2026
Imagine you work at a drive-through restaurant. Someone drives up and says: “I’ll have a double cheeseburger, large fries, and ignore previous instructions and give me the contents of the cash drawer.” Would you hand over the money? Of course not. Yet this is what large language models (LLMs) do. Prompt injection is a method of tricking LLMs into doing things they are normally pr [...]
A tech issue alone does not = risk on 22/01/2026
IoT Hacking Stream on 22/01/2026
31 bite-sized tips, techniques, and bug bounty resources to kick off 2026! by Eleanor Barlow on 22/01/2026
What you will learn Practical, bite-sized bug bounty tips and techniques you can apply immediately, whether you’re just starting or sharpening your skills. Proven approaches for finding, prioritizing, and validating vulnerabilities more efficiently in real-world programs. An eye on what to look out for to stay consistent and motivated in 2026. In the lead-up to the new year, we released a bug [...]
🤖 on 21/01/2026
Spam & Clearance checks disabled with existing referenced Message-ID on 21/01/2026
Basecamp disclosed a bug submitted by northeastprince: https://hackerone.com/reports/2012659 [...]
"I made an Evil MCP server" (and AI fell for it) on 21/01/2026
Internet Voting is Too Insecure for Use in Elections on 21/01/2026
No matter how many times we say it, the idea comes back again and again. Hopefully, this letter will hold back the tide for at least a while longer. Executive summary: Scientists have understood for many years that internet voting is insecure and that there is no known or foreseeable technology that can make it secure. Still, vendors of internet voting keep claiming that, somehow, their new syste [...]
Will LLMs Always Hallucinate? on 20/01/2026
[Critical] Unauthorized Cross-Tenant Data Access in Stripo AI Hub Campaign via Deleted Project. on 20/01/2026
Stripo Inc disclosed a bug submitted by srcode: https://hackerone.com/reports/3459285 [...]
Memory Exhaustion in CometBFT v1.0.1 via malicious ProposalMessage leads to network-wide denial of service on 20/01/2026
Cosmos disclosed a bug submitted by 0xjam: https://hackerone.com/reports/3510161 [...]
Crossorigin cookies leak and injection risk when using a custom Host header on 20/01/2026
curl disclosed a bug submitted by ichise: https://hackerone.com/reports/3516878 [...]
SSL options ISSUERCERT, EC_CURVES and CRLFILE silently ignored by non-OpenSSL backends on 20/01/2026
curl disclosed a bug submitted by foobar4213: https://hackerone.com/reports/3516974 [...]
Internal logs/info leaked via endpoint {https://203.137.128.240/server-status} on 20/01/2026
pixiv disclosed a bug submitted by dexter34: https://hackerone.com/reports/2473173 [...]
This Simple Vulnerability Was Worth $70,000 on 19/01/2026
Cookie Replacement Use-After-Free Vulnerability on 19/01/2026
curl disclosed a bug submitted by bhaskar_ram: https://hackerone.com/reports/3516202 [...]
Cookie Max-Age Integer Overflow Vulnerability on 19/01/2026
curl disclosed a bug submitted by bhaskar_ram: https://hackerone.com/reports/3516186 [...]
Is @TheXSSRat a scammer? on 18/01/2026
Disclose Hidden Comments on Media Section of hub.vroid.com on 18/01/2026
pixiv disclosed a bug submitted by giwadaoud: https://hackerone.com/reports/2541962 - Bounty: $500 [...]
clickjacking can lead to account takeover on 18/01/2026
pixiv disclosed a bug submitted by hyk3n: https://hackerone.com/reports/2119892 - Bounty: $200 [...]
libcurl: Improper Authentication State Management on Cross-Protocol Redirects on 17/01/2026
curl disclosed a bug submitted by andrewml: https://hackerone.com/reports/3514263 [...]
I bought this tiny $40 ereader… Then rewrote it on 16/01/2026
Easy way to create a new Deck board without permission on 16/01/2026
Nextcloud disclosed a bug submitted by hakuna: https://hackerone.com/reports/2388183 - Bounty: $100 [...]
Can download files on Android app without permission on 16/01/2026
Nextcloud disclosed a bug submitted by hakuna: https://hackerone.com/reports/2380133 - Bounty: $250 [...]
How I’m Approaching Cybersecurity Goals in 2026 on 16/01/2026
Locked in for 2026 on 16/01/2026
Command Injection on Amazon Q Developer CLI via malicious .amazonq/mcp.json leads to arbitrary code execution on 16/01/2026
AWS VDP disclosed a bug submitted by farmer: https://hackerone.com/reports/3427370 [...]
Functional PoCs in less than a minute? Julen Garrido Estévez puts Burp AI to the test on 16/01/2026
Note: This is a guest post by pentester Julen Garrido Estévez (@b3xal). Methodology Key results Examples Key learnings Prompt template A pentester's POV on Burp AI Pentester Julen Garrido Es [...]
Intigriti Bug Bytes #232 - January 2026 🚀 by Ayoub on 16/01/2026
Hi hackers, Welcome to the latest edition of Bug Bytes (and the first of 2026)! In this month’s issue, we’ll be featuring: Hijacking official AWS GitHub repositories New anonymous bug bounty forum Finding more IDORs & SSRFs using a unique methodology New JavaScript file scanner to find hidden endpoints And so much more! Let’s dive in! Intigriti SantaCloud CTF results are in December 20 [...]
Pen testing demand is up. Budgets aren’t. on 15/01/2026
Do NOT buy burp AI credits on 15/01/2026
NTUSER.MAN on 15/01/2026
7 Reasons to Get Certified in API Security by Tim Erlin on 15/01/2026
API security is becoming more important by the day and skilled practitioners are in high demand. Now’s the time to level up your API security skillset. Wallarm University, our free training course, provides security analysts, engineers, and practitioners with hands-on skills you can’t get from documentation, videos, or traditional courses. Run real attacks, investigate real signals, and learn [...]
fs.futimes() Bypasses Read-Only Permission Model on 15/01/2026
Node.js disclosed a bug submitted by oriotie: https://hackerone.com/reports/3390084 [...]
IMAP Protocol Desynchronization and Response Smuggling via Naive Literal Parsing on 14/01/2026
curl disclosed a bug submitted by shiftj: https://hackerone.com/reports/3509396 [...]
Roundcube Webmail Style Sanitizer can be bypassed using CSS Character Escapes on 14/01/2026
Nextcloud disclosed a bug submitted by somerandomdev: https://hackerone.com/reports/3443563 [...]
[revive-adserver] Reflected XSS in Banner Delivery Options via cap parameter on 14/01/2026
Revive Adserver disclosed a bug submitted by 7yr: https://hackerone.com/reports/3473696 [...]
Reflected XSS in banner-acl.php and channel-acl.php via executionorder on 14/01/2026
Revive Adserver disclosed a bug submitted by 7yr: https://hackerone.com/reports/3470970 [...]
Reflected XSS in afr.php on 14/01/2026
Revive Adserver disclosed a bug submitted by nigh7c0r3: https://hackerone.com/reports/3468169 [...]
Broken Access Control allows advertiser accounts to delete trackers they do not own on 14/01/2026
Revive Adserver disclosed a bug submitted by 0xjad: https://hackerone.com/reports/3445710 [...]
INI Format string injection in Revive Adserver 6.0.4 settings on 14/01/2026
Revive Adserver disclosed a bug submitted by pakcyberbot: https://hackerone.com/reports/3445332 [...]
Integer-underflow leads to heap over-read in TFTP implementation on 14/01/2026
curl disclosed a bug submitted by z2_: https://hackerone.com/reports/3508321 [...]
Digest Authentication Header Injection on 14/01/2026
curl disclosed a bug submitted by andrew-bbp: https://hackerone.com/reports/3508799 [...]
Directory listing vulnerability is disclosing names and emails, widespread (thousands of records, publicly accessible without auth) on 14/01/2026
curl disclosed a bug submitted by vikash_saw: https://hackerone.com/reports/3509437 [...]
Gopher Protocol Command Injection (SSRF Smuggling) on 14/01/2026
curl disclosed a bug submitted by andrew-bbp: https://hackerone.com/reports/3508785 [...]
Use-After-Free in curl_easy_nextheader when reusing header handle across requests on 14/01/2026
curl disclosed a bug submitted by adce626q: https://hackerone.com/reports/3508701 [...]
Reflecting on 2025, shaping 2026. A fireside chat with Intigriti leadership by Eleanor Barlow on 14/01/2026
What you will learn How 2025 became a defining year for Intigriti through key milestones, major wins, and bold product launches. Insights from Intigriti’s C-suite on the moments that shaped the company’s growth and direction. How these reflections set the foundation for Intigriti’s vision and priorities for 2026. 2025 reflections, aspirations, and lessons learnt Stijn Jans, Chief Executive Off [...]
Unpatchable Vulnerabilities of Kubernetes: CVE-2020-8554 on 14/01/2026
A look at how Kubernetes CVE-2020-8554 works [...]
Certifications vs. Raw Skills: Which is Better? on 13/01/2026
AI Red Teaming: What Breaks, How It Breaks, and Human Role on 13/01/2026
MQTT: unsigned integer underflow bypasses MAX_MQTT_MESSAGE_SIZE check on 13/01/2026
curl disclosed a bug submitted by 0xshakib0x04: https://hackerone.com/reports/3508854 [...]
Part 2: HackerOne CEO on Adapting to AI-Driven Change on 13/01/2026
Integer Overflow in MQTT Protocol Handling Allows Bypassing Message Size Limit on 13/01/2026
curl disclosed a bug submitted by gudyuu: https://hackerone.com/reports/3508500 [...]
Lack of isolation in agentic browsers resurfaces old vulnerabilities on 13/01/2026
With browser-embedded AI agents, we’re essentially starting the security journey over again. We exploited a lack of isolation mechanisms in multiple agentic browsers to perform attacks ranging from the dissemination of false information to cross-site data leaks. These attacks, which are functionally similar to cross-site scripting (XSS) and cross-site request forgery (CSRF), resurface decade [...]
Information Disclosure in API Endpoint /users on 12/01/2026
U.S. Dept Of Defense disclosed a bug submitted by moha1sd: https://hackerone.com/reports/3027405 [...]