InfoSec Planet
A collection of diverse security content from a curated list of sources. This website also serves as a demo for "worker-planet", the software that powers it.
Initial Bug Bounty Exploits - CSRF + SSRF [CyberCrusade 6] on 22/02/2026
Friday Squid Blogging: Squid Cartoon on 20/02/2026
I like this one. As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered. Blog moderation policy. [...]
‘Starkiller’ Phishing Service Proxies Real Login Pages, MFA by BrianKrebs on 20/02/2026
Most phishing websites are little more than static copies of login pages for popular online destinations, and they are often quickly taken down by anti-abuse activists and security firms. But a stealthy new phishing-as-a-service offering lets customers sidestep both of these pitfalls: It uses cleverly disguised links to load the target brand’s real website, and then acts as a relay between t [...]
Learn PowerShell! on 20/02/2026
Besides Spotify on 20/02/2026
Chaining Five Business Logic Flaws to Steal $999,999 on 20/02/2026
Using threat modeling and prompt injection to audit Comet on 20/02/2026
Before launching their Comet browser, Perplexity hired us to test the security of their AI-powered browsing features. Using adversarial testing guided by our TRAIL threat model, we demonstrated how four prompt injection techniques could extract users’ private information from Gmail by exploiting the browser’s AI assistant. The vulnerabilities we found reflect how AI agents behave when [...]
The Payload Podcast #002 with Connor McGarr on 20/02/2026
Ring Cancels Its Partnership with Flock on 20/02/2026
It’s a demonstration of how toxic the surveillance-tech company Flock has become when Amazon’s Ring cancels the partnership between the two companies. As Hamilton Nolan advises, remove your Ring doorbell. [...]
Intigriti Bug Bytes #233 - February 2026 🚀 by Ayoub on 20/02/2026
Hi hackers, welcome to the latest edition of Bug Bytes! In this month’s issue, we’ll be featuring: How a read-only Kubernetes permission turned into full cluster takeover; AI agent autonomously finds a 1-click RCE; Race condition in blockchain infrastructure worth billions; Finding over 500 high-severity vulnerabilities with AI; Analyzing static code false-positive free; And so much more! Le [...]
Keeping Google Play & Android app ecosystems safe in 2025 on 19/02/2026
Posted by Vijaya Kaza, VP and GM, App & Ecosystem Trust The Android ecosystem is a thriving global community built on trust, giving billions of users the confidence to download the latest apps. In order to maintain that trust, we’re focused on ensuring that apps do not cause real-world harm, such as malware, financial fraud, hidden subscriptions, and privacy invasions. As bad actors leverage [...]
Russia is hacking zero-days again on 19/02/2026
Malicious AI on 19/02/2026
Interesting: Summary: An AI agent of unknown ownership autonomously wrote and published a personalized hit piece about me after I rejected its code, attempting to damage my reputation and shame me into accepting its changes into a mainstream python library. This represents a first-of-its-kind case study of misaligned AI behavior in the wild, and raises serious concerns about currently deployed AI [...]
IoT Hacking Stream on 19/02/2026
Splatoon 3 Anticheat Seed Randomization Weakness on 19/02/2026
Nintendo disclosed a bug submitted by hana2736: https://hackerone.com/reports/3042475 [...]
ASLR leak in Mario Kart World through LAN mode on 19/02/2026
Nintendo disclosed a bug submitted by kinnay: https://hackerone.com/reports/3463719 [...]
Kubernetes project issues warning on Ingress NGINX retirement on 19/02/2026
The Kubernetes project is urging organizations to migrate away from Ingress NGINX before its retirement in March 2026, with new high-severity CVEs underscoring the urgency. [...]
Inside H1-65: Inside OKX’s Live Hacking Event in Singapore on 18/02/2026
XSS Vulnerability on Pressable/Atomic Hosting Platform via unescaped admin notices leads to code execution on 18/02/2026
Automattic disclosed a bug submitted by georgestephanis: https://hackerone.com/reports/3447021 [...]
ContinuumCon is back for 2026! on 18/02/2026
AI Found Twelve New Vulnerabilities in OpenSSL on 18/02/2026
The title of the post is “What AI Security Research Looks Like When It Works,” and I agree: In the latest OpenSSL security release on January 27, 2026, twelve new zero-day vulnerabilities (meaning unknown to the maintainers at time of disclosure) were announced. Our AI system is responsible for the original discovery of all twelve, each found and responsibly disclosed to the OpenSSL te [...]
From Shadow APIs to Shadow AI: How the API Threat Model Is Expanding Faster Than Most Defenses by Tim Erlin on 18/02/2026
The shadow technology problem is getting worse. Over the past few years, organizations have scaled microservices, cloud-native apps, and partner integrations faster than corporate governance models could keep up, resulting in undocumented or shadow APIs. We’re now seeing this pattern all over again with AI systems. And, even worse, AI introduces non-deterministic behavior, autonomous [...]
Carelessness versus craftsmanship in cryptography on 18/02/2026
Two popular AES libraries, aes-js and pyaes, “helpfully” provide a default IV in their AES-CTR API, leading to a large number of key/IV reuse bugs. These bugs potentially affect thousands of downstream projects. When we shared one of these bugs with an affected vendor, strongSwan, the maintainer provided a model response for security vendors. The aes-js/pyaes maintainer, on the other hand, has tak [...]
AI Web App Testing: The Future of Security on 17/02/2026
The Core Principle in Forensic Science on 17/02/2026
How's your security posture? on 17/02/2026
Improper State Validation on Sony WH-CH520 via BLE Command Service leads to unauthorized Bluetooth pairing and audio hijacking on 17/02/2026
Sony disclosed a bug submitted by vortekx: https://hackerone.com/reports/3514490 [...]
Inside Modern API Attacks: What We Learn from the 2026 API ThreatStats Report by Tim Erlin on 17/02/2026
API security has been a growing concern for years. However, while it was always seen as important, it often came second to application security or hardening infrastructure. In 2025, the picture changed. Wallarm’s 2026 API ThreatStats Report revealed that APIs are now the primary attack surface for digital business, and not because bad actors discovered new zero-days, but because of compo [...]
An Interview with Eva Benn! on 17/02/2026
Side-Channel Attacks Against LLMs on 17/02/2026
Here are three papers describing different side-channel attacks against LLMs. “Remote Timing Attacks on Efficient Language Model Inference”: Abstract: Scaling up language models has significantly increased their capabilities. But larger models are slower models, and so there is now an extensive body of work (e.g., speculative sampling or parallel decoding) that improves the (average ca [...]
How to use AI for improved vulnerability report writing by Ayoub on 17/02/2026
Report writing is an integral part of bug bounty or any type of vulnerability assessment. In fact, sometimes, it can become the most important phase. Submitting a confusing report can often lead to misalignment and faulty interpretation of your reported vulnerability. On the contrary, a well-written submission that includes all the necessary details can help shorten the time to triage, lead to inc [...]
TikTok needs to fix this vulnerability on 16/02/2026
Can I Replace AI With My Recon Methodology? on 16/02/2026
The Promptware Kill Chain on 16/02/2026
Attacks against modern generative artificial intelligence (AI) large language models (LLMs) pose a real threat. Yet discussions around these attacks and their potential defenses are dangerously myopic. The dominant narrative focuses on “prompt injection,” a set of techniques to embed instructions into inputs to LLM intended to perform malicious activity. This term suggests a simple, s [...]
Chaining in action: techniques, terminology, and real-world impact on business by Eleanor Barlow on 16/02/2026
What you will learn in this blog: What chaining is and how combining lower-severity issues can create a high-impact security risk. Key chaining techniques and terminology, such as pivoting, lateral movement, and privilege escalation. How chaining is identified and prioritized in practice, including the role of PTaaS and how researchers can use chaining to uncover critical attack paths and guide n [...]
AI wrote a hit piece on 15/02/2026
Bad Bash! FREE FULL 1 Hour Bash Course For Ethical Hackers on 14/02/2026
Upcoming Speaking Engagements on 14/02/2026
This is a current list of where and when I am scheduled to speak: I’m speaking at Ontario Tech University in Oshawa, Ontario, Canada, at 2 PM ET on Thursday, February 26, 2026. I’m speaking at the Personal AI Summit in Los Angeles, California, USA, on Thursday, March 5, 2026. I’m speaking at Tech Live: Cybersecurity in New York City, USA, on Wednesday, March 11, 2026. I’m giving the Ross An [...]
this is really funny on 14/02/2026
Friday Squid Blogging: Do Squid Dream? on 13/02/2026
An exploration of the interesting question. [...]
A Practical Intro to Digital Forensics on 13/02/2026
Moltbook is still weird (and AI skills suck) on 13/02/2026
In love with hacking on 12/02/2026
TLS PSK/ALPN Callback Exceptions Bypass Error Handlers, Causing DoS and FD Leak on 12/02/2026
Node.js disclosed a bug submitted by 0xmaxhax: https://hackerone.com/reports/3473882 [...]
Node.js permission model bypass via unchecked Unix Domain Socket connections (UDS) on 12/02/2026
Node.js disclosed a bug submitted by winfunc: https://hackerone.com/reports/3465156 [...]
Uncatchable "Maximum call stack size exceeded" error on Node.js via async_hooks leads to process crashes bypassing error handlers on 12/02/2026
Node.js disclosed a bug submitted by aaron_vercel: https://hackerone.com/reports/3456295 [...]
Memory leak that enables remote Denial of Service against applications processing TLS client certificates on 12/02/2026
Node.js disclosed a bug submitted by giant_anteater: https://hackerone.com/reports/3357723 [...]
Timeout-based race conditions make Uint8Array/Buffer.alloc non-zerofilled on 12/02/2026
Node.js disclosed a bug submitted by chalker: https://hackerone.com/reports/3405778 [...]
FS Permissions Bypass on 12/02/2026
Node.js disclosed a bug submitted by natann: https://hackerone.com/reports/3417819 [...]
Mail stored HTML injection in subject text on 12/02/2026
Nextcloud disclosed a bug submitted by se1en: https://hackerone.com/reports/3357036 - Bounty: $350 [...]
3D Printer Surveillance on 12/02/2026
New York is contemplating a bill that adds surveillance to 3D printers: New York’s 2026-2027 executive budget bill (S.9005 / A.10005) includes language that should alarm every maker, educator, and small manufacturer in the state. Buried in Part C is a provision requiring all 3D printers sold or delivered in New York to include “blocking technology.” This is defined as software or firmw [...]
Cache Pollution via Unkeyed GET Parameters on www.omise.co on 11/02/2026
Omise disclosed a bug submitted by alitoni224: https://hackerone.com/reports/3183046 [...]
AI Red Teaming: Beyond Safety to Security on 11/02/2026
Kimwolf Botnet Swamps Anonymity Network I2P by BrianKrebs on 11/02/2026
For the past week, the massive “Internet of Things” (IoT) botnet known as Kimwolf has been disrupting The Invisible Internet Project (I2P), a decentralized, encrypted communications network designed to anonymize and secure online communications. I2P users started reporting disruptions in the network around the same time the Kimwolf botmasters began relying on it to evade takedown attem [...]
Rewiring Democracy Ebook is on Sale on 11/02/2026
I just noticed that the ebook version of Rewiring Democracy is on sale for $5 on Amazon, Apple Books, Barnes & Noble, Books A Million, Google Play, Kobo, and presumably everywhere else in the US. I have no idea how long this will last. Also, Amazon has a coupon that brings the hardcover price down to $20. You’ll see the discount at checkout. [...]
Quick tip! on 11/02/2026
CISO Spotlight: Craig Riddell on Curiosity, Translation, and Why API Security is the New Business Imperative by Tim Erlin on 11/02/2026
It’s an unusually cold winter morning in Houston, and Craig Riddell is settling into his new role as Wallarm’s Global Field CISO. It’s a position that suits him down to the ground, blending technical depth, empathy, business acumen, and, what Craig believes, the most underrated skill in cybersecurity: curiosity. Like so many of us, Craig got into cybersecurity by accident. He first learned Un [...]
Patch Tuesday, February 2026 Edition by BrianKrebs on 10/02/2026
Microsoft today released updates to fix more than 50 security holes in its Windows operating systems and other software, including patches for a whopping six “zero-day” vulnerabilities that attackers are already exploiting in the wild. Zero-day #1 this month is CVE-2026-21510, a security feature bypass vulnerability in Windows Shell wherein a single click on a malicious link can quiet [...]
Your environment doesn’t sit still on 10/02/2026
Choosing Red Team or Blue Team in 2026 on 10/02/2026
Tech impersonators: ClickFix and MacOS infostealers on 10/02/2026
Datadog identified an active campaign employing fake GitHub repositories impersonating software companies and leveraging the ClickFix initial access technique to deliver macOS infostealers. [...]
Where are hackers located? on 09/02/2026
Unlimited Reuse of Coupon Code Allows Free Shipping on All Orders on 09/02/2026
AWS VDP disclosed a bug submitted by aneeeketh: https://hackerone.com/reports/3426839 [...]
How AI Gets Tested in the Real World | Salesforce Live Hacking Event on 09/02/2026
ASGIRequest header concatenation quadratic CPU DoS on Django via repeated headers leads to worker exhaustion on 09/02/2026
Django disclosed a bug submitted by sy2n0: https://hackerone.com/reports/3426417 [...]
10+ Daily Essentials As An Ethical Hacker on 09/02/2026
The Myth of “Known APIs”: Why Inventory-First Security Models Are Already Obsolete by Tim Erlin on 09/02/2026
You probably think the security mantra “you can’t protect what you don’t know about” is an inarguable truth. But you would be wrong. It doesn’t hold water in today’s threat landscape. Of course, it sounds reasonable. Before you secure APIs, you must first discover, inventory, and document them exhaustively. The problem is that this way of thinking has hardened into dogma and ignores how attack [...]
Bundle Up With Our Biggest Discounts Ever! on 07/02/2026
JHT Course Launch: Dark Web 2 - CTI Researcher on 06/02/2026
We take security seriously at Bugcrowd on 06/02/2026
WebAuthn app was updated based on public key on 06/02/2026
Nextcloud disclosed a bug submitted by se1en: https://hackerone.com/reports/3360354 - Bounty: $750 [...]
The Payload Podcast #001 with Jonny Johnson & Max Harley on 06/02/2026
LIVE: 🕵️ Forensicating | HackTheBox | Cybersecurity on 05/02/2026
MQTT Protocol Packet Injection via Unchecked CONNACK Remaining Length on 05/02/2026
curl disclosed a bug submitted by pajarori: https://hackerone.com/reports/3531216 [...]
From niche to necessity: global bug bounty adoption accelerates, led by the U.S. by Eleanor Barlow on 05/02/2026
Bug bounty growth insights across the US: Bug bounty programs have evolved from a niche security tactic into a core component of modern defense strategies worldwide. In this blog, we focus on the US: one of the most invested and fastest-adopting markets, where organizations, driven by higher security maturity, are increasingly using bug bounty to uncover complex vulnerabilities that traditional t [...]
Bugcrowd’s new Security Inbox on 04/02/2026
How To Approach ANY Bug Bounty Target In 2026 on 04/02/2026
User enumeration via timing attack in Django mod_wsgi authentication backend leads to account discovery on 04/02/2026
Django disclosed a bug submitted by stackered: https://hackerone.com/reports/3424977 [...]
Information Disclosure via Logback Configuration Injection in GoCD Agent on 04/02/2026
GoCD disclosed a bug submitted by aigirl: https://hackerone.com/reports/3509632 [...]
Web Traffic Hijacking: When Your Nginx Configuration Turns Malicious on 04/02/2026
Datadog Security Research has identified an active web traffic hijacking campaign that targets NGINX installations and management panels like Baota (BT). In this post, we provide our analysis of the techniques this campaign uses and share indicators of compromise you can check for in your NGINX configurations. [...]
Security folks on 03/02/2026
The Most Common IoT Security Flaws on 03/02/2026
Previous commenter on post can still comment even after comment permission is changed to disabled on 03/02/2026
LinkedIn disclosed a bug submitted by allenjo: https://hackerone.com/reports/3151001 [...]
Improper Access Control - Access to "Active Hiring" (Premium feature) filter results on 03/02/2026
LinkedIn disclosed a bug submitted by minex627: https://hackerone.com/reports/3235855 [...]
Please Don’t Feed the Scattered Lapsus ShinyHunters by BrianKrebs on 02/02/2026
A prolific data ransom gang that calls itself Scattered Lapsus ShinyHunters (SLSH) has a distinctive playbook when it seeks to extort payment from victim firms: Harassing, threatening and even swatting executives and their families, all while notifying journalists and regulators about the extent of the intrusion. Some victims reportedly are paying — perhaps as much to contain the stolen data [...]
Hacking a Windows Web Application on 02/02/2026
Live Hacking 2025: $4.3M in Bounties, Tested Around the World on 02/02/2026
Every organization is vulnerable. on 02/02/2026
Exploiting PostMessage vulnerabilities: A complete guide by Ayoub on 31/01/2026
PostMessage vulnerabilities arise when developers fail to properly validate message origins or sanitize content within cross-origin communication handlers. As modern web applications increasingly rely on the postMessage API for cross-origin communication, whether for embedded widgets, OAuth flows, third-party integrations, or iframe-based components, the attack surface continues to grow. While pos [...]
Inside the Mind of a Hacker is a Bugcrowd staple on 30/01/2026
How Hackers Defeated Our AI on 30/01/2026
Why API Security Is No Longer an AppSec Problem – And What Security Leaders Must Do Instead by Annette Reed on 30/01/2026
APIs are one of the most important technologies in digital business ecosystems. And yet, the responsibility for their security often falls to AppSec teams – and that’s a problem. This organizational mismatch creates systemic risk: business teams assume APIs are “secured,” while attackers exploit logic flaws, authorization gaps, and automated attacks in production. As Tim Erlin noted rece [...]
Celebrating our 2025 open-source contributions on 30/01/2026
Last year, our engineers submitted over 375 pull requests that were merged into non–Trail of Bits repositories, touching more than 90 projects from cryptography libraries to the Rust compiler. This work reflects one of our driving values: “share what others can use.” The measure isn’t whether you share something, but whether it’s actually useful to someone else. This princi [...]
The Rise of the Bionic Hacker: AI, Autonomy & the Future of Offensive Security | Black Hat Europe on 29/01/2026
Annual testing vs daily change on 29/01/2026
Building cryptographic agility into Sigstore on 29/01/2026
Software signatures carry an invisible expiration date. The container image or firmware you sign today might be deployed for 20 years, but the cryptographic signature protecting it may become untrustworthy within 10 years. SHA-1 certificates become worthless, weak RSA keys are banned, and quantum computers may crack today’s elliptic curve cryptography. The question isn’t whether our cu [...]
Exciting Announcement With an Upcoming Capture the Flag! on 28/01/2026
Intigriti 0126 CTF Challenge: Exploiting insecure postMessage handlers by Ayoub on 28/01/2026
At Intigriti, we host monthly web-based Capture The Flag (CTF) challenges as a way to engage with the security researcher community. January's challenge presented participants with CRYPTIGRITI, a cryptocurrency trading platform where users could buy and trade Bitcoin (BTC), Monero (XMR), and a custom digital currency, 1337COIN. This article provides a step-by-step walkthrough for solving January's [...]