InfoSec Planet

A collection of diverse security content from a curated list of sources. This website also serves as a demo for "worker-planet", the software that powers it.

Atlas of Surveillance

on 17/02/2025

The EFF has released its Atlas of Surveillance, which documents police surveillance technology across the US. [...]

See full content

CNWPP - Day 2 - The Pentest plan - Part 1

on 17/02/2025

See full content

stop falling for this (disable Win+R run dialog)

on 17/02/2025

See full content

Give Me 13 Minutes and 2025 Will Be Your Best Bug Bounty Year

on 17/02/2025

See full content

Software industry: Top vulnerabilities in 2024 and what to watch for in 2025

by Intigriti on 17/02/2025

The software industry continues to evolve rapidly, driven by the adoption of cloud services, increasingly complex SaaS ecosystems, and the reliance on open-source components. But with innovation comes risk: vulnerabilities are being exploited at an alarming rate, threatening billions of dollars in operations, data, and trust.    In 2024, the software industry was rocked by cybe… [...]

See full content

Supply Chain Horror Stories

on 16/02/2025

See full content

Friday Squid Blogging: Squid the Care Dog

on 14/02/2025

The Vanderbilt University Medical Center has a pediatric care dog named “Squid.” Blog moderation policy. [...]

See full content

Upcoming Speaking Engagements

on 14/02/2025

This is a current list of where and when I am scheduled to speak: I’m speaking at Boskone 62 in Boston, Massachusetts, USA, which runs from February 14-16, 2025. My talk is at 4:00 PM ET on the 15th. I’m speaking at the Rossfest Symposium in Cambridge, UK, on March 25, 2025. The list is maintained on this page. [...]

See full content

Top 5 Security Practices to Combat OWASP's Most Critical Risks

on 14/02/2025

See full content

Why it's time for AppSec to embrace AI: How PortSwigger is leading the charge

on 14/02/2025

AI is rapidly gaining traction in virtually every industry. But in AppSec, it's often met with a healthy skepticism, viewed by some as a useless gimmick at best or, at the other end of the scale, a ma [...]

See full content

This EJPT NoteBook Will Help You Succeed!

on 14/02/2025

See full content

REPORT THIS ACCOUNT

on 14/02/2025

See full content

Overcoming Security Challenges in Real-Time APIs

by Tim Erlin on 14/02/2025

Speed is everything in the modern business world. Our attention spans are shorter than ever, consumers demand short and seamless interactions, and the slightest delay in service delivery can see organizations fall far behind their competitors. This is why real-time APIs are so important; they enable systems to communicate and exchange data with minimal delay, allowing for near-instantaneous updat [...]

See full content

AI and Civil Service Purges

on 14/02/2025

Donald Trump and Elon Musk’s chaotic approach to reform is upending government operations. Critical functions have been halted, tens of thousands of federal staffers are being encouraged to resign, and congressional mandates are being disregarded. The next phase: The Department of Government Efficiency reportedly wants to use AI to cut costs. According to The Washington Post, Musk’s gr [...]

See full content

$200k in two weeks of bug bounty feat. Victor Poucheret #bugbounty #bugbountytips #bugbountyhunter

on 14/02/2025

See full content

Use this tool to bypass rate limiting feat. defparam #bugbounty #bugbountytips #bugbountyhunter

on 14/02/2025

See full content

Zero click account takeover by bypassing SAML signature verification feat. ProjectDiscovery

on 14/02/2025

See full content

Find request smuggling and other bugs with http garden feat. Narf Industries #bugbounty #bugbountyti

on 14/02/2025

See full content

Accessing the camera and microphone as the XSS POC feat. H4R3L #bugbounty #bugbountytips

on 14/02/2025

See full content

The best bug bounty writeup of 2024 feat. Yanir Tsarimi #bugbounty #bugbountytips #bugbountyhunter

on 14/02/2025

See full content

The best bug bounty advice of 2024 feat. Douglas Day #bugbounty #bugbountytips #bugbountyhunter

on 14/02/2025

See full content

A hunter shares exact stats and earnings of his first 12 months of hunting feat. Shreyas Chavhan #bu

on 14/02/2025

See full content

Use this tool to bypass CSP feat. renniepak #bugbounty #bugbountytips #bugbountyhunter

on 14/02/2025

See full content

Intigriti Bug Bytes #221 - February 2025 🚀

by blackbird-eu on 14/02/2025

Hey hackers, Each month, we round up insights, platform updates, new programs, upcoming community events and more to help you master your hacking skills.  Check out February’s edition below: BlueSky We’ve landed on BlueSky, follow us to access the latest programme updates, challenges, blogs, event news, hacking tips and more! Win an Intigriti Hoodie Can you spot where the develope… [...]

See full content

Unleashing Medusa: Fast and scalable smart contract fuzzing

on 14/02/2025

Introducing Medusa v1, a cutting-edge fuzzing framework designed to enhance smart contract security. [...]

See full content

Security Flash: CFAA and Thought Crime

on 13/02/2025

See full content

Nearly a Year Later, Mozilla is Still Promoting OneRep

by BrianKrebs on 13/02/2025

In mid-March 2024, KrebsOnSecurity revealed that the founder of the personal data removal service Onerep also founded dozens of people-search companies. Shortly after that investigation was published, Mozilla said it would stop bundling Onerep with the Firefox browser and wind down its partnership with the company. But nearly a year later, Mozilla is still promoting it to Firefox users. Mozilla of [...]

See full content

How I Got Malware From Discord!

on 13/02/2025

See full content

Linkedin Broken Link Hijacking on https://hemi.xyz/about

on 13/02/2025

Hemi VDP disclosed a bug submitted by an_gr_y: https://hackerone.com/reports/2990368 [...]

See full content

CNWPP - Live lesson - Day 1 - Deliverables - 2/2

on 13/02/2025

See full content

The best bug bounty reports, blogposts and tools of the year - 2024 BBRE Awards

on 13/02/2025

See full content

The future of security testing: harness AI-Powered Extensibility in Burp 🚀

on 13/02/2025

Our commitment to innovation At PortSwigger, we're always striving to push the boundaries of what's possible in application security, with a world-leading Research team dedicated to pioneering new hac [...]

See full content

DOGE as a National Cyberattack

on 13/02/2025

In the span of just weeks, the US government has experienced what may be the most consequential security breach in its history—not through a sophisticated cyberattack or an act of foreign espionage, but through official orders by a billionaire with a poorly defined government role. And the implications for national security are profound. First, it was reported that people associated with the [...]

See full content

We’re partnering to strengthen TON’s DeFi ecosystem

on 13/02/2025

TVM Ventures has selected Trail of Bits as its preferred security partner to strengthen the TON developer ecosystem. Through this partnership, we’ll lead the development of DeFi protocol standards and provide comprehensive security services to contest-winning projects deploying on TON. TVM Ventures will host ongoing developer contests where teams can showcase innovative applications that advance [...]

See full content

5 Ways to hack WordPress targets

by blackbird-eu on 13/02/2025

Over half a billion websites are powered by WordPress as of today. Unfortunately, not every instance receives the same security attention as the others, so the chance of coming across a bug bounty target that runs a vulnerable instance is quite high. However, some bug bounty hunters get intimidated because WordPress targets are often used as a blogging or documentation platform. For… [...]

See full content

Applicant security exam Attachments/Documents accessible through an IDOR/BAC on the custom Apex controller on https://.mil

on 12/02/2025

U.S. Dept Of Defense disclosed a bug submitted by oxylis: https://hackerone.com/reports/2950536 [...]

See full content

Improper Authentication Allows Making Appeals as Other Users

on 12/02/2025

U.S. Dept Of Defense disclosed a bug submitted by turbul3nce: https://hackerone.com/reports/2666323 [...]

See full content

Publicly Editable U.S. Air Force Google Spreadsheet Exposing Student Leave Data

on 12/02/2025

U.S. Dept Of Defense disclosed a bug submitted by kolcyberdef: https://hackerone.com/reports/2682079 [...]

See full content

LIVE: Blue Team | MyDFIR | AMA | Cybersecurity

on 12/02/2025

See full content

Wordpress users Disclosure

on 12/02/2025

Autodesk disclosed a bug submitted by karimtantawy: https://hackerone.com/reports/2981756 [...]

See full content

backdooring local git repositories

on 12/02/2025

See full content

The XSS Rat - Channel Intro - Are You With Me? - No Bullshit Hacking Tutorials

on 12/02/2025

See full content

Delivering Malware Through Abandoned Amazon S3 Buckets

on 12/02/2025

Here’s a supply-chain attack just waiting to happen. A group of researchers searched for, and then registered, abandoned Amazon S3 buckets for about $400. These buckets contained software libraries that are still used. Presumably the projects don’t realize that they have been abandoned, and still ping them for patches, updates, etc. The TL;DR is that this time, we ended up discover [...]

See full content

The call for invariant-driven development

on 12/02/2025

Writing smart contracts requires a higher level of security assurance than most other fields of software engineering. The industry has evolved from simple ERC20 tokens to complex, multi-component DeFi systems that leverage domain-specific algorithms and handle significant monetary value. This evolution has unlocked immense potential but has also introduced an escalating number […] [...]

See full content

Microsoft Patch Tuesday, February 2025 Edition

by BrianKrebs on 12/02/2025

Microsoft today issued security updates to fix at least 56 vulnerabilities in its Windows operating systems and supported software, including two zero-day flaws that are being actively exploited. All supported Windows operating systems will receive an update this month for a buffer overflow vulnerability that carries the catchy name CVE-2025-21418. This patch should be a priority for enterprises, [...]

See full content

whoAMI: A cloud image name confusion attack

on 12/02/2025

Detailing the discovery and impact of the whoAMI cloud image name confusion attack, which could allow attackers to execute code within AWS accounts due to a vulnerable pattern in AMI retrieval. [...]

See full content

Women@ Kicks Off the Year with a Vision Board Event

by Marina Briones on 11/02/2025

See full content

Trusted Execution Environments

on 11/02/2025

Really good—and detailed—survey of Trusted Execution Environments (TEEs.) [...]

See full content

Improper Cache Handling Allows Access to Post-Logout Pages

on 10/02/2025

Basecamp disclosed a bug submitted by victim_of_life: https://hackerone.com/reports/2932410 [...]

See full content

cloudflare.bat

on 10/02/2025

See full content

I Used AI To Hack This Site

on 10/02/2025

See full content

Clickjacking in main domain https://topechelon.com/

on 10/02/2025

Top Echelon Software disclosed a bug submitted by genz-1: https://hackerone.com/reports/2964441 [...]

See full content

Pairwise Authentication of Humans

on 10/02/2025

Here’s an easy system for two humans to remotely authenticate to each other, so they can be sure that neither is a digital impersonation. To mitigate that risk, I have developed this simple solution where you can set up a unique time-based one-time passcode (TOTP) between any pair of persons. This is how it works: Two people, Person A and Person B, sit in front of the same computer and open [...]

See full content

This New Feature On Intigriti Could Get You MORE Bounty For The Same Bug ...!

on 10/02/2025

See full content

Midnight snack - easy way to upgrade your noodles

on 09/02/2025

See full content

Unauthenticated API Access Exposing Premium Content and Financial Data

on 09/02/2025

XVIDEOS disclosed a bug submitted by mcblockchamp: https://hackerone.com/reports/2979176 [...]

See full content

API Data Leakage Vulnerability Report - `xvcams.com`

on 09/02/2025

XVIDEOS disclosed a bug submitted by mcblockchamp: https://hackerone.com/reports/2979153 [...]

See full content

CNWPP - Live lesson - Day 1 - Deliverables - 1/2

on 09/02/2025

See full content

Host Header Attack

on 08/02/2025

RubyGems disclosed a bug submitted by n_ob_o_dy: https://hackerone.com/reports/2627221 [...]

See full content

UK Is Ordering Apple to Break Its Own Encryption

on 08/02/2025

The Washington Post is reporting that the UK government has served Apple with a “technical capability notice” as defined by the 2016 Investigatory Powers Act, requiring it to break the Advanced Data Protection encryption in iCloud for the benefit of law enforcement. This is a big deal, and something we in the security community have worried was coming for a while now. The law, known by [...]

See full content

Release Notes: New Version Of Ghidra 11.3 - Reverse Engineering Tool

on 08/02/2025

See full content

("possible") UAF

on 08/02/2025

curl disclosed a bug submitted by 7mkrooal: https://hackerone.com/reports/2981245 [...]

See full content

Teen on Musk’s DOGE Team Graduated from ‘The Com’

by BrianKrebs on 08/02/2025

Wired reported this week that a 19-year-old working for Elon Musk‘s so-called Department of Government Efficiency (DOGE) was given access to sensitive US government systems even though his past association with cybercrime communities should have precluded him from gaining the necessary security clearances to do so. As today’s story explores, the DOGE teen is a former denizen of ‘ [...]

See full content

Friday Squid Blogging: The Colossal Squid

on 07/02/2025

Long article on the colossal squid. Blog moderation policy. [...]

See full content

A Little Tale Of IDOR API Hacking - Demonstration Of How To Look For BAC #OWASP #BAC #bugbounty

on 07/02/2025

See full content

AI Security is API Security: What CISOs and CIOs Need to Know

by Tim Erlin on 07/02/2025

Just when CIOs and CISOs thought they were getting a grip on API security, AI came along and shook things up. In the past few years, a huge number of organizations have adopted AI, realizing innumerable productivity, operational, and efficiency benefits. However, they’re also having to deal with unprecedented API security challenges.  Wallarm’s Annual 2025 API ThreatStats™ Report reveals a [...]

See full content

Shellcode Loaders! (Windows Malware Development)

on 07/02/2025

See full content

Show SSRF Impact With These 3 Techniques

on 07/02/2025

See full content

Error Page Content Spoofing or Text Injection

on 07/02/2025

XVIDEOS disclosed a bug submitted by mcblockchamp: https://hackerone.com/reports/2979148 [...]

See full content

CVE-2024-53908: Django Potential SQL injection in `HasKey(lhs, rhs)` on Oracle

on 07/02/2025

Internet Bug Bounty disclosed a bug submitted by scyoon: https://hackerone.com/reports/2882887 [...]

See full content

CVE-2025-0167: netrc and default credential leak

on 07/02/2025

curl disclosed a bug submitted by sherlock2010: https://hackerone.com/reports/2917232 [...]

See full content

CVE-2025-0665: eventfd double close

on 07/02/2025

curl disclosed a bug submitted by ankomcoper: https://hackerone.com/reports/2954286 [...]

See full content

Gain Actionable, Data-backed Insights with HackerOne Recommendations

by Caroline Collins on 06/02/2025

What if your security program could self-optimize: analyze trends, identify weak points, and proactively propose actionable steps to strengthen defenses? With HackerOne Recommendations, it can. [...]

See full content

Experts Flag Security, Privacy Risks in DeepSeek AI App

by BrianKrebs on 06/02/2025

New mobile apps from the Chinese artificial intelligence (AI) company DeepSeek have remained among the top three “free” downloads for Apple and Google devices since their debut on Jan. 25, 2025. But experts caution that many of DeepSeek’s design choices — such as using hard-coded encryption keys, and sending unencrypted user and device data to Chinese companies — intr [...]

See full content

Error Page Content Spoofing or Text Injection

on 06/02/2025

XVIDEOS disclosed a bug submitted by mcblockchamp: https://hackerone.com/reports/2968559 [...]

See full content

CVE-2024-56374 Potential denial-of-service in IPv6 validation

on 06/02/2025

Internet Bug Bounty disclosed a bug submitted by 0xsaravana: https://hackerone.com/reports/2939077 [...]

See full content

XSS on using the legacy "Graphie To Png" API

on 06/02/2025

Khan Academy disclosed a bug submitted by sikn: https://hackerone.com/reports/2846011 [...]

See full content

Open redirect

on 06/02/2025

XVIDEOS disclosed a bug submitted by p_anand1234: https://hackerone.com/reports/2957962 [...]

See full content

[CVE-2024-54133] Possible Content Security Policy bypass in Action Dispatch

on 06/02/2025

Internet Bug Bounty disclosed a bug submitted by ryotak: https://hackerone.com/reports/2905532 [...]

See full content

ActionView sanitize helper bypass with 'style' and 'svg' tags

on 06/02/2025

Internet Bug Bounty disclosed a bug submitted by taise: https://hackerone.com/reports/2931688 [...]

See full content

ActionView sanitize helper bypass with noscript

on 06/02/2025

Internet Bug Bounty disclosed a bug submitted by taise: https://hackerone.com/reports/2931691 [...]

See full content

ActionView sanitize helper bypass with style

on 06/02/2025

Internet Bug Bounty disclosed a bug submitted by mokusou: https://hackerone.com/reports/2931639 [...]

See full content

ActionView sanitize helper bypass with style and math

on 06/02/2025

Internet Bug Bounty disclosed a bug submitted by mokusou: https://hackerone.com/reports/2931636 [...]

See full content

#2931639 ActionView sanitize helper bypass with math-related tags

on 06/02/2025

Internet Bug Bounty disclosed a bug submitted by mokusou: https://hackerone.com/reports/2931710 [...]

See full content

GOAWAY HTTP/2 frames cause memory leak outside heap

on 06/02/2025

Node.js disclosed a bug submitted by newtmitch: https://hackerone.com/reports/2841362 [...]

See full content

curl allows SSH connection even if host is not in known_hosts

on 05/02/2025

curl disclosed a bug submitted by nyymi: https://hackerone.com/reports/2961050 [...]

See full content

CVE-2024-45230 - Potential denial-of-service in django.utils.html.urlize() (Another pattern)

on 05/02/2025

Internet Bug Bounty disclosed a bug submitted by mprogrammer: https://hackerone.com/reports/2881639 - Bounty: $2162 [...]

See full content

LIVE IoT Hacking | Matt Brown | AMA | Hardware Hacking

on 05/02/2025

See full content

Hackers found a way to unlock and track every Subaru! 🤯 #hacking #bugbounty #cybernews

on 05/02/2025

See full content

Weak credentials found in Jenkins endpoint

on 05/02/2025

IBM disclosed a bug submitted by sweetheart1337_: https://hackerone.com/reports/2954547 [...]

See full content

CVE-2025-0725: gzip integer overflow

on 05/02/2025

curl disclosed a bug submitted by z2_: https://hackerone.com/reports/2956023 [...]

See full content

Preventing account takeover on centralized cryptocurrency exchanges in 2025

on 05/02/2025

This blog post highlights key points from our new white paper Preventing Account Takeovers on Centralized Cryptocurrency Exchanges, which documents ATO-related attack vectors and defenses tailored to CEXes. Imagine trying to log in to your centralized cryptocurrency exchange (CEX) account and your password and username just… don’t work. You […] [...]

See full content

Hybrid Pentesting: The Smart Approach to Securing your Assets

by Intigriti on 05/02/2025

Pentesting-as-a-Service is your next crucial layer of security For businesses dedicated to their security, they’ll know that truly mature infrastructure doesn’t involve just one kind of protection. Vulnerability scanners, firewalls, periodic penetration tests, and bug bounties are all independent layers of an onion of well-rounded cybersecurity. They each serve different purpos… [...]

See full content

This Simple Race Condition Made Everything FREE

on 04/02/2025

See full content

Who’s Behind the Seized Forums ‘Cracked’ & ‘Nulled’?

by BrianKrebs on 04/02/2025

The FBI joined authorities across Europe last week in seizing domain names for Cracked and Nulled, English-language cybercrime forums with millions of users that trafficked in stolen data, hacking tools and malware. An investigation into the history of these communities shows their apparent co-founders quite openly operate an Internet service provider and a pair of e-commerce platforms catering to [...]

See full content

There is a POST based CSRF issue over IBM endpoint leading to modification of contact information.

on 04/02/2025

IBM disclosed a bug submitted by youssifs7: https://hackerone.com/reports/2919623 [...]

See full content

Action Text XSS (Rails 7.1.x)

on 04/02/2025

Ruby on Rails disclosed a bug submitted by ooooooo_q: https://hackerone.com/reports/2389565 [...]

See full content

Welcome, Hackbots: How AI Is Shaping the Future of Vulnerability Discovery

by Michiel Prins on 03/02/2025

What are Hackbots and how are they impacting vulnerability discovery and the researcher community? [...]

See full content

Open Redirection affects autodiscover.rockstargames.com

on 03/02/2025

Rockstar Games disclosed a bug submitted by osama-hamad: https://hackerone.com/reports/1269332 [...]

See full content

almost got scammed

on 03/02/2025

See full content

Sources

The content of this page is fetched from the following sources:

  1. Datadog Security Labs
  2. The Trail of Bits Blog
  3. Phylum Research | Software Supply Chain Security
  4. Schneier on Security
  5. Krebs on Security
  6. Google Online Security Blog
  7. $BLOG_TITLE
  8. Agarri : Sécurité informatique offensive
  9. Alex Chapman's Blog
  10. www.alphabot.com
  11. Brett Buerhaus
  12. Bug Bounty Reports Explained
  13. Bugcrowd
  14. cat ~/footstep.ninja/blog.txt
  15. Ezequiel Pereira
  16. HackerOne
  17. HackerOne
  18. surajdisoja.me
  19. InsiderPhD
  20. Intigriti
  21. John Hammond
  22. LiveOverflow
  23. NahamSec
  24. PortSwigger Blog
  25. Rana Khalil
  26. Richard’s Infosec blog
  27. Ron Chan
  28. ropnop blog
  29. STÖK
  30. Sun Knudsen
  31. The Cyber Mentor
  32. The unofficial HackerOne disclosure timeline
  33. The XSS rat
  34. TomNomNom
  35. Wallarm