InfoSec Planet

A collection of diverse security content from a curated list of sources. This website also serves as a demo for "worker-planet", the software that powers it.

KrebsOnSecurity Hit With Near-Record 6.3 Tbps DDoS

by BrianKrebs on 20/05/2025

KrebsOnSecurity last week was hit by a near-record distributed denial-of-service (DDoS) attack that clocked in at more than 6.3 terabits of data per second (a terabit is one trillion bits of data). The brief attack appears to have been a test run for a massive new Internet of Things (IoT) botnet capable of launching crippling digital assaults that few web destinations can withstand. Read on for mo [...]

See full content

ThinkPad FDE vs Apple Data Protection and WT_ is Opal

on 20/05/2025

See full content

How to Write Shellcode in 3 Minutes!

on 20/05/2025

See full content

Learn Quantum Computing!

on 20/05/2025

See full content

DoorDash Hack

on 20/05/2025

A DoorDash driver stole over $2.5 million over several months: The driver, Sayee Chaitainya Reddy Devagiri, placed expensive orders from a fraudulent customer account in the DoorDash app. Then, using DoorDash employee credentials, he manually assigned the orders to driver accounts he and the others involved had created. Devagiri would then mark the undelivered orders as complete and prompt DoorDas [...]

See full content

`Curl_socketpair()` fallback vulnerable to man-in-the-middle attack

on 20/05/2025

curl disclosed a bug submitted by jmanojlovich: https://hackerone.com/reports/3148937 [...]

See full content

CREST accreditation reinforces Intigriti’s pentesting excellence

by Eleanor Barlow on 20/05/2025

Intigriti, a global crowdsourced security provider, is delighted to announce that it is now CREST accredited. Who is CREST? CREST, a globally recognised not-for-profit authority in cyber security, rigorously assesses organisations against stringent standards for quality, technical proficiency, and operational integrity. This accreditation acknowledges that Intigriti meets CREST… [...]

See full content

Any WARP User Can Access Organization-Specific Application

on 19/05/2025

Cloudflare Public Bug Bounty disclosed a bug submitted by jai-kandepu: https://hackerone.com/reports/2802817 [...]

See full content

golang obfuscated malware goes crazy

on 19/05/2025

See full content

This Browser Hack Scored Me a $20,000 Bug Bounty

on 19/05/2025

See full content

The NSA’s “Fifty Years of Mathematical Cryptanalysis (1937–1987)”

on 19/05/2025

In response to a FOIA request, the NSA released “Fifty Years of Mathematical Cryptanalysis (1937-1987),” by Glenn F. Stahly, with a lot of redactions. Weirdly, this is the second time the NSA has declassified the document. John Young got a copy in 2019. This one has a few fewer redactions. And nothing that was provided in 2019 was redacted here. If you find anything interesting in the d [...]

See full content

SQLi still exists in 2025 feat. Jasmin “JR0ch17” Landry #bugbounty #bugbountytips #bugbountyhunter

on 19/05/2025

See full content

CC5: introduction to bug bounties is on sale now

on 18/05/2025

See full content

Multi tenant architecture

on 18/05/2025

See full content

IDOR Hacking Guide With Practical Examples [FREE FULL 2 HOUR WEBINAR]

on 18/05/2025

See full content

CORS: A complete guide to exploiting advanced CORS misconfiguration vulnerabilities

by blackbird-eu on 18/05/2025

CORS misconfiguration vulnerabilities are a highly underestimated vulnerability class. With an impact ranging from sensitive information disclosure to facilitating SSRF attacks, this client-side security vulnerability should always be part of your security testing. In this article, we will explore the identification and exploitation of advanced CORS misconfiguration vulnerabili… [...]

See full content
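The CORS item above is about identifying misconfigured origin policies. The checker below is an added example, not code from the Intigriti article: the two server policies are constructed stand-ins (a suffix match without a dot anchor plus a trusted `null` origin, and an exact-match allowlist) so the logic can run offline, and the hostnames are illustrative.

```python
"""Added example for the CORS item above. This is not code from the Intigriti
article; the two server policies are constructed stand-ins so the checker can
run offline, and the hostnames are illustrative."""
from typing import Callable, Dict, List, Optional
from urllib.parse import urlparse

ACAO = "Access-Control-Allow-Origin"
ACAC = "Access-Control-Allow-Credentials"


def vulnerable_policy(origin: Optional[str]) -> Dict[str, str]:
    """Constructed weak policy: trusts any host that merely ends with the
    string 'example.com' (no dot anchor) plus the literal 'null' origin, and
    reflects the caller's Origin with credentials enabled."""
    if origin is None:
        return {}
    host = urlparse(origin).hostname or ""
    if origin == "null" or host.endswith("example.com"):
        return {ACAO: origin, ACAC: "true"}
    return {}


def hardened_policy(origin: Optional[str]) -> Dict[str, str]:
    """Exact-match allowlist; anything else gets no CORS headers at all."""
    allowlist = {"https://app.example.com"}
    if origin in allowlist:
        return {ACAO: origin, ACAC: "true"}
    return {}


def classify(origin_sent: str, headers: Dict[str, str]) -> str:
    """Label one response the way a manual tester would read it."""
    acao = headers.get(ACAO)
    creds = headers.get(ACAC, "").lower() == "true"
    if acao is None:
        return "no-cors"
    if acao == "*":
        # browsers refuse credentialed reads for '*', so only public data leaks
        return "wildcard"
    if acao == origin_sent:
        return "reflected+credentials" if creds else "reflected"
    return "fixed-allowlist"


# Origins an attacker can actually serve from: a foreign domain, a domain that
# shares a suffix with the target, a subdomain that embeds the target's name,
# and the 'null' origin produced by sandboxed iframes and some redirects.
ATTACKER_ORIGINS: List[str] = [
    "https://evil.example",
    "https://evilexample.com",
    "https://api.example.com.evil.example",
    "null",
]


def findings(policy: Callable[[Optional[str]], Dict[str, str]]) -> List[str]:
    """Return attacker-controlled origins that the policy would let read
    authenticated responses, i.e. reflected with credentials."""
    return [o for o in ATTACKER_ORIGINS
            if classify(o, policy(o)) == "reflected+credentials"]


if __name__ == "__main__":
    print("vulnerable:", findings(vulnerable_policy))
    print("hardened:  ", findings(hardened_policy))
```

Against a live target the same `classify` call is applied to the headers of a real response sent with each probe `Origin`; the bugs worth reporting are the ones where an origin you control comes back reflected together with `Access-Control-Allow-Credentials: true`.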

Why one can’t secure erase older Macs

on 17/05/2025

See full content

Using match and replace rules for quickly applying polyglot payloads feat. Jasmin “JR0ch17” Landry #

on 17/05/2025

See full content

Manipulating referer policy when DOM Purify is used feat. Jasmin “JR0ch17” Landry #bugbounty #bugbou

on 17/05/2025

See full content

Friday Squid Blogging: Pet Squid Simulation

on 16/05/2025

From Hackaday.com, this is a neural network simulation of a pet squid. Autonomous Behavior: The squid moves autonomously, making decisions based on his current state (hunger, sleepiness, etc.). Implements a vision cone for food detection, simulating realistic foraging behavior. Neural network can make decisions and form associations. Weights are analysed, tweaked and trained by Hebbian learning a [...]

See full content

Meet Bjorn, the Easy to Build Hacking Tool!

on 16/05/2025

See full content

Communications Backdoor in Chinese Power Inverters

on 16/05/2025

This is a weird story: U.S. energy officials are reassessing the risk posed by Chinese-made devices that play a critical role in renewable energy infrastructure after unexplained communication equipment was found inside some of them, two people familiar with the matter said. […] Over the past nine months, undocumented communication devices, including cellular radios, have also been found in [...]

See full content

Second order injections feat. Jasmin “JR0ch17” Landry #bugbounty #bugbountytips #bugbountyhunter

on 16/05/2025

See full content

Top 3 Beginner Mistakes Every Bounty Hunter Makes

on 15/05/2025

See full content

Breachforums Boss to Pay $700k in Healthcare Breach

by BrianKrebs on 15/05/2025

In what experts are calling a novel legal outcome, the 22-year-old former administrator of the cybercrime community Breachforums will forfeit nearly $700,000 to settle a civil lawsuit from a health insurance company whose customer data was posted for sale on the forum in 2023. Conor Brian Fitzpatrick, a.k.a. “Pompompurin,” is slated for resentencing next month after pleading guilty to [...]

See full content

Shopify Partners Invitation Process Allows Privilege Escalation Without Email Verification

on 15/05/2025

Shopify disclosed a bug submitted by mr_asg: https://hackerone.com/reports/2885269 - Bounty: $3500 [...]

See full content

Bedrock Guardrails Evasion with Prompt Formatting

on 15/05/2025

AWS VDP disclosed a bug submitted by nkirk-nrlabs: https://hackerone.com/reports/3056937 [...]

See full content

Corrupted pointer in node::fs::ReadFileUtf8(const FunctionCallbackInfo<Value>& args) when args[0] is a string.

on 15/05/2025

Node.js disclosed a bug submitted by justinnietzel: https://hackerone.com/reports/3083428 [...]

See full content

How to find out if app is tracking you

on 15/05/2025

See full content

The CVE Foundation Interview

on 15/05/2025

See full content

Easy Weekend Project to Boost Your IT Resume!

on 15/05/2025

See full content

Weak Rate Limiting Controls in the (LOGIN) page Expose System to Brute Force and DoS Attacks

on 15/05/2025

Lichess disclosed a bug submitted by hajjaj-: https://hackerone.com/reports/3085889 [...]

See full content

Open Redirect Vulnerability in OAuth Flow Leading to Potential Phishing Attack

on 15/05/2025

Lichess disclosed a bug submitted by delsec_: https://hackerone.com/reports/3099816 [...]

See full content

AI-Generated Law

on 15/05/2025

On April 14, Dubai’s ruler, Sheikh Mohammed bin Rashid Al Maktoum, announced that the United Arab Emirates would begin using artificial intelligence to help write its laws. A new Regulatory Intelligence Office would use the technology to “regularly suggest updates” to the law and “accelerate the issuance of legislation by up to 70%.” AI would create a “comprehen [...]

See full content

Developer Leaks API Key for Private Tesla, SpaceX LLMs

by Tim Erlin on 15/05/2025

In AI, as with so many advancing technologies, security often lags innovation. The xAI incident, during which a sensitive API key remained exposed for nearly two months, is a stark reminder of this disconnect. Such oversights not only jeopardize proprietary technologies but also highlight systemic vulnerabilities in API management. As more organizations integrate AI into their operations, ensurin [...]

See full content

[Xenoblade Chronicles X: Definitive Edition] Unrestricted RPCs allow DoS and writing arbitrary flags remotely

on 15/05/2025

Nintendo disclosed a bug submitted by roccodev: https://hackerone.com/reports/3062122 [...]

See full content

[Xenoblade Chronicles X: Definitive Edition] Improper validation of names allows injecting formatting tags and bypassing profanity filter

on 15/05/2025

Nintendo disclosed a bug submitted by roccodev: https://hackerone.com/reports/3052880 [...]

See full content

Improper error handling in async cryptographic operations crashes process

on 14/05/2025

Node.js disclosed a bug submitted by tniessen: https://hackerone.com/reports/2817648 [...]

See full content

LIVE: Web Hacking | Pentesting | AppSec | Cybersecurity | TryHackme | AMA

on 14/05/2025

See full content

Upcoming Speaking Engagements

on 14/05/2025

This is a current list of where and when I am scheduled to speak: I’m speaking (remotely) at the Sektor 3.0 Festival in Warsaw, Poland, May 21-22, 2025. The list is maintained on this page. [...]

See full content

Goodbye Samsung T7 Touch, you will be missed

on 14/05/2025

See full content

The mindset for finding highs and crits in bug bounty with JR0ch17

on 14/05/2025

See full content

Patch Tuesday, May 2025 Edition

by BrianKrebs on 14/05/2025

Microsoft on Tuesday released software updates to fix at least 70 vulnerabilities in Windows and related products, including five zero-day flaws that are already seeing active exploitation. Adding to the sense of urgency with this month’s patch batch from Redmond are fixes for two other weaknesses that now have public proof-of-concept exploits available. Microsoft and several security firms [...]

See full content

Google’s Advanced Protection Now on Android

on 14/05/2025

Google has extended its Advanced Protection features to Android devices. It’s not for everybody, but something to be considered by high-risk users. Wired article, behind a paywall. [...]

See full content

The cryptography behind passkeys

on 14/05/2025

This post will examine the cryptography behind passkeys, the guarantees they do or do not give, and interesting cryptographic things you can do with them, such as generating cryptographic keys and storing certificates. [...]

See full content

What's new in Burp Suite Professional: A year of innovation

on 14/05/2025

Over the past year, we’ve been hard at work making Burp Suite Professional faster, smarter, and more powerful than ever before. From the launch of Burp AI to major performance upgrades, there's never [...]

See full content

Introducing assets: a first step to a more centralized approach

by Yannick Merckx on 14/05/2025

We’re pleased to share a significant new change to our platform for companies. Our goal is to empower our customers with clear, actionable insights into their attack surface. We aim to create a platform where managing your digital footprint is intuitive, collaboration is effective, and understanding impact is straightforward. Today, we’re taking a big step forward: Introducin… [...]

See full content

Meet Bjorn: The Viking Network Raider!

on 13/05/2025

See full content

What’s New in Android Security and Privacy in 2025

on 13/05/2025

Posted by Dave Kleidermacher, VP Engineering, Android Security and Privacy Android’s intelligent protections keep you safe from everyday dangers. Our dedication to your security is validated by security experts, who consistently rank top Android devices highest in security, and score Android smartphones, led by the Pixel 9 Pro, as leaders in anti-fraud efficacy. Android is always developing new [...]

See full content

Advanced Protection: Google’s Strongest Security for Mobile Devices

on 13/05/2025

Posted by Il-Sung Lee, Group Product Manager, Android Security Protecting users who need heightened security has been a long-standing commitment at Google, which is why we have our Advanced Protection Program that provides Google’s strongest protections against targeted attacks. To enhance these existing device defenses, Android 16 extends Advanced Protection with a device-level security setting [...]

See full content

user api key leaked

on 13/05/2025

WakaTime disclosed a bug submitted by atasec: https://hackerone.com/reports/3098717 [...]

See full content

New - In 2022 - XSS Attack Vectors By Garth Heyes

on 13/05/2025

See full content

Court Rules Against NSO Group

on 13/05/2025

The case is over: A jury has awarded WhatsApp $167 million in punitive damages in a case the company brought against Israel-based NSO Group for exploiting a software vulnerability that hijacked the phones of thousands of users. I’m sure it’ll be appealed. Everything always is. [...]

See full content

Netlify Authentication Token Exposed in Public Mozilla CI Logs

on 13/05/2025

Mozilla disclosed a bug submitted by samirsec0x01: https://hackerone.com/reports/2915647 - Bounty: $1500 [...]

See full content

Tales from the cloud trenches: The Attacker doth persist too much, methinks

on 13/05/2025

A cloud attack targeting Amazon SES and persistence via AWS Lambda, AWS IAM Identity Center and AWS IAM [...]

See full content

insecure deserialize object leads to RCE On Sitecore (CVE--27218)

on 12/05/2025

Mars disclosed a bug submitted by reinhardtthe: https://hackerone.com/reports/3090123 [...]

See full content

Users Data Exposure via Insecure Endpoint

on 12/05/2025

Mars disclosed a bug submitted by bughunter0x7: https://hackerone.com/reports/2828608 [...]

See full content

debug.log leaked []

on 12/05/2025

Mars disclosed a bug submitted by imeng: https://hackerone.com/reports/3063026 [...]

See full content

massive PII leakage for

on 12/05/2025

Mars disclosed a bug submitted by thpless: https://hackerone.com/reports/2887506 [...]

See full content

change part of personal information of all users

on 12/05/2025

Mars disclosed a bug submitted by bughunter0x7: https://hackerone.com/reports/2828693 [...]

See full content

Status update

on 12/05/2025

See full content

The Ongoing Risks of Hardcoded JWT Keys

by Sergei Okhotin on 12/05/2025

In early May 2025, Cisco released software fixes to address a flaw in its IOS XE Software for Wireless LAN Controllers (WLCs). The vulnerability, tracked as CVE-2025-20188, has a CVSS score of 10.0 and could enable an unauthenticated, remote attacker to upload arbitrary files to a susceptible system – but the real story is that this vulnerability drives home the persistent risks associated with h [...]

See full content
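The Wallarm item above makes the point that a JWT signing key baked into shipped software lets anyone who extracts it mint tokens the service will accept. The following is an added example illustrating that point, not code from the article and not Cisco's implementation: a minimal HS256 sign/verify using only the standard library, a service that trusts a hardcoded key beside one that generates its key at deployment time, and the forged token an attacker builds once the hardcoded key is known. `HARDCODED_KEY` and the claims are constructed placeholders.

```python
"""Added example for the hardcoded-JWT-key item above. Not the article's or
Cisco's code; HARDCODED_KEY and all claims are constructed placeholders."""
import base64
import hashlib
import hmac
import json
import secrets
from typing import Optional, Tuple


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_hs256(claims: dict, key: bytes) -> str:
    """Produce header.payload.signature with HMAC-SHA256 over the first two."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"},
                               separators=(",", ":")).encode())
    payload = b64url(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}".encode()
    sig = hmac.new(key, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"


def verify_hs256(token: str, key: bytes) -> Optional[dict]:
    """Return the claims if the token is well-formed, HS256 and the MAC matches.
    The alg is pinned so an 'alg: none' or RS256-confusion token is rejected."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        return None
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        return None
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        return None
    return json.loads(b64url_decode(payload_b64))


# The weak pattern: one key compiled into every shipped build, recoverable by
# anyone who can read the binary or the source. Constructed placeholder value.
HARDCODED_KEY = b"notsosecret"


class Service:
    """Token issuer and verifier sharing one HMAC key."""

    def __init__(self, key: bytes) -> None:
        self.key = key

    def issue(self, user: str, role: str) -> str:
        return sign_hs256({"sub": user, "role": role}, self.key)

    def is_admin(self, token: str) -> bool:
        claims = verify_hs256(token, self.key)
        return bool(claims) and claims.get("role") == "admin"


def attacker_forges(known_key: bytes) -> str:
    """An attacker with the key needs no account: they sign their own claims."""
    return sign_hs256({"sub": "attacker", "role": "admin"}, known_key)


def demo() -> Tuple[bool, bool]:
    """(forged token accepted by hardcoded-key service,
        forged token accepted by per-deployment-key service)"""
    weak = Service(HARDCODED_KEY)
    # Generated at install or first boot and never shipped in the image.
    strong = Service(secrets.token_bytes(32))
    forged = attacker_forges(HARDCODED_KEY)
    return weak.is_admin(forged), strong.is_admin(forged)


if __name__ == "__main__":
    print(demo())
```

The fix has two parts and both matter: a secret that is unique per deployment (so leaking one device's key exposes one device), and a verifier that pins the algorithm, because a verifier that honours whatever `alg` the token claims can be bypassed without any key at all.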

This Tiny Chrome Behavior Leads to an Account Takeover

on 12/05/2025

See full content

The Gremlin Stealer Malware

on 12/05/2025

See full content

Florida Backdoor Bill Fails

on 12/05/2025

A Florida bill requiring encryption backdoors failed to pass. [...]

See full content

The link between security maturity and bug bounty success

by Eleanor Barlow on 12/05/2025

What defines a security maturity posture? A security maturity posture refers to an organization’s ability to detect, manage, and mitigate security vulnerabilities and risks. It reflects how well the organization applies programs, processes, and controls to protect its assets and data. Generally, a higher security maturity posture indicates a stronger capability to identify an… [...]

See full content

Team Shellphish AIxCC Interview

on 11/05/2025

See full content

Memory Leak

on 10/05/2025

curl disclosed a bug submitted by antypanty: https://hackerone.com/reports/3137657 [...]

See full content

Artificial Intelligence x Cyber Challenge (DARPA Interview)

on 10/05/2025

See full content

Friday Squid Blogging: Japanese Divers Video Giant Squid

on 09/05/2025

The video is really amazing. As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered. [...]

See full content

How APTs Steal Your Secrets

on 09/05/2025

See full content

Race condition on add 1 free domain

on 09/05/2025

Automattic disclosed a bug submitted by root_geek280: https://hackerone.com/reports/2616045 [...]

See full content

How Hackers Steal Passwords

on 09/05/2025

See full content

Enable 2FA without verifying the email

on 09/05/2025

XVIDEOS disclosed a bug submitted by samtime: https://hackerone.com/reports/3016540 [...]

See full content

Free Cybersecurity & IT Training From TCM Security!

on 08/05/2025

See full content

Using AI to stop tech support scams in Chrome

on 08/05/2025

Posted by Jasika Bawa, Andy Lim, and Xinghui Lu, Google Chrome Security Tech support scams are an increasingly prevalent form of cybercrime, characterized by deceptive tactics aimed at extorting money or gaining unauthorized access to sensitive data. In a tech support scam, the goal of the scammer is to trick you into believing your computer has a serious problem, such as a virus or malware infe [...]

See full content

Ability to access policy and updates for unauthorized program

on 08/05/2025

HackerOne disclosed a bug submitted by light3r: https://hackerone.com/reports/2965723 [...]

See full content

CRLF Injection in `--proxy-header` allows extra HTTP headers (CWE-93)

on 08/05/2025

curl disclosed a bug submitted by oblivionsage: https://hackerone.com/reports/3133379 [...]

See full content

API Threat Trends: How Attackers Are Exploiting Business Logic

by Tim Erlin on 08/05/2025

As businesses rely more on APIs, attackers are quick to turn that trust into opportunity. Among the most dangerous and difficult-to-detect threats are business logic exploits, which let cybercriminals manipulate legitimate functionality to gain unauthorized access, exfiltrate data, or disrupt operations. These attacks often slip past traditional defenses unnoticed, making them a growing concern f [...]

See full content

Unauthorized Account Access via Leaked Credentials in URL Format (Account Takeover )

on 07/05/2025

Khan Academy disclosed a bug submitted by firec4t: https://hackerone.com/reports/3080597 [...]

See full content

Pakistani Firm Shipped Fentanyl Analogs, Scams to US

by BrianKrebs on 07/05/2025

A Texas firm recently charged with conspiring to distribute synthetic opioids in the United States is at the center of a vast network of companies in the U.S. and Pakistan whose employees are accused of using online ads to scam westerners seeking help with trademarks, book writing, mobile app development and logo designs, a new investigation reveals. In an indictment (PDF) unsealed last month, the [...]

See full content

Path Traversal Vulnerability found on IBM Cloud

on 07/05/2025

IBM disclosed a bug submitted by 0x4bdo: https://hackerone.com/reports/3060373 [...]

See full content

LIVE: Web Hacking | Pentesting | AppSec | Cybersecurity | TryHackme | AMA

on 07/05/2025

See full content

cybersecurity expert gets hacked

on 07/05/2025

See full content

HTML Injection in LinkedIn Premium Support Chat

on 07/05/2025

LinkedIn disclosed a bug submitted by nagu123: https://hackerone.com/reports/3079966 [...]

See full content

RedisRaider: Weaponizing misconfigured Redis to mine cryptocurrency at scale

on 07/05/2025

Learn how RedisRaider is targeting publicly accessible Redis servers to mine cryptocurrency. [...]

See full content

Hacking My Dog's Microchip With a Flipper Zero!

on 06/05/2025

See full content

BAC Bypass chatbot restrictions via unauthorized mention injection

on 06/05/2025

Dust disclosed a bug submitted by yoyomiski: https://hackerone.com/reports/3112106 [...]

See full content

Blocking EVERYTHING with Windows Firewall

on 06/05/2025

See full content

How I Got an AI Chatbot to Spill Its Secrets Using Just a Prompt

on 05/05/2025

See full content

HTTP/3 Stream Dependency Cycle Exploit

on 04/05/2025

curl disclosed a bug submitted by evilginx: https://hackerone.com/reports/3125832 [...]

See full content

CAPIE - Certified API hacking Expert [FULL 8 HOUR COURSE]

on 03/05/2025

See full content

Boys are a waste of time 🥹🙊

on 03/05/2025

See full content

`/names.nsf` and all `/names*` files route to public API on rubygems.org

on 03/05/2025

RubyGems disclosed a bug submitted by jagat-singh: https://hackerone.com/reports/3097900 [...]

See full content

Open Redirect on https://api.fastly.com/

on 02/05/2025

Fastly VDP disclosed a bug submitted by hasn0x: https://hackerone.com/reports/2265413 [...]

See full content

Learn Next Level OSINT!

on 02/05/2025

See full content

How to Pass the PNPT: From Zero to Hero!

on 02/05/2025

See full content

Middleware Authentication Bypass on IBM Portal

on 02/05/2025

IBM disclosed a bug submitted by muhammadwaseem3: https://hackerone.com/reports/3088290 [...]

See full content

Stored XSS in File Upload Leads to Privilege Escalation and Full Workspace Takeover

on 02/05/2025

Dust disclosed a bug submitted by sjalu: https://hackerone.com/reports/3115705 [...]

See full content

Datasig: Fingerprinting AI/ML datasets to stop data-borne attacks

on 02/05/2025

Datasig generates compact, unique fingerprints for AI/ML datasets that let you compare training data with high accuracy—without needing access to the raw data itself. This critical capability helps AIBOM (AI bill of materials) tools detect data-borne vulnerabilities that traditional security tools completely miss. [...]

See full content

Sources

The content of this page is fetched from the following sources:

  1. Datadog Security Labs
  2. The Trail of Bits Blog
  3. Phylum Research | Software Supply Chain Security
  4. Schneier on Security
  5. Krebs on Security
  6. Google Online Security Blog
  7. $BLOG_TITLE
  8. Agarri : Sécurité informatique offensive
  9. Alex Chapman's Blog
  10. www.alphabot.com
  11. Brett Buerhaus
  12. Bug Bounty Reports Explained
  13. Bugcrowd
  14. cat ~/footstep.ninja/blog.txt
  15. Ezequiel Pereira
  16. HackerOne
  17. surajdisoja.me
  18. InsiderPhD
  19. Intigriti
  20. John Hammond
  21. LiveOverflow
  22. NahamSec
  23. PortSwigger Blog
  24. Rana Khalil
  25. Richard’s Infosec blog
  26. Ron Chan
  27. ropnop blog
  28. STÖK
  29. Sun Knudsen
  30. The Cyber Mentor
  31. The unofficial HackerOne disclosure timeline
  32. HackerRats (XSS Rat)
  33. TomNomNom
  34. Wallarm