InfoSec Planet

AWS VDP disclosed a bug submitted by necr0mancer: https://hackerone.com/reports/2784712 [...]

See full content

The headline is pretty scary: “China’s Quantum Computer Scientists Crack Military-Grade Encryption.” No, it’s not true. This debunking saved me the trouble of writing one. It all seems to have come from this news article, which wasn’t bad but was taken widely out of proportion. Cryptography is safe, and will be for a long time [...]

See full content

See full content

Endless Group disclosed a bug submitted by seqode: https://hackerone.com/reports/791381 [...]

See full content

See full content

See full content

See full content

Tax farming is the practice of licensing tax collection to private contractors. Used heavily in ancient Rome, it’s largely fallen out of practice because of the obvious conflict of interest between the state and the contractor. Because tax farmers are primarily interested in short-term revenue, they have no problem abusing taxpayers and making things worse for them in the long term. Today, the U.S [...]

See full content

See full content

MTN Group disclosed a bug submitted by mathara: https://hackerone.com/reports/1779447 [...]

See full content

MTN Group disclosed a bug submitted by mathara: https://hackerone.com/reports/1780399 [...]

See full content

See full content

Cute squid scarf. Blog moderation policy. [...]

See full content

Phylum’s automated risk detection platform recently flagged several suspicious packages published to npm. Upon investigation, we found these packages attempting to exfiltrate Ethereum private keys and gain SSH access to the victim’s machine by writing the attacker’s SSH public key in the root user’s authorized_keys file.--cta--Stop me if you’ve heard this one bef [...]

See full content

See full content

The Wall Street Journal is reporting that the CEO of a still unnamed company has been indicted for creating a fake auditing company to falsify security certifications in order to win government business. [...]

See full content

WordPress disclosed a bug submitted by wshadow: https://hackerone.com/reports/2786591 [...]

See full content

Brazilian authorities reportedly have arrested a 33-year-old man on suspicion of being “USDoD,” a prolific cybercriminal who rose to infamy in 2022 after infiltrating the FBI’s InfraGard program and leaking contact information for 80,000 members. More recently, USDoD was behind a breach at the consumer data broker National Public Data that led to the leak of Social Security numbe [...]

See full content

See full content

Mozilla disclosed a bug submitted by ghaazy: https://hackerone.com/reports/2412983 [...]

See full content

Passwordless authentication for end users is taking the world by storm, offering organizations and individuals alike unprecedented security, user experience, and efficiency benefits. By all indications, the next generation of authentication for end users has finally arrived, sending the password the way of the dodo.  Although they don’t get anywhere near the same hype, advanced authentica [...]

See full content

Mozilla disclosed a bug submitted by ghaazy: https://hackerone.com/reports/2380084 [...]

See full content

Mozilla disclosed a bug submitted by sushantd19: https://hackerone.com/reports/1913309 [...]

See full content

Mozilla disclosed a bug submitted by ghaazy: https://hackerone.com/reports/2401648 [...]

See full content

Automattic disclosed a bug submitted by nightpool: https://hackerone.com/reports/2258950 [...]

See full content

See full content

GitHub disclosed a bug submitted by pinguluk: https://hackerone.com/reports/2505761 - Bounty: $4000 [...]

See full content

The U.S. government on Wednesday announced the arrest and charging of two Sudanese brothers accused of running Anonymous Sudan (a.k.a. AnonSudan), a cybercrime business known for launching powerful distributed denial-of-service (DDoS) attacks against a range of targets, including dozens of hospitals, news websites and cloud providers. The younger brother is facing charges that could land him life [...]

See full content

See full content

See full content

See full content

Sorare disclosed a bug submitted by thebeast99: https://hackerone.com/reports/2048725 [...]

See full content

If there’s a vulnerability in your systems that cybercriminals could exploit, you’ll want to know about it. Collaborating with people outside your organization to alert you to these issues can be extremely powerful because it allows your business to discover vulnerabilities before malicious hackers do. This approach, known as vulnerability disclosure, requires clear reporting c… [...]

See full content

Internet Bug Bounty disclosed a bug submitted by 4xpl0r3r: https://hackerone.com/reports/2590608 - Bounty: $249 [...]

See full content

See full content

See full content

See full content

The men’s world conkers champion is accused of cheating with a steel chestnut. [...]

See full content

Posted by Alex Rebert, Security Foundations, and Chandler Carruth, Jen Engel, Andy Qin, Core Developers Error-prone interactions between software and memory1 are widely understood to create safety issues in software. It is estimated that about 70% of severe vulnerabilities2 in memory-unsafe codebases are due to memory safety bugs. Malicious actors exploit these vulnerabilities and continue to cr [...]

See full content

Posted by Jianing Sandra Guo, Product Manager and Nataliya Stanetsky, Staff Program Manager, Android Janine Roberta Ferreira was driving home from work in São Paulo when she stopped at a traffic light. A man suddenly appeared and broke the window of her unlocked car, grabbing her phone. She struggled with him for a moment before he wrestled the phone away and ran off. The incident left her dee [...]

See full content

See full content

The Washington Post has a long and detailed story about the operation that’s well worth reading (alternate version here). The sales pitch came from a marketing official trusted by Hezbollah with links to Apollo. The marketing official, a woman whose identity and nationality officials declined to reveal, was a former Middle East sales representative for the Taiwanese firm who had established [...]

See full content

Enjin disclosed a bug submitted by ndizon_: https://hackerone.com/reports/1623672 [...]

See full content

Enjin disclosed a bug submitted by mo_salah12: https://hackerone.com/reports/2682392 [...]

See full content

We all know that reconnaissance is important in bug bounty, in fact, it is the most important phase in bug bounty & web app pentesting. Bug bounty hunters who perform effective recon are always rewarded well as they come across untouched features and hidden assets more often than others. This provides them an edge and easily increases their chances of finding security vulnerabi… [...]

See full content

NIS2 will take effect across the EU from 18th October 2024, meaning time is running out to comply with its provisions. This Directive, replacing NIS1 (2016), strengthens requirements for in-scope sectors to report security incidents and manage risk.  In this guide, we’ll summarize which entities will need to comply with the enhanced legislation and the standards they must meet.… [...]

See full content

Use HackerOne's Global Vulnerability Policy Map to keep up with evolving VDP mandates and recommendations. [...]

See full content

This is a current list of where and when I am scheduled to speak: I’m speaking at SOSS Fusion 2024 in Atlanta, Georgia, USA. The event will be held on October 22 and 23, 2024, and my talk is  at 9:15 AM ET on October 22, 2024. The list is maintained on this page. [...]

See full content

See full content

Perfectl in an impressive piece of malware: The malware has been circulating since at least 2021. It gets installed by exploiting more than 20,000 common misconfigurations, a capability that may make millions of machines connected to the Internet potential targets, researchers from Aqua Security said. It can also exploit CVE-2023-33246, a vulnerability with a severity rating of 10 out of 10 that w [...]

See full content

See full content

Rocket.Chat disclosed a bug submitted by yash24: https://hackerone.com/reports/2028450 [...]

See full content

Learn about the EU Council's Cyber Resilience Act, where we're headed, and what we believe should happen next. [...]

See full content

Fishermen in Tamil Nadu are reporting smaller catches of squid. Blog moderation policy. [...]

See full content

See full content

In July, I wrote about my new book project on AI and democracy, to be published by MIT Press in fall 2025. My co-author and collaborator Nathan Sanders and I are hard at work writing. At this point, we would like feedback on titles. Here are four possibilities: Rewiring the Republic: How AI Will Transform our Politics, Government, and Citizenship The Thinking State: How AI Can Improve Democracy B [...]

See full content

GitHub disclosed a bug submitted by ahacker1: https://hackerone.com/reports/2579939 - Bounty: $25000 [...]

See full content

Learn how HackerOne's AI Risk Readiness Self-Assessment Tool helps measure your AI security and compliance preparedness. [...]

See full content

This is a joint post with the Hugging Face Gradio team; read their announcement here! You can find the full report with all of the detailed findings from our security audit of Gradio 5 here. Hugging Face hired Trail of Bits to audit Gradio 5, a popular open-source library that provides a web interface that lets machine learning (ML) developers quickly showcase their models. Based on our findings a [...]

See full content

Posted by Adrian Taylor, Security Engineer, Chrome .code { font-family: "Courier New", Courier, monospace; font-size: 11.8px; font-weight: bold; background-color: #f4f4f4; padding: 2px; border: 1px solid #ccc; border-radius: 2px; white-space: pre-wrap; display: inline-block; line-height: 12px; } .highlight { color: red; } Chrome’s [...]

See full content

See full content

See full content

See full content

See full content

See full content

GitLab disclosed a bug submitted by a92847865: https://hackerone.com/reports/2499070 [...]

See full content

See full content

The parents of a 19-year-old Connecticut honors student accused of taking part in a $243 million cryptocurrency heist in August were carjacked a week later — while out house-hunting in a brand new Lamborghini. Prosecutors say the couple was beaten and briefly kidnapped by six young men who traveled from Florida as part of a botched plan to hold the parents for ransom. Image: ABC7NY.  youtube [...]

See full content

Learn how to optimize internal network pentesting through community-driven pentesting as a service (PTaaS). [...]

See full content

GitLab disclosed a bug submitted by fdeleite: https://hackerone.com/reports/2523654 [...]

See full content

MTN Group disclosed a bug submitted by m4lc0lmx: https://hackerone.com/reports/2182202 [...]

See full content

See full content

You need an API security solution. That much is a given (although some may argue it isn’t!). While essential for business growth and innovation, APIs, or Application Programming Interfaces, expose the organizations that use them to cyber threats. Attackers are both aware of and actively exploiting this fact: Wallarm recently revealed that attacks on APIs impacted 98.35 million users in Q2 2024.  [...]

See full content

inDrive disclosed a bug submitted by polem4rch: https://hackerone.com/reports/2588329 - Bounty: $2000 [...]

See full content

This post explores the risks and challenges of IP spoofing in cloud environments, particularly in setups using reverse proxies. It outlines various mitigation strategies to ensure accurate client IP identification for security purposes. [...]

See full content

Microsoft today released security updates to fix at least 117 security holes in Windows computers and other software, including two vulnerabilities that are already seeing active attacks. Also, Adobe plugged 52 security holes across a range of products, and Apple has addressed a bug in its new macOS 15 “Sequoia” update that broke many cybersecurity tools. One of the zero-day flaws  [...]

See full content

Learn the ins and outs of IDOR vulnerabilities and how one exploitation led to malicious user profile modification. [...]

See full content

Ruby on Rails disclosed a bug submitted by ooooooo_q: https://hackerone.com/reports/2334455 [...]

See full content

Ruby on Rails disclosed a bug submitted by trufflesecurity: https://hackerone.com/reports/1302395 [...]

See full content

GitLab disclosed a bug submitted by cryptopone: https://hackerone.com/reports/1935628 - Bounty: $1060 [...]

See full content

GitLab disclosed a bug submitted by 70rpedo: https://hackerone.com/reports/2104591 [...]

See full content

GitLab disclosed a bug submitted by afewgoats: https://hackerone.com/reports/1772063 [...]

See full content

See full content

Mozilla disclosed a bug submitted by anhchangmutrang: https://hackerone.com/reports/2735646 [...]

See full content

See full content

See full content

MTN Group disclosed a bug submitted by hazemhussien99: https://hackerone.com/reports/1773609 [...]

See full content

MTN Group disclosed a bug submitted by hazemhussien99: https://hackerone.com/reports/2039384 [...]

See full content

See full content

See full content

AWS VDP disclosed a bug submitted by hesham_elsheme: https://hackerone.com/reports/2731133 [...]

See full content

IBM disclosed a bug submitted by mersa-v6: https://hackerone.com/reports/2696271 [...]

See full content

Posted by Sherk Chung, Stephan Chen, Pixel team, and Roger Piqueras Jover, Ivan Lozano, Android team Pixel phones have earned a well-deserved reputation for being security-conscious. In this blog, we'll take a peek under the hood to see how Pixel mitigates common exploits on cellular basebands. Smartphones have become an integral part of our lives, but few of us think about the complex softwar [...]

See full content

See full content

Posted by Alex Gough, Chrome Security Team The Chrome Security Team is constantly striving to make it safer to browse the web. We invest in mechanisms to make classes of security bugs impossible, mitigations that make it more difficult to exploit a security bug, and sandboxing to reduce the capability exposed by an isolated security issue. When choosing where to invest it is helpful to consider [...]

See full content

Organizations that get relieved of credentials to their cloud environments can quickly find themselves part of a disturbing new trend: Cybercriminals using stolen cloud credentials to operate and resell sexualized AI-powered chat services. Researchers say these illicit chat bots, which use custom jailbreaks to bypass content filtering, often veer into darker role-playing scenarios, including child [...]

See full content

See full content

See full content

TikTok disclosed a bug submitted by ahmed_xyz: https://hackerone.com/reports/2306491 [...]

See full content

See full content