InfoSec Planet
A collection of diverse security content from a curated list of sources. This website also serves as a demo for "worker-planet", the software that powers it.
Friday Squid Blogging: The Giant Squid Nebula
on 18/07/2025
Beautiful photo.
Difficult to capture, this mysterious, squid-shaped interstellar cloud spans nearly three full moons in planet Earth’s sky. Discovered in 2011 by French astro-imager Nicolas Outters, the Squid Nebula’s bipolar shape is distinguished here by the telltale blue emission from doubly ionized oxygen atoms. Though apparently surrounded by the reddish hydrogen emission region [...]
API Key Exposed in JavaScript File on 1Password Developer Site
on 18/07/2025
1Password - Enterprise Password Manager disclosed a bug submitted by sudosu001: https://hackerone.com/reports/2923061 [...]
Side Projects for Cybersecurity Roles
on 18/07/2025
My New Hacking Labs - A (R)Evolution In Education
on 18/07/2025
how hackers hide (Intro to Beacon Object Files - with Empire C2!)
on 18/07/2025
New Mobile Phone Forensics Tool
on 18/07/2025
The Chinese have a new tool called Massistant.
Massistant is the presumed successor to Chinese forensics tool, “MFSocket”, reported in 2019 and attributed to publicly traded cybersecurity company, Meiya Pico.
The forensics tool works in tandem with a corresponding desktop software.
Massistant gains access to device GPS location data, SMS messages, images, audio, contacts and phone se [...]
Building secure messaging is hard: A nuanced take on the Bitchat security debate
on 18/07/2025
The release of Bitchat last week was met with a mixture of glowing praise and sharp criticism. Both extremes bear some truth, but they also miss the mark and reveal gaps in how we discuss security in emerging products. [...]
Poor Passwords Tattle on AI Hiring Bot Maker Paradox.ai
by BrianKrebs on 18/07/2025
Security researchers recently revealed that the personal information of millions of people who applied for jobs at McDonald’s was exposed after they guessed the password (“123456”) for the fast food chain’s account at Paradox.ai, a company that makes artificial intelligence based hiring chatbots used by many Fortune 500 firms. Paradox.ai said the security oversight was an i [...]
Red Team vs. Blue Team: Which is Better?
on 17/07/2025
Account takeover of existing HackerOne accounts through SCIM provisioning
on 17/07/2025
HackerOne disclosed a bug submitted by boy_child_: https://hackerone.com/reports/3178999 [...]
BBGMA - Full Bug Bounty Guide - P2 - Starting to exploit
on 17/07/2025
Security Vulnerabilities in ICEBlock
on 17/07/2025
The ICEBlock tool has vulnerabilities:
The developer of ICEBlock, an iOS app for anonymously reporting sightings of US Immigration and Customs Enforcement (ICE) officials, promises that it “ensures user privacy by storing no personal data.” But that claim has come under scrutiny. ICEBlock creator Joshua Aaron has been accused of making false promises regarding user anonymity and privac [...]
Fail-Open Architecture for Secure Inline Protection on Azure
by Tim Erlin on 17/07/2025
Every inline deployment introduces a tradeoff: enhanced inspection versus increased risk of downtime. Inline protection is important, especially for APIs, which are now the most targeted attack surface, but so is consistent uptime and performance. This is where a fail-open architecture comes in.
This Wallarm How-To blog outlines how to deploy Wallarm’s Security Edge platform on Azure usi [...]
Reflected XSS in "Cost Tracker" Notes Field
on 17/07/2025
MainWP disclosed a bug submitted by rishail01: https://hackerone.com/reports/3185205 - Bounty: $50 [...]
Reflected XSS in "Manage Tags" Notes Field
on 17/07/2025
MainWP disclosed a bug submitted by rishail01: https://hackerone.com/reports/3181803 - Bounty: $50 [...]
Reflected XSS in "Create Category" Functionality of Post Creation Module
on 17/07/2025
MainWP disclosed a bug submitted by rishail01: https://hackerone.com/reports/3179138 - Bounty: $50 [...]
Stored Cross-Site Scripting (XSS) in "Add Contact" Name Field MainWP Plugin
on 17/07/2025
MainWP disclosed a bug submitted by rishail01: https://hackerone.com/reports/3176981 - Bounty: $50 [...]
Live: APT Intrusion Hunting | Cybersecurity | TryHackMe
on 16/07/2025
Hacking Trains
on 16/07/2025
Seems like an old system that predates any care about security:
The flaw has to do with the protocol used in a train system known as the End-of-Train and Head-of-Train. A Flashing Rear End Device (FRED), also known as an End-of-Train (EOT) device, is attached to the back of a train and sends data via radio signals to a corresponding device in the locomotive called the Head-of-Train (HOT). C [...]
exposure of personal IP address via email.
on 16/07/2025
Weblate disclosed a bug submitted by micael1: https://hackerone.com/reports/3179850 [...]
I SPy: Escalating to Entra ID's Global Admin with a first-party app
on 16/07/2025
Backdooring Microsoft's applications is far from over. Adding service principal credentials to these apps to escalate privileges and obfuscate activities has been seen in nation-state attacks, and led to the development of new security controls. Despite these efforts, we uncovered a vulnerable, built-in SP that could have allowed escalation from Application Administrator to any hybrid tenant user, [...]
HashDoS in V8
on 15/07/2025
Node.js disclosed a bug submitted by sharp_edged: https://hackerone.com/reports/3131758 [...]
Windows Device Names (CON, PRN, AUX) Bypass Path Traversal Protection in path.normalize()
on 15/07/2025
Node.js disclosed a bug submitted by oblivionsage: https://hackerone.com/reports/3160912 [...]
mkfifo Reverse Shell Explained
on 15/07/2025
DOGE Denizen Marko Elez Leaked API Key for xAI
by BrianKrebs on 15/07/2025
Marko Elez, a 25-year-old employee at Elon Musk’s Department of Government Efficiency (DOGE), has been granted access to sensitive databases at the U.S. Social Security Administration, the Treasury and Justice departments, and the Department of Homeland Security. So it should fill all Americans with a deep sense of confidence to learn that Mr. Elez over the weekend inadvertently published a [...]
How security leaders are scaling testing with bug bounty programs
by Eleanor Barlow on 15/07/2025
For security leaders protecting fast-growing organizations, the pressure is on to identify vulnerabilities before threat actors do. Continuously testing environments, cost-effectively and at scale, is a significant challenge.
This is where bug bounty programs are reshaping the security landscape for CISOs, IT directors, and product security leads.
If you are ready to move bey… [...]
Banned user still has access to their deleted account via HackerOne's API using their API key
on 14/07/2025
HackerOne disclosed a bug submitted by mrmax4o4: https://hackerone.com/reports/1577940 [...]
Report from the Cambridge Cybercrime Conference
on 14/07/2025
The Cambridge Cybercrime Conference was held on 23 June. Summaries of the presentations are here.
[...]
Is Pentest Tools com worth it in 2025
on 14/07/2025
This Tiny JWT Mistake = Massive Bug Bounty
on 14/07/2025
Watch the on-demand webinar: Shift left without the strain
on 14/07/2025
Shifting security left promises faster, safer software delivery - but for many teams, that promise is undercut by painful scan performance, false positives, and pipeline friction. In our recent webina [...]
Disk Space Exhaustion leading to a Denial of Service (DoS)
on 14/07/2025
curl disclosed a bug submitted by tryhackplanet: https://hackerone.com/reports/3250490 [...]
Not a Vuln: Race Condition Allows Creation of Multiple Organizations with the Same Name
on 14/07/2025
WakaTime disclosed a bug submitted by ctrl_cipher: https://hackerone.com/reports/3248712 [...]
Intigriti teams with NVIDIA to launch bug bounty and vulnerability disclosure program (VDP)
by Eleanor Barlow on 14/07/2025
Innovating cyber defense by tapping global expertise
With an expanding threat landscape, a surge in AI-driven products, and a commitment to innovation, NVIDIA is enhancing cybersecurity with a proactive approach by tapping into the global security researcher community.
The Intigriti community includes over 125,000 ethical hackers, equipped to test mission-critical AI infrastruc… [...]
Kubernetes security fundamentals: PKI
on 14/07/2025
A look at how PKI configuration in Kubernetes clusters works [...]
Uncontrolled File Write/Arbitrary File Creation
on 13/07/2025
curl disclosed a bug submitted by tryhackplanet: https://hackerone.com/reports/3250117 [...]
Reflected XSS in "Client Notes" Field
on 13/07/2025
MainWP disclosed a bug submitted by rishail01: https://hackerone.com/reports/3181802 - Bounty: $50 [...]
Unwinding 😍
on 13/07/2025
HTTP Request Smuggling Vulnerability Analysis - cURL Security Report
on 13/07/2025
curl disclosed a bug submitted by youssef111: https://hackerone.com/reports/3249936 [...]
GitHub dorking for beginners: How to find more vulnerabilities using GitHub search
by blackbird-eu on 13/07/2025
Bug bounty hunters who spend time in content discovery and reconnaissance are always rewarded well for their efforts, as they often come across untested and hidden assets or endpoints. GitHub dorking is another way to leverage public search engines to discover hidden assets, endpoints and even secrets to increase your chances of finding vulnerabilities. This article is a guide … [...]
Leaked reused password for a few Khan Academy users
on 12/07/2025
Khan Academy disclosed a bug submitted by a0xtrojan: https://hackerone.com/reports/3099978 [...]
Squid Dominated the Oceans in the Late Cretaceous
on 11/07/2025
New research:
One reason the early years of squids has been such a mystery is because squids’ lack of hard shells made their fossils hard to come by. Undeterred, the team instead focused on finding ancient squid beaks—hard mouthparts with high fossilization potential that could help the team figure out how squids evolved.
With that in mind, the team developed an advanced fossil discove [...]
Tradecraft in the Information Age
on 11/07/2025
Long article on the difficulty (impossibility?) of human spying in the age of ubiquitous digital surveillance.
[...]
How to Study for Cybersecurity (Even When You're Busy!)
on 11/07/2025
how hackers avoid getting caught
on 11/07/2025
Default Minimum TLS Version Set to TLS v1.0 (Cryptographic Weakness)
on 10/07/2025
curl disclosed a bug submitted by monkey_dee: https://hackerone.com/reports/3246519 [...]
BBGMA - Full Bug Bounty Guide - P1 - Explorations and enum
on 10/07/2025
Build a Bjorn in 3 Minutes!
on 10/07/2025
UK Arrests Four in ‘Scattered Spider’ Ransom Group
by BrianKrebs on 10/07/2025
Authorities in the United Kingdom this week arrested four people aged 17 to 20 in connection with recent data theft and extortion attacks against the retailers Marks & Spencer and Harrods, and the British food retailer Co-op Group. The breaches have been linked to a prolific but loosely-affiliated cybercrime group dubbed “Scattered Spider,” whose other recent victims include multip [...]
Using Signal Groups for Activism
on 10/07/2025
Good tutorial by Micah Lee. It includes some nonobvious use cases.
[...]
Understanding the NCSC’s New API Security Guidance
by Tim Erlin on 10/07/2025
Legislative, regulatory, and advisory bodies the world over are waking up to the importance of API security. Most recently, the UK’s National Cyber Security Centre (NCSC) has published detailed guidance on best practices for building and maintaining secure APIs. In this blog, we’ll break down that guidance and explore how Wallarm’s platform can help you align with each one.
Inside the NC [...]
Preventing the growing costs of repeat and duplicate bug bounty submissions
by Eleanor Barlow on 10/07/2025
What are duplicate submissions?
Within the bug bounty industry, duplicate submissions refer to when two or more researchers report the same issue or vulnerability.
When a researcher, who works with a bug bounty platform, identifies a vulnerability, they submit a report to the platform, such as Intigriti, where it is reviewed. If the issue has already been reported, then it is m… [...]
CVE-2025-48384: Git vulnerable to arbitrary file write on non-Windows systems
on 10/07/2025
Learn more about the emerging vulnerability affecting Git. [...]
LIVE: Web Hacking | Pentesting | AppSec | Cybersecurity | TryHackme | AMA
on 09/07/2025
Use-After-Free in OpenSSL Keylog Callback via SSL_get_ex_data() in libcurl
on 09/07/2025
curl disclosed a bug submitted by brobagazzzx: https://hackerone.com/reports/3242005 [...]
Yet Another Strava Privacy Leak
on 09/07/2025
This time it’s the Swedish prime minister’s bodyguards. (Last year, it was the US Secret Service and Emmanuel Macron’s bodyguards. In 2018, it was secret US military bases.)
This is ridiculous. Why do people continue to make their data public?
[...]
Arbitrary File Read via file:// Protocol in cURL
on 09/07/2025
curl disclosed a bug submitted by mr_tufan: https://hackerone.com/reports/3242087 [...]
Microsoft Patch Tuesday, July 2025 Edition
by BrianKrebs on 09/07/2025
Microsoft today released updates to fix at least 137 security vulnerabilities in its Windows operating systems and supported software. None of the weaknesses addressed this month are known to be actively exploited, but 14 of the flaws earned Microsoft’s most-dire “critical” rating, meaning they could be exploited to seize control over vulnerable Windows PCs with little or no help [...]
Chain Vulnerability lead to Full Control Group Live Accounts & Undeletable Creator
on 08/07/2025
TikTok disclosed a bug submitted by eneri: https://hackerone.com/reports/3027478 [...]
ReDoS in IPAddr
on 08/07/2025
Ruby disclosed a bug submitted by ooooooo_q: https://hackerone.com/reports/1485717 [...]
ReDoS in Psych
on 08/07/2025
Ruby disclosed a bug submitted by ooooooo_q: https://hackerone.com/reports/1487889 [...]
Learn Google Dorking!
on 08/07/2025
access notes without permission
on 08/07/2025
curl disclosed a bug submitted by haydradz: https://hackerone.com/reports/3241304 [...]
Disclosure of email addresses
on 08/07/2025
curl disclosed a bug submitted by haydradz: https://hackerone.com/reports/3241308 [...]
Clear Authentication Deficiencies & Potential for Man-in-the-Middle Attacks
on 08/07/2025
Sony disclosed a bug submitted by trapedev: https://hackerone.com/reports/2642615 [...]
Advancing Protection in Chrome on Android
on 08/07/2025
Posted by David Adrian, Javier Castro & Peter Kotwicz, Chrome Security Team
Android recently announced Advanced Protection, which extends Google’s Advanced Protection Program to a device-level security setting for Android users that need heightened security—such as journalists, elected officials, and public figures. Advanced Protection gives you the ability to activate Google’s strongest sec [...]
Information disclosure identified on IBM endpoint.
on 08/07/2025
IBM disclosed a bug submitted by devire: https://hackerone.com/reports/2402842 [...]
CSRF at Network feature
on 08/07/2025
Lichess disclosed a bug submitted by psfauzi: https://hackerone.com/reports/3230359 [...]
Are CTFs Actually Good for Learning Cybersecurity Skills?
on 08/07/2025
Inside the AI Threat Landscape: From Jailbreaks to Prompt Injections and Agentic AI Risks
by Tim Erlin on 08/07/2025
AI has officially moved out of the novelty phase. What began with people messing around with LLM-powered GenAI tools for content creation has rapidly evolved into a complex web of agentic AI systems that form a critical part of the modern corporate landscape. However, this transformation has given new life to old threats, transforming the API security landscape all over again.
I recently sat [...]
Investigate your dependencies with Deptective
on 08/07/2025
Deptective, our new open-source tool, automatically finds the packages needed to install software dependencies. It does so not based on the software’s self-reported requirements, but by observing what the software needs at runtime. [...]
PortSwigger at Black Hat & DEF CON 33
on 08/07/2025
Las Vegas. August. Protocols are getting torn apart. This summer, PortSwigger returns to Black Hat USA and DEF CON 33 with a host of new talks, events and ways to meet PortSwigger and the teams be [...]
Hiding Prompt Injections in Academic Papers
on 07/07/2025
Academic papers were found to contain hidden instructions to LLMs:
It discovered such prompts in 17 articles, whose lead authors are affiliated with 14 institutions including Japan’s Waseda University, South Korea’s KAIST, China’s Peking University and the National University of Singapore, as well as the University of Washington and Columbia University in the U.S. Most of the pap [...]
curl --continue-at confusion
on 07/07/2025
curl disclosed a bug submitted by nyymi: https://hackerone.com/reports/2859735 [...]
Information Disclosure at : https://curl.se/.mailmap
on 07/07/2025
curl disclosed a bug submitted by haithamzakaria: https://hackerone.com/reports/2853023 [...]
information disclosure
on 07/07/2025
curl disclosed a bug submitted by rono_07: https://hackerone.com/reports/2841436 [...]
netrc crlf injection
on 07/07/2025
curl disclosed a bug submitted by nyymi: https://hackerone.com/reports/2831558 [...]
curl mishandles `%0c%0b` sequences in HTTP responses leading to CRLF confusions, Headers and Cookies Injection
on 07/07/2025
curl disclosed a bug submitted by mdakh404: https://hackerone.com/reports/2861797 [...]
Arbitrary File Deletion Vulnerability in curl Source Code via os.unlink()
on 07/07/2025
curl disclosed a bug submitted by aadityaathehacker: https://hackerone.com/reports/2864414 [...]
-H with space prefix leads to previous header injection when used with --proxy
on 07/07/2025
curl disclosed a bug submitted by spongebhav: https://hackerone.com/reports/2864859 [...]
OS Command Injection (subprocess Module Usage)
on 07/07/2025
curl disclosed a bug submitted by bulter: https://hackerone.com/reports/2904921 [...]
Git repository found
on 07/07/2025
curl disclosed a bug submitted by tefa_: https://hackerone.com/reports/2915426 [...]
Integer Overflow Risk in HTTP/2 Proxy Window Size Calculations
on 07/07/2025
curl disclosed a bug submitted by extramayoextracheeseextrafries: https://hackerone.com/reports/3238249 [...]
[MK8DX] Improper ranking/replay file parsing
on 06/07/2025
Nintendo disclosed a bug submitted by crazy_man123: https://hackerone.com/reports/1813453 [...]
TLS Cipher Misconfiguration in HTTP/3/QUIC Support
on 06/07/2025
curl disclosed a bug submitted by zzq1015: https://hackerone.com/reports/2981303 [...]
Reverse Engineering Anti-Debugging Techniques (with Nathan Baggs!)
on 05/07/2025
Build a Structured Threat Hunting Methodology
on 04/07/2025
CRLF injection in libcurl's SMTP client via --mail-from and --mail-rcpt allows SMTP command smuggling
on 03/07/2025
curl disclosed a bug submitted by skrcprst: https://hackerone.com/reports/3235428 [...]
HackerOne Leading AI Agent ... Should We Be Worried?
on 03/07/2025
Inside Axis’s Approach to Cybersecurity with Bugcrowd
on 03/07/2025
Big Tech’s Mixed Response to U.S. Treasury Sanctions
by BrianKrebs on 03/07/2025
In May 2025, the U.S. government sanctioned a Chinese national for operating a cloud provider linked to the majority of virtual currency investment scam websites reported to the FBI. But a new report finds the accused continues to operate a slew of established accounts at American tech companies — including Facebook, Github, PayPal and Twitter/X.
On May 29, the U.S. Department of the Treasur [...]
MozillaVPN: Elevation of Privilege via a Logic Vulnerability
on 03/07/2025
Mozilla disclosed a bug submitted by northsea: https://hackerone.com/reports/2686750 [...]
MozillaVPN: Elevation of Privilege via a Race Condition Vulnerability
on 03/07/2025
Mozilla disclosed a bug submitted by northsea: https://hackerone.com/reports/2261577 [...]
Subdomain takeover on live.firefox.com
on 03/07/2025
Mozilla disclosed a bug submitted by martinvw: https://hackerone.com/reports/2899858 - Bounty: $500 [...]
What CISA’s BOD 25-01 Means for API Security and How Wallarm Can Help
by Tim Erlin on 03/07/2025
The US government has taken another significant step towards strengthening cloud security with the release of CISA’s Binding Operational Directive (BOD) 25-01. Aimed at improving the security posture of federal cloud environments, BOD 25-01 mandates robust configuration, visibility, and control across cloud-based services. While the directive doesn’t explicitly name API security, securing mo [...]
curl doesn't hide credentials in /proc/XXX/cmdline provided via CLI arguments
on 03/07/2025
curl disclosed a bug submitted by stogusho: https://hackerone.com/reports/3000639 [...]
Elevation of Privileges (EoP) vulnerabilities related to the some easy_options on Windows
on 03/07/2025
curl disclosed a bug submitted by justlikebono_official: https://hackerone.com/reports/2941920 [...]
Authorization Header Leak via --location-trusted in Curl
on 03/07/2025
curl disclosed a bug submitted by voggerloops: https://hackerone.com/reports/2946924 [...]
LIVE: Memory Forensics | Cybersecurity | Blue Team
on 03/07/2025
this malware hides in a WALLPAPER
on 02/07/2025