InfoSec Planet

A collection of diverse security content from a curated list of sources. This website also serves as a demo for "worker-planet", the software that powers it.

Upcoming Speaking Engagements

on 15/06/2025

This is a current list of where and when I am scheduled to speak: I’m speaking at the International Conference on Digital Trust, AI and the Future in Edinburgh, Scotland on Tuesday, June 24 at 4:00 PM. The list is maintained on this page. [...]

Learning to Hack Active Directory Certificate Services (with Shikata!)

on 14/06/2025

This is why you should run bug bounty tools from a VPS feat. Arthur Aires #bugbounty #bugbountytips

on 14/06/2025

Improper HTTP header block termination in llhttp

on 13/06/2025

Node.js disclosed a bug submitted by kenballus: https://hackerone.com/reports/2054283 [...]

Friday Squid Blogging: Stubby Squid

on 13/06/2025

Video of the stubby squid (Rossia pacifica) from offshore Vancouver Island. As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered. [...]

[20.98.103.245] Cross-Site Scripting (XSS) via /ssl-vpn/getconfig.esp at GlobalProtect VPN Portal

on 13/06/2025

Informatica disclosed a bug submitted by xbow: https://hackerone.com/reports/3096384 [...]

Crafted smart contract can take 8 minutes to execute due to bug in modexp precompile.

on 13/06/2025

Rootstock Labs disclosed a bug submitted by guido: https://hackerone.com/reports/2412583 [...]

Mitigating prompt injection attacks with a layered defense strategy

on 13/06/2025

Posted by Google GenAI Security Team. With the rapid adoption of generative AI, a new wave of threats is emerging across the industry with the aim of manipulating the AI systems themselves. One such emerging attack vector is indirect prompt injections. Unlike direct prompt injections, where an attacker directly inputs malicious commands into a prompt, indirect prompt injections involve hidden malici [...]

Building a Malicious USB Hacking Device for Only $5

on 13/06/2025

How Security Leaders Build AI-Augmented Defense in Depth

on 13/06/2025

DOS of RSKJ server

on 13/06/2025

Rootstock Labs disclosed a bug submitted by spacewasp: https://hackerone.com/reports/2105808 - Bounty: $5000 [...]

Two months of Burp AI: empowering security testers with the future of AppSec

on 13/06/2025

It’s been a whirlwind two months since AI-powered features landed in Burp Suite Professional. Thousands of security testers across the world have been using Burp AI to find vulnerabilities and secure [...]

Paragon Spyware Used to Spy on European Journalists

on 13/06/2025

Paragon is an Israeli spyware company, increasingly in the news (now that NSO Group seems to be waning). “Graphite” is the name of its product. Citizen Lab caught it spying on multiple European journalists with a zero-click iOS exploit: On April 29, 2025, a select group of iOS users were notified by Apple that they were targeted with advanced spyware. Among the group were two journalis [...]

Improper Authentication Throttling Allows Attacker-Controlled Account Lockouts

on 13/06/2025

Lichess disclosed a bug submitted by closec4ll: https://hackerone.com/reports/3160210 [...]

IDOR on in-app hardcoded zombie endpoint

on 13/06/2025

Bykea disclosed a bug submitted by bugbountywithmarco: https://hackerone.com/reports/3085742 [...]

Bypassing Bronze Partner Wallet Restriction to Accept Trips with Negative Balance

on 13/06/2025

Bykea disclosed a bug submitted by bugbountywithmarco: https://hackerone.com/reports/2868164 [...]

Ability to increase any customer offered fare (BAC)

on 13/06/2025

Bykea disclosed a bug submitted by grassye: https://hackerone.com/reports/2861888 [...]

Broken Access Control (IDOR) in Booking Detail and Bids Could Lead to Sensitive Information Disclosure

on 13/06/2025

Bykea disclosed a bug submitted by back2arie: https://hackerone.com/reports/2374730 [...]

WordPress Version Exposure via /wp-links-opml.php on hemi.xyz

on 13/06/2025

Hemi VDP disclosed a bug submitted by 1_ali_raza: https://hackerone.com/reports/3198394 [...]

Intigriti Bug Bytes #225 - June 2025 🚀

by Intigriti on 13/06/2025

Hello hackers, Welcome to the latest edition of Bug Bytes! In this month’s issue, we’ll be featuring: Becoming an Intigriti Pentester Exploiting CORS in 2025 (even when SameSite is set to ‘Strict’) A forgotten tool to quickly score new hidden endpoints (right before you close Burp Suite) 12 API hacking techniques Common ways to find RCEs in your bug bounty target And so … [...]

Inside a Dark Adtech Empire Fed by Fake CAPTCHAs

by BrianKrebs on 12/06/2025

Late last year, security researchers made a startling discovery: Kremlin-backed disinformation campaigns were bypassing moderation on social media platforms by leveraging the same malicious advertising technology that powers a sprawling ecosystem of online hucksters and website hackers. A new report on the fallout from that investigation finds this dark ad tech industry is far more resilient and i [...]

Managing your blind XSS payloads feat. Arthur Aires #bugbounty #bugbountytips #bugbountyhunter

on 12/06/2025

[XSS] Reflected XSS via POST request in ()

on 12/06/2025

Mars disclosed a bug submitted by morphykutay: https://hackerone.com/reports/3146996 [...]

Crafted smart contract can take 1.5 minutes to execute due to inefficient CODESIZE implementation

on 12/06/2025

Rootstock Labs disclosed a bug submitted by guido: https://hackerone.com/reports/2489843 [...]

Crafted smart contract can take ~23 seconds to execute due to immense error string construction

on 12/06/2025

Rootstock Labs disclosed a bug submitted by guido: https://hackerone.com/reports/2559404 [...]

Airlines Secretly Selling Passenger Data to the Government

on 12/06/2025

This is news: A data broker owned by the country’s major airlines, including Delta, American Airlines, and United, collected U.S. travellers’ domestic flight records, sold access to them to Customs and Border Protection (CBP), and then as part of the contract told CBP to not reveal where the data came from, according to internal CBP documents obtained by 404 Media. The data includes pa [...]

Lack of Feedback Validation Permits Arbitrary Driver Ratings

on 12/06/2025

Bykea disclosed a bug submitted by bugbountywithmarco: https://hackerone.com/reports/2894018 [...]

Plugging in a Suspicious Mystery USB

on 12/06/2025

Generating target-specific wordlists feat. Arthur Aires #bugbounty #bugbountytips #bugbountyhunter

on 12/06/2025

CISO Spotlight: Rick Bohm on Building Bridges, Taming AI, and the Future of API Security

by aarampatzis on 12/06/2025

Nestled in a log cabin high in the Rocky Mountains, Rick Bohm starts his day the same way he’s approached his career: intentionally, with a quiet commitment to learning and action. Boasting more than three decades of cybersecurity experience, Rick has watched tech evolve from dial-up ISPs to advanced AI-driven security architectures – and through it all, he’s focused on one enduring mission: prot [...]

🔴 LIVE: TCMS CERT TIPS | Interview with an Expert | AMA

on 12/06/2025

Learn Phishing!

on 11/06/2025

Hunting Phishing Kits

on 11/06/2025

Automation to get Hackerone program updates feat. Arthur Aires #bugbounty #bugbountytips #bugbountyh

on 11/06/2025

Patch Tuesday, June 2025 Edition

by BrianKrebs on 11/06/2025

Microsoft today released security updates to fix at least 67 vulnerabilities in its Windows operating systems and software. Redmond warns that one of the flaws is already under active attack, and that software blueprints showing how to exploit a pervasive Windows bug patched this month are now public. The sole zero-day flaw this month is CVE-2025-33053, a remote code execution flaw in the Windows [...]

Threat Hunting in 3 Easy Steps!

on 10/06/2025

Bug bounty tools that actually land bugs with Arthur Aires

on 10/06/2025

Windows Endpoint Telemetry (ft. Jonny Johnson)

on 10/06/2025

What we learned reviewing one of the first DKLs23 libraries from Silence Laboratories

on 10/06/2025

In October 2023, we audited Silence Laboratories’ DKLs23 threshold signature scheme (TSS) library—one of the first production implementations of this then-novel protocol that uses oblivious transfer (OT) instead of traditional Paillier cryptography. Our review uncovered serious flaws that could enable key destruction attacks, which Silence Laboratories promptly fixed. [...]

Security maturity, complexity, and bug bounty program effectiveness: A deep dive

by Eleanor Barlow on 10/06/2025

There are three key elements that, when combined, support the planning of a bug bounty program to attract the right researchers. These three components are the attack surface, security maturity, and asset complexity. In this article, we explore each of these elements, how they impact one another, and their influence on bug bounty programs. What defines an attack surface? And ho… [...]

Puny-Code, 0-Click Account Takeover | @YShahinzadeh & @AmirMSafari | #NahamCon2025

on 09/06/2025

Path Traversal Vulnerability in Lila Project

on 09/06/2025

Lichess disclosed a bug submitted by immm: https://hackerone.com/reports/3181066 [...]

New Way to Covertly Track Android Users

on 09/06/2025

Researchers have discovered a new way to covertly track Android users. Both Meta and Yandex were using it, but have suddenly stopped now that they have been caught. The details are interesting, and worth reading in detail: Tracking code that Meta and Russia-based Yandex embed into millions of websites is de-anonymizing visitors by abusing legitimate Internet protocols, causing Chrome and other bro [...]

IDOR Vulnerability at AddTagToAssets operation name

on 08/06/2025

HackerOne disclosed a bug submitted by root_geek280: https://hackerone.com/reports/2633771 [...]

Friday Squid Blogging: Squid Run in Southern New England

on 06/06/2025

Southern New England is having the best squid run in years. As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered. [...]

ImageId Format Injection in Image Upload Endpoint

on 06/06/2025

Lichess disclosed a bug submitted by oblivionsage: https://hackerone.com/reports/3175928 [...]

Hearing on the Federal Government and AI

on 06/06/2025

On Thursday I testified before the House Committee on Oversight and Government Reform at a hearing titled “The Federal Government in the Age of Artificial Intelligence.” The other speakers mostly talked about how cool AI was—and sometimes about how cool their own company was—but I was asked by the Democrats to specifically talk about DOGE and the risks of exfiltrating our d [...]

Getting Started with HackTheBox in 2025 | Cheatsheet Inside

on 06/06/2025

Report on the Malicious Uses of AI

on 06/06/2025

OpenAI just published its annual report on malicious uses of AI. By using AI as a force multiplier for our expert investigative teams, in the three months since our last report we’ve been able to detect, disrupt and expose abusive activity including social engineering, cyber espionage, deceptive employment schemes, covert influence operations and scams. These operations originated in many parts o [...]

1 Click Account Takeover via Auth Token Theft on marketing.hostinger.com

on 06/06/2025

hostinger disclosed a bug submitted by aziz0x48: https://hackerone.com/reports/3081691 [...]

The One Thing You Keep Forgetting About Broad Scope -ShuffelDNS

on 06/06/2025

Proxy Services Feast on Ukraine’s IP Address Exodus

by BrianKrebs on 05/06/2025

Image: Mark Rademaker, via Shutterstock. Ukraine has seen nearly one-fifth of its Internet space come under Russian control or sold to Internet address brokers since February 2022, a new study finds. The analysis indicates large chunks of Ukrainian Internet address space are now in the hands of shadowy proxy and anonymity services that are nested at some of America’s largest Internet service [...]

Impress Interviewers With This IT Weekend Project!

on 05/06/2025

Addressing API Security with NIST SP 800-228

by Tim Erlin on 05/06/2025

According to the Wallarm Q1 2025 ThreatStats report, 70% of all application attacks target APIs. The industry can no longer treat API security as a sidenote; it’s time to treat it as the main event. NIST seems to be on board with this view, releasing the initial public draft of NIST SP 800-228, a set of recommendations for securing APIs. I recently sat down with AJ Debole, Field CISO at Oracl [...]

DoS Vulnerability via Cache Poisoning on cdn.shopify.com and shopify-assets.shopifycdn.com

on 04/06/2025

Shopify disclosed a bug submitted by bassem_sadaqah: https://hackerone.com/reports/1695604 - Bounty: $3800 [...]

🔴 LIVE: Conti Ransomware | Cybersecurity | TryHackme | AMA

on 04/06/2025

returnUrl= allows attacker to redirect users to another phishing website and take over credentials

on 04/06/2025

Insightly disclosed a bug submitted by basant0x01: https://hackerone.com/reports/1544236 [...]

The Ramifications of Ukraine’s Drone Attack

on 04/06/2025

You can read the details of Operation Spiderweb elsewhere. What interests me are the implications for future warfare: If the Ukrainians could sneak drones so close to major air bases in a police state such as Russia, what is to prevent the Chinese from doing the same with U.S. air bases? Or the Pakistanis with Indian air bases? Or the North Koreans with South Korean air bases? Militaries that thou [...]

CVE-2025-5399: WebSocket endless loop

on 04/06/2025

curl disclosed a bug submitted by z2_: https://hackerone.com/reports/3168039 [...]

What does it take to become CREST-accredited? Top 10 questions answered

by Eleanor Barlow on 04/06/2025

Reputation – What is CREST? CREST is the gold standard for quality assurance accreditation in the cybersecurity industry. It is a globally recognised not-for-profit cybersecurity authority that rigorously assesses organisations against stringent standards for quality, technical proficiency, and operational integrity. ‘Keeping information safe in today’s digital world is a s… [...]

What Is ASLR and Why Does It Matter?

on 03/06/2025

Server-Side Request Forgery (SSRF) via Game Export API

on 03/06/2025

Lichess disclosed a bug submitted by oblivionsage: https://hackerone.com/reports/3165242 [...]

New Linux Vulnerabilities

on 03/06/2025

They’re interesting: Tracked as CVE-2025-5054 and CVE-2025-4598, both vulnerabilities are race condition bugs that could enable a local attacker to obtain access to sensitive information. Tools like Apport and systemd-coredump are designed to handle crash reporting and core dumps in Linux systems. […] “This means that if a local attacker manages to induce a crash in a priv [...]

IDOR: Account Deletion via Session Misbinding Attacker Can Delete Victim Account

on 03/06/2025

Mozilla disclosed a bug submitted by z3phyrus: https://hackerone.com/reports/3154983 - Bounty: $6000 [...]

Discovering hidden parameters: An advanced guide

by blackbird-eu on 03/06/2025

Reconnaissance plays an integral part in bug bounty hunting, with hidden parameter discovery an even more crucial role as they are often left with inadequate validation. Making these types of parameters usually more susceptible to common injection vulnerabilities such as SQLs, XSS, IDORs and even command injections. In this article, we will cover 5 various ways to detect possi… [...]

Top 10 Bug Bounty Bits - Tip2 - 3 ways to test for BAC

on 02/06/2025

The XSS Rat - Underground rats By Nimble [Music Video]

on 02/06/2025

#NahamCon2025 Day 1 Keynote: Hacking, Prompt Engineering, and the Future of Pentesting with AI

on 02/06/2025

Top 10 Bug Bounty Bits - Tip1 - XSS Detection Techniques

on 31/05/2025

Public GitHub repositories for multiple HackerOne managed triage team profiles contain private HackerOne reports information

on 31/05/2025

HackerOne disclosed a bug submitted by w2w: https://hackerone.com/reports/2937622 - Bounty: $1200 [...]

How Hackers Establish Persistence

on 30/05/2025

Sustaining Digital Certificate Security - Upcoming Changes to the Chrome Root Store

on 30/05/2025

Posted by Chrome Root Program, Chrome Security Team Note: Google Chrome communicated its removal of default trust of Chunghwa Telecom and Netlock in the public forum on May 30, 2025. The Chrome Root Program Policy states that Certification Authority (CA) certificates included in the Chrome Root Store must provide value to Chrome end users that exceeds the risk of their continued inclusion. It [...]

Malware & Hackers Evade Antivirus with Windows Sandbox

on 30/05/2025

A deep dive into Axiom’s Halo2 circuits

on 30/05/2025

Over two audits in 2023, we reviewed a blockchain system developed by Axiom that allows computing over the entire history of Ethereum, all verified by zero-knowledge proofs (ZKPs) on-chain using ZK-verified elliptic curve and SNARK recursion operations. This system is built using the Halo2 framework—a complex, emerging technology that presents many challenges when building a secure application, in [...]

PortSwigger Honored with the King's Award for Enterprise in International Trade

on 30/05/2025

We’re proud to announce that PortSwigger has been awarded the prestigious King’s Award for Enterprise in the category of International Trade - a recognition that reflects our sustained international s [...]

Information Disclosure of metrics fax.wavecell.com/metrics

on 30/05/2025

8x8 Bounty disclosed a bug submitted by kauenavarro: https://hackerone.com/reports/1365076 [...]

Facebook Username Takeover via Broken Link in Footer

on 30/05/2025

Omise disclosed a bug submitted by vulnerability_is_here: https://hackerone.com/reports/3119034 [...]

U.S. Sanctions Cloud Provider ‘Funnull’ as Top Source of ‘Pig Butchering’ Scams

by BrianKrebs on 30/05/2025

Image: Shutterstock, ArtHead. The U.S. government today imposed economic sanctions on Funnull Technology Inc., a Philippines-based company that provides computer infrastructure for hundreds of thousands of websites involved in virtual currency investment scams known as “pig butchering.” In January 2025, KrebsOnSecurity detailed how Funnull was being used as a content delivery network that ca [...]

Pipe To Vim

on 29/05/2025

Vibe Coding in Cursor for Cyber Security

on 29/05/2025

How Swiss Cheese is Like Cybersecurity

on 29/05/2025

hackers weaponize... really long filenames??

on 29/05/2025

Apache Airflow Fab Provider: Application does not invalidate session after password change via Airflow cli

on 29/05/2025

Internet Bug Bounty disclosed a bug submitted by saurabhb: https://hackerone.com/reports/3073507 [...]

Meet Burp Suite DAST: Your questions answered

on 29/05/2025

We recently hosted a webinar to introduce Burp Suite DAST, the new name for Burp Suite Enterprise Edition, the best-in-class, automated web application and API security scanning solution for modern Ap [...]

CISO Spotlight: Mike Wilkes on Building Resilience in an Evolving Threat Landscape

by Tim Erlin on 29/05/2025

Mike Wilkes has had a career many cybersecurity professionals could only dream of. An adjunct professor, former CISO of Marvel and MLS, member of the World Economic Forum, drummer, and board member at the National Jazz Museum in Harlem, his interests and achievements are as eclectic as they are impressive. In the first edition of CISO Spotlight, we sat down with Mike to explore the skill [...]

The Custodial Stablecoin Rekt Test

on 29/05/2025

Introducing the Custodial Stablecoin Rekt Test; a new spin on the classic Rekt Test for evaluating the security maturity of stablecoin issuers. [...]

LIVE: HackTheBox | Pentesting | AppSec | Cybersecurity

on 28/05/2025

Pakistan Arrests 21 in ‘Heartsender’ Malware Service

by BrianKrebs on 28/05/2025

Authorities in Pakistan have arrested 21 individuals accused of operating “Heartsender,” a once popular spam and malware dissemination service that operated for more than a decade. The main clientele for HeartSender were organized crime groups that tried to trick victim companies into making payments to a third party, and its alleged proprietors were publicly identified by KrebsOnSecur [...]

Remote Code Execution via unsafe usage of `reply.view({ raw })` in @fastify/view (EJS template engine)

on 28/05/2025

Fastify disclosed a bug submitted by oblivionsage: https://hackerone.com/reports/3122019 [...]

This Sneaky Malware Uses Cloudflare to Steal Your Password

on 28/05/2025

RCE via deserialization with a class allowlist bypass and DNS exfiltration with Arthur Aires

on 28/05/2025

CVE-2025-5025: No QUIC certificate pinning with wolfSSL

on 28/05/2025

curl disclosed a bug submitted by kurohiro: https://hackerone.com/reports/3153497 [...]

CVE-2025-4947: QUIC certificate check skip with wolfSSL

on 28/05/2025

curl disclosed a bug submitted by kurohiro: https://hackerone.com/reports/3150884 [...]

Non-Production API Endpoints for the bedrock-agent Service Fail to Log to CloudTrail Resulting in Silent Permission Enumeration

on 28/05/2025

AWS VDP disclosed a bug submitted by nick_frichette_dd: https://hackerone.com/reports/2800091 [...]

Non-Production API Endpoints for the bedrock Service Fail to Log to CloudTrail Resulting in Silent Permission Enumeration

on 28/05/2025

AWS VDP disclosed a bug submitted by nick_frichette_dd: https://hackerone.com/reports/2951803 [...]

Non-Production API Endpoint for the EventBridge Service Fails to Log to CloudTrail Resulting in Silent Permission Enumeration

on 28/05/2025

AWS VDP disclosed a bug submitted by nick_frichette_dd: https://hackerone.com/reports/3021618 [...]

Non-Production API Endpoints for the Global Accelerator Service Fail to Log to CloudTrail Resulting in Silent Permission Enumeration

on 28/05/2025

AWS VDP disclosed a bug submitted by nick_frichette_dd: https://hackerone.com/reports/3029552 [...]

Non-Production API Endpoints for the Health Service Fail to Log to CloudTrail Resulting in Silent Permission Enumeration

on 28/05/2025

AWS VDP disclosed a bug submitted by nick_frichette_dd: https://hackerone.com/reports/3042588 [...]

Amazon Pinpoint SMS and Voice, version 2 Service Reporting "AWS Internal" for CloudTrail Events Generated from FIPS Endpoints

on 28/05/2025

AWS VDP disclosed a bug submitted by nick_frichette_dd: https://hackerone.com/reports/3072841 [...]

Amazon Kendra Intelligent Ranking Service Reporting "AWS Internal" for CloudTrail Events Generated from FIPS Endpoints

on 28/05/2025

AWS VDP disclosed a bug submitted by nick_frichette_dd: https://hackerone.com/reports/3044471 [...]

Sources

The content of this page is fetched from the following sources:

  1. Datadog Security Labs
  2. The Trail of Bits Blog
  3. Phylum Research | Software Supply Chain Security
  4. Schneier on Security
  5. Krebs on Security
  6. Google Online Security Blog
  7. $BLOG_TITLE
  8. Agarri : Sécurité informatique offensive
  9. Alex Chapman's Blog
  10. www.alphabot.com
  11. Brett Buerhaus
  12. Bug Bounty Reports Explained
  13. Bugcrowd
  14. cat ~/footstep.ninja/blog.txt
  15. Ezequiel Pereira
  16. HackerOne
  17. surajdisoja.me
  18. InsiderPhD
  19. Intigriti
  20. John Hammond
  21. LiveOverflow
  22. NahamSec
  23. PortSwigger Blog
  24. Rana Khalil
  25. Richard’s Infosec blog
  26. Ron Chan
  27. ropnop blog
  28. STÖK
  29. Sun Knudsen
  30. The Cyber Mentor
  31. The unofficial HackerOne disclosure timeline
  32. HackerRats (XSS Rat)
  33. TomNomNom
  34. Wallarm