InfoSec Planet
A collection of diverse security content from a curated list of sources. This website also serves as a demo for "worker-planet", the software that powers it.
AI Control Platform vs. AI Firewall vs. AI Gateway: Clearing Up The Terminology
by Tim Erlin on 13/07/2026
Editor's note: This article was originally published by Tim Erlin on LinkedIn. It has been republished here with the author's permission. https://www.linkedin.com/pulse/ai-control-platform-vs-firewall-gateway-clearing-up-tim-erlin-ypodc
It seems like every security vendor now sells "AI security." The WAF companies, the API gateway companies, the cloud platforms, the proxy startups: all of them [...]
See full content
SELECT ... INTO OUTFILE does not enforce the FILE WRITE privilege unprivileged arbitrary file write on the server
on 13/07/2026
SingleStore disclosed a bug submitted by bisht-ji: https://hackerone.com/reports/3780695 [...]
See full content
Lessons Learned from CISA’s Recent GitHub Leak
by BrianKrebs on 13/07/2026
The Cybersecurity and Infrastructure Security Agency (CISA) has issued a postmortem on a recent data leak in which a contractor published dozens of internal CISA credentials — including AWS Govcloud keys — in a public GitHub repository for almost six months before being notified by KrebsOnSecurity. Experts say the gaps identified in the agency’s initial response provide important [...]
See full content
Payload Podcast 009 - Steven Flores
on 13/07/2026
See full content
This Hacker Made $8,000 Hacking a Major Retailer's AI Chatbot Over DNS (Live Demo!)
on 13/07/2026
See full content
AI Data Centers and the Concentration of Wealth
on 13/07/2026
This essay was written with Nathan E. Sanders, and originally appeared in The Guardian.
Opposition to AI data centers has emerged as a primary theme in US politics, one that—surprisingly—doesn’t fall along party lines. We applaud people coming together for constructive debate on any issue, and agree that communities need to evaluate whether any economic benefits these data center [...]
See full content
Rust-proof your code with our new Testing Handbook chapter
on 13/07/2026
We’ve added a new chapter to our Testing Handbook: a comprehensive guide to security testing Rust programs. This chapter covers the tools and techniques we use at Trail of Bits to validate the security of Rust programs and systems.
fn
main()
{(|f:&dyn
Fn(u128)->Box<
dyn Iterator<Item=
char>+'static>|f(*[&(
0x7B736D70683F73u128<<64|
0x7A6A6D7C3F7A667D),&(0x7B73 [...]
See full content
NEW AI Hacking Challenges with Andrew Bellini!
on 11/07/2026
See full content
Friday Squid Blogging: “Squidbleed” Vulnerability
on 10/07/2026
In a rare combined cybersecurity/squid post, a twenty-nine-year-old squid proxy bug can leak HTTP requests.
As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered.
Blog moderation policy.
[...]
See full content
Soft Skills for the Job Market: Applying for Jobs
on 10/07/2026
See full content
The most severe exposure lives in the quiet overlap between tech, people, and process. ♾️
on 10/07/2026
See full content
Fake Microsoft Installer
on 10/07/2026
See full content
AI Surveillance and Social Progress
on 10/07/2026
In the near future, AI-powered surveillance systems will be able to track everything we do in public, and much of what we do in private. And if we do something wrong—shoplift, litter, jaywalk, you name it—the system will notice, retain it, tie it to your official government record, communicate that fact to you, and provide real-time alerts to any relevant authorities… and maybe a [...]
See full content
See you at Black Hat USA 2026!
on 09/07/2026
See full content
Kiro IDE Stores Auth Tokens with World-Readable Permissions (0644)
on 09/07/2026
AWS VDP disclosed a bug submitted by mistercloudsec: https://hackerone.com/reports/3630605 [...]
See full content
The Language of AI Could Change How Humans Speak
on 09/07/2026
Because of the way they are trained, large language models capture only a slice of human language. They’re trained on the written word, from textbooks to social media posts, and our speech as captured in movies and on television. These models have minimal access to the unscripted conversations we have face to face or voice to voice. This is the vast majority of speech, and a vital component [...]
See full content
Heading to Vegas? Meet PortSwigger at Black Hat, BSides, and DEF CON 34.
on 09/07/2026
First hand of the week: Find us at BSides Workshop: Burp But Yours, with Hannah and Tib3rius Center stage: Visit us at Black Hat USA - Booth 5342 Lightning talks at the booth Catch our researchers' br [...]
See full content
Not-so-anonymous telemetry: The @injectivelabs/sdk-ts backdoor
on 09/07/2026
A malicious commit disguised as SDK telemetry briefly compromised @injectivelabs/sdk-ts, exfiltrating wallet mnemonics and private keys. [...]
See full content
LIVE: 1 Million Subscribers | DEF CON/Summer Camp Giveaway
on 08/07/2026
See full content
TeamPCP Attention
on 08/07/2026
See full content
Welcome to the best security page ever.
on 08/07/2026
See full content
Felons, Fraudsters Flog Offensive Cybersecurity Startup
by BrianKrebs on 08/07/2026
A cybersecurity startup dangling millions of dollars to acquire zero-day security vulnerabilities in popular software is run by a pair of far-right conspiracy theorists and convicted felons whose most recent ventures included fake intelligence companies and a now-defunct AI-based lobbying platform they operated under assumed names.
The X/Twitter account IRIS C2 (@C2IRIS) has gained more than 4,000 [...]
See full content
Cybersecurity and the Gap Between Skill and Ability
on 08/07/2026
Last week, national security agencies from the Five Eyes—that’s the rich, English-language-speaking countries club—jointly released a statement warning of the increasing cyber risks of AI models: in particular, their ability to autonomously hack into systems and networks. The statement was more measured than some of the breathless headlines about it, and the advice they gave is p [...]
See full content
Mutation testing comes to DAML
on 08/07/2026
In April we released Mewt, our open-source mutation-testing engine that finds the gaps in your test suite. Today we’re expanding it with support for DAML, the language Canton Network applications are written in. Mewt now reads DAML, generates several classes of mutants (including two built for DAML’s authorization primitives), and runs them through your existing test suite to count how many [...]
See full content
Coordinated GitHub API enumeration and access token abuse
on 08/07/2026
Datadog Security Research has tracked multiple coordinated campaigns enumerating GitHub organizations, repositories, and users through the public GitHub API, abusing leaked access tokens, and cloning private repositories. [...]
See full content
Google Is Suing Chinese Scammers Who Are Using Gemini
on 07/07/2026
Not sure this will have any effect, but I support the effort:
According to Google’s legal filing, Outsider Enterprise operates through Telegram. The group offers phishing-as-a-service to individuals who may not be technically savvy enough to set up fraudulent websites and text campaigns on their own. In its Telegram channels, Outsider Enterprise reportedly provided instructions on how to use [...]
See full content
OS Command Injection in `aws-cdk-lib` NodejsFunction via Unsanitized `OsCommand` Helper (Supply Chain RCE)
on 06/07/2026
AWS VDP disclosed a bug submitted by kaporia: https://hackerone.com/reports/3637898 [...]
See full content
Stop what you're doing
on 06/07/2026
See full content
Open Source Malware
on 06/07/2026
See full content
I Made an AI Agent That Reverses CVEs While I Sleep
on 06/07/2026
See full content
France to Stop Certifying Non-Quantum-Safe Encryption
on 06/07/2026
France is accelerating its transition to post-quantum encryption:
France’s cybersecurity agency ANSSI said on Tuesday it would stop certifying security products that lack quantum-resistant encryption, a move that will force government bodies and critical operators to shift away from older systems.
Samih Souissi, ANSSI’s chief of staff, said at the France Quantum conference that the age [...]
See full content
THE MOD WORKS! lets improve it
on 06/07/2026
See full content
Entra Agent ID: Protect, detect, respond
on 06/07/2026
This post continues and concludes our series on Agent ID, by outlining steps that an administrator or security team can take to secure blueprints and agent identities created in their local Entra ID tenant. [...]
See full content
the vibe continues
on 05/07/2026
See full content
Any installed app can force immediate logout and persistent DOS of authenticated Basecamp sessions via unprotected exported StartActivity
on 04/07/2026
Basecamp disclosed a bug submitted by zerodaysec_xyz: https://hackerone.com/reports/3764217 - Bounty: $287 [...]
See full content
let's vibe
on 04/07/2026
See full content
admin.shopify.com: Shopify Flow continues sending internal emails to a configured recipient after the staff author is removed
on 03/07/2026
Shopify disclosed a bug submitted by abahack: https://hackerone.com/reports/3628961 [...]
See full content
Are your employees using AI?
on 03/07/2026
See full content
Flock Cameras Can Surveil Cars Without License Plates
on 03/07/2026
This is from a 2024 company presentation:
Officers can also tap into data showing a car’s decals, bumper stickers, back and top racks—along with temporary and unique state tags.
Flock calls it a “Vehicle Fingerprint” and it’s touted as a way for law enforcement officials to get more information “even when you don’t have full plate information,” the c [...]
See full content
FBI Seizes NetNut Proxy Platform, Popa Botnet
by BrianKrebs on 02/07/2026
The Federal Bureau of Investigation (FBI) said today it worked with industry partners to seize hundreds of domains associated with NetNut, a sprawling residential proxy service operated by the publicly-traded Israeli company Alarum Technologies [NASDAQ: ALAR]. The action comes roughly two weeks after KrebsOnSecurity published findings from multiple security firms connecting NetNut to the Popa botn [...]
See full content
Non-Production API Endpoints for the Amazon S3 Tables Service Fails to Log to CloudTrail Resulting in Silent Permission Enumeration
on 02/07/2026
AWS VDP disclosed a bug submitted by nick_frichette_dd: https://hackerone.com/reports/3780277 [...]
See full content
We get this question a lot
on 02/07/2026
See full content
jitsi-meet: Prosody/Jigasi missing header whitelist in mod_filter_iq_rayo allows arbitrary SIP header injection and Caller ID spoofing
on 02/07/2026
8x8 disclosed a bug submitted by pmgjoe: https://hackerone.com/reports/3789570 - Bounty: $100 [...]
See full content
jitsi-call-analytics: Unauthenticated arbitrary file write via path traversal in `/api/v1/uploads/analyze`
on 02/07/2026
8x8 disclosed a bug submitted by r1skr1der: https://hackerone.com/reports/3485343 - Bounty: $100 [...]
See full content
Yelp for Business: locked Email field silently editable via API
on 02/07/2026
Yelp disclosed a bug submitted by 0xmanticore: https://hackerone.com/reports/3766455 [...]
See full content
Celebrating 1 Million Subscribers on July 8th!
on 02/07/2026
See full content
Cybersecurity Mission Creep in the US
on 02/07/2026
Interesting paper: “Cybersecurity Mission Creep.”
Abstract: Cybersecurity is experiencing mission creep. Policymakers are casting more and more problems as issues of cybersecurity. So reframed, wildly different policy issues, from misinformation, to child social media safety laws, to antitrust regulations, to alleged journalist misconduct, to anti-sex trafficking statutes become what t [...]
See full content
GPT-5.5-Cyber built a zlib fuzzing lab in a day
on 02/07/2026
We’re running Patch the Planet, an ongoing collaboration with OpenAI that pairs Trail of Bits engineers directly with more than 30 open-source projects. Its goal is to front-run a serious problem facing open-source maintainers: highly capable models like GPT-5.5-Cyber will soon create a firehose of bug reports, and OSS maintainers are already spread thin. Our plan is to point OpenAI’s latest model [...]
See full content
Splatoon 3 In-Match Integrity Bypass via Consensus Reflection Attack on Unordered Peer Submission
on 02/07/2026
Nintendo disclosed a bug submitted by hana2736: https://hackerone.com/reports/3559522 [...]
See full content
[Splatoon 3] Kick other players with NplnLogin message
on 02/07/2026
Nintendo disclosed a bug submitted by alzxk11: https://hackerone.com/reports/3813932 [...]
See full content
Exceeding the maximum number of spaces allowed by exploiting a Race Condition in the Workspace creation process
on 01/07/2026
SingleStore disclosed a bug submitted by bl4ck-: https://hackerone.com/reports/3295500 [...]
See full content
Insecure Direct Object Reference (IDOR) allows creating folders.
on 01/07/2026
SingleStore disclosed a bug submitted by bl4ck-: https://hackerone.com/reports/3353057 [...]
See full content
Delete any folder for any user within the organization
on 01/07/2026
SingleStore disclosed a bug submitted by bl4ck-: https://hackerone.com/reports/3353035 [...]
See full content
Privilege Escalation Access to the Alert Subscribers page for users with low privileges
on 01/07/2026
SingleStore disclosed a bug submitted by bl4ck-: https://hackerone.com/reports/3353000 [...]
See full content
Improper Input Validation HTTP Response Parser Unconditionally Accepts Bare CR in Status Line
on 01/07/2026
Node.js disclosed a bug submitted by saif-01: https://hackerone.com/reports/3648681 [...]
See full content
Beyond Usernames
on 01/07/2026
See full content
Papa Johns Surveillance-Based Advertising
on 01/07/2026
Papa Johns is spying on people’s buying activities to predict when they are low on food:
The pizza chain recently tapped NBCUniversal, Instacart and the dentsu-owned media agency Carat for help reaching consumers when they’re low on groceries—and thus more likely to be swayed by a mouth-watering ad. The idea is to reach hungry consumers by “knowing what is in their fridge w [...]
See full content
Backdoors & Breaches: New scenarios and adaptations
on 01/07/2026
Sharing new scenarios and adaptations to play the Datadog expansion pack of Backdoors & Breaches. [...]
See full content
Beyond CTF Labs
on 30/06/2026
See full content
heap-use-after-free in curl_easy_cleanup() called from callback
on 30/06/2026
curl disclosed a bug submitted by carehi1324: https://hackerone.com/reports/3833577 [...]
See full content
setopt(VERIFYPEER) from callback bypasses TLS verify on connection reuse
on 30/06/2026
curl disclosed a bug submitted by a6b30108: https://hackerone.com/reports/3831432 [...]
See full content
Shipping post-quantum cryptography to Python
on 30/06/2026
Post-quantum cryptography is now one pip-install away for the entire Python ecosystem. With funding from the Sovereign Tech Agency, we implemented support for ML-KEM, the NIST-standard key-establishment primitive, and ML-DSA, the NIST-standard digital-signature primitive, in pyca/cryptography.
On June 22, 2026, the White House ordered the U.S. government to accelerate its transition to post-quantu [...]
See full content
ssh_config_matches is dead code: unauthorized SSH key reuse
on 30/06/2026
curl disclosed a bug submitted by bigtang: https://hackerone.com/reports/3826843 [...]
See full content
CURLSHOPT_UNSHARE race can cause UAF in shared SSL session cache during HTTPS transfer
on 30/06/2026
curl disclosed a bug submitted by smaeljaish771: https://hackerone.com/reports/3831345 [...]
See full content
libcurl upload read callbacks miss recursive API guard, allowing prohibited multi API reentry and ASAN-confirmed UAF
on 30/06/2026
curl disclosed a bug submitted by th3hound: https://hackerone.com/reports/3832393 [...]
See full content
Denial of Service (DoS) Vulnerability in Drafts Creation Endpoint
on 30/06/2026
Discourse disclosed a bug submitted by dpaysm: https://hackerone.com/reports/3400140 - Bounty: $1024 [...]
See full content
Annual testing starts to look a little dusty when...
on 29/06/2026
See full content
Inverted ternary in peerlist_manager::filter() allows unlimited whitelist entries per host via different ports
on 29/06/2026
Monero disclosed a bug submitted by kklam32: https://hackerone.com/reports/3547349 [...]
See full content
Remote node DOS
on 29/06/2026
Monero disclosed a bug submitted by xnbya: https://hackerone.com/reports/876530 [...]
See full content
ConsentFix Exposed
on 29/06/2026
See full content
Inside H1-813 Live Hacking Event with Salesforce in Tokyo
on 29/06/2026
See full content
Reconnaissance for exposure management: why context matters in the AI era
by Radu Voloaga on 29/06/2026
Over the last few weeks, we’ve explored what AI is changing in security: discovery is faster (Vulnpocalypse now?), volume is higher (Common AI misconceptions debugged!), and the human layer triage (The AI Impact), judgment, and prioritization has become more important, not less (CEO Insights). But there’s a deeper implication hiding underneath all of that: most security teams still only learn from [...]
See full content
UAF read in mev_pollset_diff() trace path after curl_easy_pause() in socket callback
on 28/06/2026
curl disclosed a bug submitted by homanp: https://hackerone.com/reports/3824303 [...]
See full content
Use-after-free in `mev_forget_socket` when `curl_easy_pause()` is called from a `CURL_POLL_REMOVE` socket callback (incomplete fix of CVE-2026-9080)
on 28/06/2026
curl disclosed a bug submitted by stze: https://hackerone.com/reports/3823985 [...]
See full content
How to pentest - 101 [CNWPP] deliverables + basic network hacking
on 27/06/2026
See full content
Exploiting insecure cookie policies
by Aurélien on 27/06/2026
Cookies are one of the most fundamental building blocks of the modern web, and yet they are often overlooked from a security perspective. When misconfigured, they can potentially lead to exposure of sensitive session data, enable several client-side attacks, and in severe cases, even allow attackers to impersonate users completely.
In this article, we'll explore what cookies are, how they work and [...]
See full content
Security debt has a nasty interest rate.
on 26/06/2026
See full content
Facebook Phishing Fails
on 26/06/2026
See full content
Real Folks of Cyber | Pearce Barry | Day in the Life
on 26/06/2026
See full content
mbedTLS / wolfSSL / rustls backends silently skip hostname verification when CURLOPT_SSL_VERIFYPEER=0
on 26/06/2026
curl disclosed a bug submitted by b1gtang: https://hackerone.com/reports/3826199 [...]
See full content
CURLOPT_HAPROXY_CLIENT_IP lacks input validation, enabling HAProxy PROXY protocol injection
on 26/06/2026
curl disclosed a bug submitted by tneelc: https://hackerone.com/reports/3823932 [...]
See full content
Intigriti Bug Bytes #237 - June 2026 🚀
by Ayoub on 26/06/2026
Hi hackers,
Welcome to the latest edition of Bug Bytes! In this month's issue, we are featuring:
A 10-year-old pre-auth RCE in phpBB
Earning $500K hacking Google with AI
Reading any Salesforce Marketing Cloud account's emails
New DOMPurify sanitizer bypass
Mapping abandoned S3 buckets to redo SolarWinds at scale
And so much more! Let's dive in!
Using AI the smart way: interview with Cristian [...]
See full content
Introducing GuardDog 3.0: A new rules engine, transparent sandboxing, and more
on 26/06/2026
Release of GuardDog 3.0, an open-source tool to identify malicious packages, featuring a new YARA-based rules engine, a risk scoring engine, and built-in sandboxing. [...]
See full content
Getting Started with the TCM Security Academy
on 25/06/2026
See full content
Disable SmartScreen Fast
on 25/06/2026
See full content
PHP code injection in delivery-limitation `logical` validation bypass - XML-RPC setChannelTargeting
on 25/06/2026
Revive Adserver disclosed a bug submitted by doomtech: https://hackerone.com/reports/3781492 [...]
See full content
XMLRPC login leak exposes valid session ID enabling unauthorized API access
on 25/06/2026
Revive Adserver disclosed a bug submitted by garuthacktvist: https://hackerone.com/reports/3783738 [...]
See full content
Reflected XSS via unsanitised refresh parameter in zone invocation tag
on 25/06/2026
Revive Adserver disclosed a bug submitted by kanon4: https://hackerone.com/reports/3780806 [...]
See full content
PHP code injection in delivery-limitation `logical` validation bypass
on 25/06/2026
Revive Adserver disclosed a bug submitted by riodrwn: https://hackerone.com/reports/3780854 [...]
See full content
Stored XSS in maintenance tools via unescaped entity names
on 25/06/2026
Revive Adserver disclosed a bug submitted by an_gr_y: https://hackerone.com/reports/3781311 [...]
See full content
CSRF in zoneinclude.php allows unauthorized banner and campaign linking
on 25/06/2026
Revive Adserver disclosed a bug submitted by an_gr_y: https://hackerone.com/reports/3781691 [...]
See full content
Missing ownership validation allows crossmanager trackercampaign linking
on 25/06/2026
Revive Adserver disclosed a bug submitted by hakuopi: https://hackerone.com/reports/3780709 [...]
See full content
Reflected XSS in statsvideo.php via improperly encoded URL parameters
on 25/06/2026
Revive Adserver disclosed a bug submitted by kanon4: https://hackerone.com/reports/3793243 [...]
See full content
HTTP Response Queue Poisoning via TOCTOU Race Condition in `http.Agent`
on 25/06/2026
Node.js disclosed a bug submitted by yushengchen: https://hackerone.com/reports/3582376 [...]
See full content
Unix domain socket server bypasses --permission network restrictions (incomplete CVE-2026-21636 fix)
on 25/06/2026
Node.js disclosed a bug submitted by cyberjoker: https://hackerone.com/reports/3618831 [...]
See full content
Node.js unicode dot separator handling can lead to tls wildcard-depth authentication bypass due to resolver and verifier hostname normalization mismat
on 25/06/2026
Node.js disclosed a bug submitted by tmeletlidis: https://hackerone.com/reports/3688064 [...]
See full content
Uppercase sni context matching can lead to mtls authorization bypass due to case-sensitive hostname matching
on 25/06/2026
Node.js disclosed a bug submitted by tmeletlidis: https://hackerone.com/reports/3656869 [...]
See full content
TLS host identity verification bypass via session reuse with different servername leads to unauthorized connections
on 25/06/2026
Node.js disclosed a bug submitted by 3d7omb: https://hackerone.com/reports/3649802 [...]
See full content
Permission Model bypass via FileHandle.utimes() in the promises API
on 25/06/2026
Node.js disclosed a bug submitted by muhammaddaffa: https://hackerone.com/reports/3625987 [...]
See full content
Proxy credentials leaked in ERR_PROXY_TUNNEL error message
on 25/06/2026
Node.js disclosed a bug submitted by nssys: https://hackerone.com/reports/3720313 [...]
See full content