InfoSec Planet

A collection of diverse security content from a curated list of sources. This website also serves as a demo for "worker-planet", the software that powers it.

My Team Hacked KnightCTF 2025!

on 20/01/2025

See full content

Bug Bounty Stream Q and A - Launch Bug Bounty Guide 2025

on 20/01/2025

See full content

Hunting Scam Popups

on 20/01/2025

See full content

Stop Submitting Duplicate Bug Reports in 2025 (Bug Bounty) 🎯

on 20/01/2025

See full content

Biden Signs New Cybersecurity Order

on 20/01/2025

President Biden has signed a new cybersecurity order. It has a bunch of provisions, most notably using the US government's procurement power to improve cybersecurity practices industry-wide. Some details: The core of the executive order is an array of mandates for protecting government networks based on lessons learned from recent major incidents—namely, the security failures of federal cont [...]

See full content

The State Of Bug Bounties - A YesWeHack Report Reading

on 20/01/2025

See full content

Considerations for Selecting the Best API Authentication Option

by Ivan Novikov on 20/01/2025

Implementing API authentication is one of the most critical stages of API design and development. Properly implemented authentication protects data, user privacy, and other resources while streamlining compliance, preventing fraud, and establishing accountability. In fact, broken authentication is one of the leading causes of API-related breaches. Ultimately, by applying robust authentic [...]

See full content

Object Level access control leads to reading user's full requests, sessions, and error messages

on 18/01/2025

Yelp disclosed a bug submitted by mester_x: https://hackerone.com/reports/2891449 [...]

See full content

CVE-2022-40604: Apache Airflow: Format String Vulnerability

on 18/01/2025

Internet Bug Bounty disclosed a bug submitted by leixiao: https://hackerone.com/reports/1707287 - Bounty: $8000 [...]

See full content

Friday Squid Blogging: Opioid Alternatives from Squid Research

on 17/01/2025

Is there nothing that squid research can’t solve? “If you’re working with an organism like squid that can edit genetic information way better than any other organism, then it makes sense that that might be useful for a therapeutic application like deadening pain,” he said. […] Researchers hope to mimic how squid and octopus use RNA editing in nerve channels that inter [...]

See full content

I Hacked Myself & Analyzed It with Sysmon

on 17/01/2025

See full content

Binary Ninja Scripting with Python!

on 17/01/2025

See full content

Social Engineering to Disable iMessage Protections

on 17/01/2025

I am always interested in new phishing tricks, and watching them spread across the ecosystem. A few days ago I started getting phishing SMS messages with a new twist. They were standard messages about delayed packages or somesuch, with the goal of getting me to click on a link and entering some personal information into a website. But because they came from unknown phone numbers, the links did not [...]

See full content

DORA is here - are you ready?

by Intigriti on 17/01/2025

Today, January 17, 2025, marks a pivotal moment for the EU financial sector as the Digital Operational Resilience Act (DORA) officially comes into effect. Designed to combat the growing threat of cyberattacks, DORA sets a new standard for cybersecurity resilience across financial institutions and their critical ICT service providers. With cyberattacks costing the financial sec… [...]

See full content

Broken Security Promises: How Human-AI Collaboration Rebuilds Developer Trust

on 16/01/2025

See full content

Incorrect security UI of files' download source on brave MacOS

on 16/01/2025

Brave Software disclosed a bug submitted by syarif07: https://hackerone.com/reports/2888770 [...]

See full content

RFID Fun - Arduino RFID Project - Learning Arduino

on 16/01/2025

See full content

Bugcrowd Security Flash: Salt Typhoon

on 16/01/2025

See full content

Chinese Innovations Spawn Wave of Toll Phishing Via SMS

by BrianKrebs on 16/01/2025

Residents across the United States are being inundated with text messages purporting to come from toll road operators like E-ZPass, warning that recipients face fines if a delinquent toll fee remains unpaid. Researchers say the surge in SMS spam coincides with new features added to a popular commercial phishing kit sold in China that makes it simple to set up convincing lures spoofing toll road op [...]

See full content

Decoding Shellcode into Assembly Code - Made Easy!

on 16/01/2025

See full content

OSV-SCALIBR: A library for Software Composition Analysis

on 16/01/2025

Posted by Erik Varga, Vulnerability Management, and Rex Pan, Open Source Security Team. In December 2022, we announced OSV-Scanner, a tool to enable developers to easily scan for vulnerabilities in their open source dependencies. Together with the open source community, we've continued to build this tool, adding remediation features, as well as expanding ecosystem support to 11 programming languages [...]

See full content

Detection Engineering with Wazuh

on 16/01/2025

See full content

FBI Deletes PlugX Malware from Thousands of Computers

on 16/01/2025

According to a DOJ press release, the FBI was able to delete the Chinese-used PlugX malware from “approximately 4,258 U.S.-based computers and networks.” Details: To retrieve information from and send commands to the hacked machines, the malware connects to a command-and-control server that is operated by the hacking group. According to the FBI, at least 45,000 IP addresses in the US h [...]

See full content

Lack of Rate Limiting on Account Creation Endpoint

on 16/01/2025

XVIDEOS disclosed a bug submitted by nagu123: https://hackerone.com/reports/2915502 - Bounty: $200 [...]

See full content

Open URL redirects: A complete guide to exploiting open URL redirect vulnerabilities

by blackbird-eu on 16/01/2025

Open URL redirect vulnerabilities are easy to find as they are quite common in applications. This vulnerability type is also often considered a low-hanging fruit. However, as modern applications get more complex, so do the vulnerabilities. And that also makes it possible to escalate these lower-hanging fruits to higher-severity security issues. Just as we've seen how it is poss… [...]

See full content

Attacker can use any non-enabled capability

on 15/01/2025

Cosmos disclosed a bug submitted by julianor: https://hackerone.com/reports/2930811 - Bounty: $2000 [...]

See full content

LIVE: Blue Team Hangout | PCAP Investigation | AMA

on 15/01/2025

See full content

The State of Cybercrime [2024]

on 15/01/2025

See full content

netrc and redirect credential leak

on 15/01/2025

Internet Bug Bounty disclosed a bug submitted by nyymi: https://hackerone.com/reports/2894283 - Bounty: $505 [...]

See full content

Phishing False Alarm

on 15/01/2025

A very security-conscious company was hit with a (presumed) massive state-actor phishing attack with gift cards, and everyone rallied to combat it—until it turned out it was company management sending the gift cards. [...]

See full content

Innovation in action: Investing in the future of bug bounty

by Intigriti on 15/01/2025

In an industry where security needs evolve as rapidly as the threats themselves, standing still isn't an option. At Intigriti, our commitment to innovation goes beyond mere product development – it's about making strategic investments in solutions that truly matter to our customers and the broader security community. The voice of our customers: Shaping tomorrow's security solu… [...]

See full content

Microsoft: Happy 2025. Here's 161 Security Updates

by BrianKrebs on 14/01/2025

Microsoft today unleashed updates to plug a whopping 161 security vulnerabilities in Windows and related software, including three “zero-day” weaknesses that are already under active attack. Redmond’s inaugural Patch Tuesday of 2025 bundles more fixes than the company has shipped in one go since 2017. Rapid7‘s Adam Barnett says January marks the fourth consecutive month wh [...]

See full content

Information Disclosure: .dockerignore file is publicly accessible

on 14/01/2025

Flickr disclosed a bug submitted by himu_xjjj: https://hackerone.com/reports/2888001 [...]

See full content

Upcoming Speaking Engagements

on 14/01/2025

This is a current list of where and when I am scheduled to speak: I'm speaking on “AI: Trust & Power” at Capricon 45 in Chicago, Illinois, USA, at 11:30 AM on February 7, 2025. I'm also signing books there on Saturday, February 8, starting at 1:45 PM. I'm speaking at Boskone 62 in Boston, Massachusetts, USA, which runs from February 14-16, 2025. I'm speaking at the Rossfest Symposium in Cambr [...]

See full content

Critical Data Breach - Big Data for all domains

on 14/01/2025

Basecamp disclosed a bug submitted by shezxi: https://hackerone.com/reports/2686225 [...]

See full content

BLOB Based Phishing Scams

on 14/01/2025

See full content

The First Password on the Internet

on 14/01/2025

It was created in 1973 by Peter Kirstein: So from the beginning I put password protection on my gateway. This had been done in such a way that even if UK users telephoned directly into the communications computer provided by Darpa in UCL, they would require a password. In fact this was the first password on Arpanet. It proved invaluable in satisfying authorities on both sides of the Atlantic for t [...]

See full content

Blind SSRF Vulnerability in Appstore Release Upload Form

on 14/01/2025

Nextcloud disclosed a bug submitted by offensiveops: https://hackerone.com/reports/2925666 [...]

See full content

WAF bypass and JavaScript's incomplete handling of Unicode characters might lead to DOM XSS

on 13/01/2025

Doppler disclosed a bug submitted by clubbable: https://hackerone.com/reports/2921905 [...]

See full content

Microsoft Takes Legal Action Against AI “Hacking as a Service” Scheme

on 13/01/2025

Not sure this will matter in the end, but it’s a positive move: Microsoft is accusing three individuals of running a “hacking-as-a-service” scheme that was designed to allow the creation of harmful and illicit content using the company’s platform for AI-generated content. The foreign-based defendants developed tools specifically designed to bypass safety guardrails Microsof [...]

See full content

7 Overlooked recon techniques to find more vulnerabilities

by blackbird-eu on 13/01/2025

Reconnaissance is an important phase in bug bounty and in pentesting in general. As every target is unique and as we often do not have access to the code base, we'd need to come up with unique methods to gather useful and accurate data about our target to help us find vulnerabilities. In this article, we will be covering 7 overlooked reconnaissance techniques that you can apply… [...]

See full content

Unauthenticated Path Traversal and Command Injection in Trellix Enterprise Security Manager 11.6.10

on 12/01/2025

Trellix disclosed a bug submitted by r4v: https://hackerone.com/reports/2817658 [...]

See full content

How 3 Hackers Combined Their Skills for Big Bounties! (And how you can do it too)

on 11/01/2025

See full content

What The IDOR!? - IDORs Explained 101

on 11/01/2025

See full content

Top hackers on collaboration, crits and collecting bounty

on 11/01/2025

See full content

Friday Squid Blogging: Cotton-and-Squid-Bone Sponge

on 10/01/2025

News: A sponge made of cotton and squid bone that has absorbed about 99.9% of microplastics in water samples in China could provide an elusive answer to ubiquitous microplastic pollution in water across the globe, a new report suggests. […] The study tested the material in an irrigation ditch, a lake, seawater and a pond, where it removed up to 99.9% of plastic. It addressed 95%-98% of plast [...]

See full content

Learn Active Directory!

on 10/01/2025

See full content

A Partial Victory for AI Researchers

by Ilona Cohen on 10/01/2025

What is the Digital Millennium Copyright Act and what are the implications of its recent ruling for AI researchers? [...]

See full content

The Best FREE Tool to Secure Open Source Software

on 10/01/2025

See full content

Apps That Are Spying on Your Location

on 10/01/2025

404 Media and Wired are reporting on all the apps that are spying on your location, based on a hack of the location data company Gravy Analytics: The thousands of apps, included in hacked files from location data company Gravy Analytics, include everything from games like Candy Crush to dating apps like Tinder, to pregnancy tracking and religious prayer apps across both Android and iOS. Because mu [...]

See full content

Make Burp Suite your own: high-powered extensibility to customize and enhance your testing. 🛠️

on 10/01/2025

Extensibility in Burp Suite is about giving you and your team the power to customize, enhance, and extend Burp Suite to match your testing needs and objectives. This comprises a powerful suite of tool [...]

See full content

āØā€Œć…¤ā©

on 10/01/2025

See full content

AI in your terminal feat. doomerhunter #bugbounty #bugbountytips #bugbountyhunter

on 10/01/2025

See full content

Intigriti Bug Bytes #220 - January 2025 🚀

by blackbird-eu on 10/01/2025

Welcome to the first Bug Bytes of 2025! Each month, we team up with bug bounty experts to bring you insights, platform updates, new programs, and upcoming community events—all to help you find more bugs! Latest Platform Updates Altera, an Intel company, has officially opened its public bug bounty program on our platform! Ready to put your skills to the test and get rewarded… [...]

See full content

HackerOne Live Hacking Event Recap: Edinburgh w/ Amazon and AWS

on 09/01/2025

See full content

Godot Game Used As Malware

on 09/01/2025

See full content

Web cache deception [Spanish - English subtitles]

on 09/01/2025

See full content

Areas of impact in #bugbounty #hack #hacker #hacks

on 09/01/2025

See full content

The extension that integrates Burp with the terminal feat. doomerhunter #bugbounty #bugbountytips #b

on 09/01/2025

See full content

New Course Q&A | Assembly | Andrew Bellini (DigitalAndrew)

on 09/01/2025

See full content

Supercharge your vulnerability triage: Our investment in your efficiency

by Intigriti on 09/01/2025

As we step into 2025, many of us are setting resolutions to improve, grow, and achieve more. At Intigriti, we're doing the same—but with a twist. Our commitment isn't just about us - it's about you. When you invest in us, we invest in you. This year, we're kicking off a blog series to showcase how we're doubling down on the areas that matter most to our customers. First up: Tr… [...]

See full content

HTTP Parameter Pollution - Bug Bounties Overlooked Opportunities

on 08/01/2025

See full content

GitLab's First Critical SSRF since 2020

on 08/01/2025

See full content

Effective API Throttling for Enhanced API Security

by Raymond Kirk on 08/01/2025

APIs are the backbone of modern digital ecosystems, but their misuse can expose systems to cyber threats. Effective API throttling not only optimizes performance but also acts as a critical defense mechanism against abuse, such as denial-of-service attacks. Discover how this powerful strategy enhances API security and safeguards your organization's data in an interconnected world. What i [...]

See full content

Yet Another OTP code Leaked in the API Response

on 08/01/2025

MTN Group disclosed a bug submitted by tinopreter: https://hackerone.com/reports/2635315 [...]

See full content

SQL injection in URL path leads to Database Access

on 08/01/2025

MTN Group disclosed a bug submitted by tinopreter: https://hackerone.com/reports/2633959 [...]

See full content

OTP code Leaked in API Response

on 08/01/2025

MTN Group disclosed a bug submitted by tinopreter: https://hackerone.com/reports/2633888 [...]

See full content

Denial of Access to Static Resources via Cache Poisoning on addons.allizom.org

on 08/01/2025

Mozilla disclosed a bug submitted by jabiyev: https://hackerone.com/reports/2860983 [...]

See full content

A Day in the Life of a Prolific Voice Phishing Crew

by BrianKrebs on 07/01/2025

Besieged by scammers seeking to phish user accounts over the telephone, Apple and Google frequently caution that they will never reach out unbidden to users this way. However, new details about the internal operations of a prolific voice phishing gang show the group routinely abuses legitimate services at Apple and Google to force a variety of outbound communications to their users, including emai [...]

See full content

How to win competing with hundreds of hunters? feat. doomerhunter #bugbounty #bugbountytips #bugbou

on 07/01/2025

See full content

What The Cheese Is Mutation XSS? mXSS - One Of The Newest Techniques In XSS

on 07/01/2025

See full content

ROI Isn't Cutting It: 6 Questions to Help CISOs Better Quantify Security Investments

by Naz Bozdemir on 07/01/2025

Why ROI is not the most effective method to quantify cybersecurity investments — and how ROM can help. [...]

See full content

Bypass Email Verification on Add Email Monitoring

on 07/01/2025

Mozilla disclosed a bug submitted by dotxml: https://hackerone.com/reports/2387297 [...]

See full content

Microagents to help you bug hunting feat. doomerhunter #bugbounty #bugbountytips #bugbountyhunter

on 07/01/2025

See full content

HackerOne Customer Testimonial: Amazon and AWS

on 06/01/2025

See full content

I was just awarded $100,000 for hacking into Facebook! #bugbounty #hacking #pentest

on 06/01/2025

See full content

How to uncover hidden attack surface feat. doomerhunter #bugbounty #bugbountytips #bugbountyhunter

on 06/01/2025

See full content

Can you get bounties for DoS bugs? feat. doomerhunter #bugbounty #bugbountytips #bugbountyhunter

on 04/01/2025

See full content

Hunting for blind XSS vulnerabilities: A complete guide

by blackbird-eu on 04/01/2025

Cross-site scripting (XSS) vulnerabilities are quite common and fun to find. They also carry great impact when chained with other vulnerabilities. But there's another variant of this vulnerability type that's not as easy or common to find as the other XSS types. Especially with the delayed execution and the hidden injection point, it makes it difficult for most hunters to searc… [...]

See full content

Achieving Your Goals in 2025

on 03/01/2025

See full content

You should spend more time fuzzing feat. doomerhunter #bugbounty #bugbountytips #bugbountyhunter

on 03/01/2025

See full content

A pizza ba….RAT?!??

on 01/01/2025

See full content

Mastering File Layers: Unlocking Payload Secrets

on 01/01/2025

See full content

Spying on Scammers

on 31/12/2024

See full content

Creating a Secure Password Archive: Step-by-Step Guide

on 31/12/2024

See full content

Revolutionary Tool to Combat Session Hijacking Risks

on 31/12/2024

See full content

U.S. Army Soldier Arrested in AT&T, Verizon Extortions

by BrianKrebs on 31/12/2024

Federal authorities have arrested and indicted a 20-year-old U.S. Army soldier on suspicion of being Kiberphant0m, a cybercriminal who has been selling and leaking sensitive customer call records stolen earlier this year from AT&T and Verizon. As first reported by KrebsOnSecurity last month, the accused is a communications specialist who was recently stationed in South Korea. One of several se [...]

See full content

Apache Airflow: Sensitive Information Exposure in DAG Run Logs

on 30/12/2024

Internet Bug Bounty disclosed a bug submitted by saurabhb: https://hackerone.com/reports/2828271 [...]

See full content

Secrets not masked in UI when sensitive variables are set via Airflow cli

on 30/12/2024

Internet Bug Bounty disclosed a bug submitted by saurabhb: https://hackerone.com/reports/2828263 [...]

See full content

Uncovering GNU vs. BusyBox TAR: The Hidden Tricks

on 30/12/2024

See full content

Unlocking Your Browser: Secure Your Saved Passwords Today

on 30/12/2024

See full content

Happy 15th Anniversary, KrebsOnSecurity!

by BrianKrebs on 29/12/2024

Image: Shutterstock, Dreamansions. KrebsOnSecurity.com turns 15 years old today! Maybe it’s indelicate to celebrate the birthday of a cybercrime blog that mostly publishes bad news, but happily many of 2024’s most engrossing security stories were about bad things happening to bad guys. It’s also an occasion to note that despite my publishing fewer stories than ever this past year [...]

See full content

Understanding Docker Changes: OCI Format Explained

on 29/12/2024

See full content

Lack of URL Validation in avatarUrl at /v4/profile

on 28/12/2024

Truecaller disclosed a bug submitted by marcotuliocnd: https://hackerone.com/reports/2493860 - Bounty: $500 [...]

See full content

[oem.acronis.com] Reflected Cross Site Scripting

on 28/12/2024

Acronis disclosed a bug submitted by darkdream: https://hackerone.com/reports/2038943 - Bounty: $100 [...]

See full content

Cookie Jar Overflows Explained

on 27/12/2024

See full content

A potential risk in the aws-lambda-ecs-run-task which can be used for privilege escalation.

on 27/12/2024

AWS VDP disclosed a bug submitted by zolaer9527: https://hackerone.com/reports/2894222 [...]

See full content

This one-of-a-kind Kanguru flash drive has a hardware read-only switch

on 27/12/2024

See full content

Hackers Attack Curl Vulnerability Accessing Sensitive Information

on 27/12/2024

curl disclosed a bug submitted by scottarterbury: https://hackerone.com/reports/2912277 [...]

See full content

DOM Based Reflected Cross Site Scripting

on 25/12/2024

MTN Group disclosed a bug submitted by nhx1: https://hackerone.com/reports/2321874 [...]

See full content

Sources

The content of this page is fetched from the following sources:

  1. Datadog Security Labs
  2. Trail of Bits Blog
  3. Phylum Research | Software Supply Chain Security
  4. Schneier on Security
  5. Krebs on Security
  6. Google Online Security Blog
  7. $BLOG_TITLE
  8. Agarri : Sécurité informatique offensive
  9. Alex Chapman's Blog
  10. www.alphabot.com
  11. victoria.dev
  12. Brett Buerhaus
  13. Bug Bounty Reports Explained
  14. Bugcrowd
  15. cat ~/footstep.ninja/blog.txt
  16. Ezequiel Pereira
  17. HackerOne
  18. HackerOne
  19. surajdisoja.me
  20. InsiderPhD
  21. Intigriti
  22. John Hammond
  23. LiveOverflow
  24. NahamSec
  25. PortSwigger Blog
  26. Rana Khalil
  27. Richard's Infosec blog
  28. Ron Chan
  29. ropnop blog
  30. STÖK
  31. Sun Knudsen
  32. The Cyber Mentor
  33. The unofficial HackerOne disclosure timeline
  34. The XSS rat
  35. TomNomNom
  36. Wallarm