InfoSec Planet

A collection of diverse security content from a curated list of sources. This website also serves as a demo for "worker-planet", the software that powers it.

Squid Dominated the Oceans in the Late Cretaceous

on 11/07/2025

New research: One reason the early years of squids have been such a mystery is that squids’ lack of hard shells made their fossils hard to come by. Undeterred, the team instead focused on finding ancient squid beaks—hard mouthparts with high fossilization potential that could help the team figure out how squids evolved. With that in mind, the team developed an advanced fossil discove [...]

Tradecraft in the Information Age

on 11/07/2025

Long article on the difficulty (impossibility?) of human spying in the age of ubiquitous digital surveillance. [...]

How to Study for Cybersecurity (Even When You're Busy!)

on 11/07/2025

how hackers avoid getting caught

on 11/07/2025

Default Minimum TLS Version Set to TLS v1.0 (Cryptographic Weakness)

on 10/07/2025

curl disclosed a bug submitted by monkey_dee: https://hackerone.com/reports/3246519 [...]

BBGMA - Full Bug Bounty Guide - P1 - Explorations and enum

on 10/07/2025

Build a Bjorn in 3 Minutes!

on 10/07/2025

UK Arrests Four in ‘Scattered Spider’ Ransom Group

by BrianKrebs on 10/07/2025

Authorities in the United Kingdom this week arrested four people aged 17 to 20 in connection with recent data theft and extortion attacks against the retailers Marks & Spencer and Harrods, and the British food retailer Co-op Group. The breaches have been linked to a prolific but loosely-affiliated cybercrime group dubbed “Scattered Spider,” whose other recent victims include multip [...]

Using Signal Groups for Activism

on 10/07/2025

Good tutorial by Micah Lee. It includes some nonobvious use cases. [...]

Understanding the NCSC’s New API Security Guidance

by Tim Erlin on 10/07/2025

Legislative, regulatory, and advisory bodies the world over are waking up to the importance of API security. Most recently, the UK’s National Cyber Security Centre (NCSC) has published detailed guidance on best practices for building and maintaining secure APIs. In this blog, we’ll break down that guidance and explore how Wallarm’s platform can help you align with each one. Inside the NC [...]

Preventing the growing costs of repeat and duplicate bug bounty submissions

by Eleanor Barlow on 10/07/2025

What are duplicate submissions? Within the bug bounty industry, duplicate submissions refer to when two or more researchers report the same issue or vulnerability. When a researcher, who works with a bug bounty platform, identifies a vulnerability, they submit a report to the platform, such as Intigriti, where it is reviewed. If the issue has already been reported, then it is m… [...]

CVE-2025-48384: Git vulnerable to arbitrary file write on non-Windows systems

on 10/07/2025

Learn more about the emerging vulnerability affecting Git. [...]

LIVE: Web Hacking | Pentesting | AppSec | Cybersecurity | TryHackme | AMA

on 09/07/2025

Use-After-Free in OpenSSL Keylog Callback via SSL_get_ex_data() in libcurl

on 09/07/2025

curl disclosed a bug submitted by brobagazzzx: https://hackerone.com/reports/3242005 [...]

Yet Another Strava Privacy Leak

on 09/07/2025

This time it’s the Swedish prime minister’s bodyguards. (Last year, it was the US Secret Service and Emmanuel Macron’s bodyguards. In 2018, it was secret US military bases.) This is ridiculous. Why do people continue to make their data public? [...]

Arbitrary File Read via file:// Protocol in cURL

on 09/07/2025

curl disclosed a bug submitted by mr_tufan: https://hackerone.com/reports/3242087 [...]

Microsoft Patch Tuesday, July 2025 Edition

by BrianKrebs on 09/07/2025

Microsoft today released updates to fix at least 137 security vulnerabilities in its Windows operating systems and supported software. None of the weaknesses addressed this month are known to be actively exploited, but 14 of the flaws earned Microsoft’s most-dire “critical” rating, meaning they could be exploited to seize control over vulnerable Windows PCs with little or no help [...]

Chain Vulnerability lead to Full Control Group Live Accounts & Undeletable Creator

on 08/07/2025

TikTok disclosed a bug submitted by eneri: https://hackerone.com/reports/3027478 [...]

ReDoS in IPAddr

on 08/07/2025

Ruby disclosed a bug submitted by ooooooo_q: https://hackerone.com/reports/1485717 [...]

ReDoS in Psych

on 08/07/2025

Ruby disclosed a bug submitted by ooooooo_q: https://hackerone.com/reports/1487889 [...]

Learn Google Dorking!

on 08/07/2025

access notes without permission

on 08/07/2025

curl disclosed a bug submitted by haydradz: https://hackerone.com/reports/3241304 [...]

Disclosure of email addresses

on 08/07/2025

curl disclosed a bug submitted by haydradz: https://hackerone.com/reports/3241308 [...]

Clear Authentication Deficiencies & Potential for Man-in-the-Middle Attacks

on 08/07/2025

Sony disclosed a bug submitted by trapedev: https://hackerone.com/reports/2642615 [...]

Advancing Protection in Chrome on Android

on 08/07/2025

Posted by David Adrian, Javier Castro & Peter Kotwicz, Chrome Security Team. Android recently announced Advanced Protection, which extends Google’s Advanced Protection Program to a device-level security setting for Android users that need heightened security—such as journalists, elected officials, and public figures. Advanced Protection gives you the ability to activate Google’s strongest sec [...]

Information disclosure identified on IBM endpoint.

on 08/07/2025

IBM disclosed a bug submitted by devire: https://hackerone.com/reports/2402842 [...]

CSRF at Network feature

on 08/07/2025

Lichess disclosed a bug submitted by psfauzi: https://hackerone.com/reports/3230359 [...]

Are CTFs Actually Good for Learning Cybersecurity Skills?

on 08/07/2025

Inside the AI Threat Landscape: From Jailbreaks to Prompt Injections and Agentic AI Risks

by Tim Erlin on 08/07/2025

AI has officially moved out of the novelty phase. What began with people messing around with LLM-powered GenAI tools for content creation has rapidly evolved into a complex web of agentic AI systems that form a critical part of the modern corporate landscape. However, this transformation has given new life to old threats, transforming the API security landscape all over again. I recently sat [...]

Investigate your dependencies with Deptective

on 08/07/2025

Deptective, our new open-source tool, automatically finds the packages needed to install software dependencies. It does so not based on the software’s self-reported requirements, but by observing what the software needs at runtime. [...]

PortSwigger at Black Hat & DEF CON 33

on 08/07/2025

Las Vegas. August. Protocols are getting torn apart. This summer, PortSwigger returns to Black Hat USA and DEF CON 33 with a host of new talks, events and ways to meet PortSwigger and the teams be [...]

Hiding Prompt Injections in Academic Papers

on 07/07/2025

Academic papers were found to contain hidden instructions to LLMs: It discovered such prompts in 17 articles, whose lead authors are affiliated with 14 institutions including Japan’s Waseda University, South Korea’s KAIST, China’s Peking University and the National University of Singapore, as well as the University of Washington and Columbia University in the U.S. Most of the pap [...]

curl --continue-at confusion

on 07/07/2025

curl disclosed a bug submitted by nyymi: https://hackerone.com/reports/2859735 [...]

Information Disclosure at : https://curl.se/.mailmap

on 07/07/2025

curl disclosed a bug submitted by haithamzakaria: https://hackerone.com/reports/2853023 [...]

information disclosure

on 07/07/2025

curl disclosed a bug submitted by rono_07: https://hackerone.com/reports/2841436 [...]

netrc crlf injection

on 07/07/2025

curl disclosed a bug submitted by nyymi: https://hackerone.com/reports/2831558 [...]

curl mishandles `%0c%0b` sequences in HTTP responses leading to CRLF confusions, Headers and Cookies Injection

on 07/07/2025

curl disclosed a bug submitted by mdakh404: https://hackerone.com/reports/2861797 [...]

Arbitrary File Deletion Vulnerability in curl Source Code via os.unlink()

on 07/07/2025

curl disclosed a bug submitted by aadityaathehacker: https://hackerone.com/reports/2864414 [...]

-H with space prefix leads to previous header injection when used with --proxy

on 07/07/2025

curl disclosed a bug submitted by spongebhav: https://hackerone.com/reports/2864859 [...]

OS Command Injection (subprocess Module Usage)

on 07/07/2025

curl disclosed a bug submitted by bulter: https://hackerone.com/reports/2904921 [...]

Git repository found

on 07/07/2025

curl disclosed a bug submitted by tefa_: https://hackerone.com/reports/2915426 [...]

Integer Overflow Risk in HTTP/2 Proxy Window Size Calculations

on 07/07/2025

curl disclosed a bug submitted by extramayoextracheeseextrafries: https://hackerone.com/reports/3238249 [...]

[MK8DX] Improper ranking/replay file parsing

on 06/07/2025

Nintendo disclosed a bug submitted by crazy_man123: https://hackerone.com/reports/1813453 [...]

TLS Cipher Misconfiguration in HTTP/3/QUIC Support

on 06/07/2025

curl disclosed a bug submitted by zzq1015: https://hackerone.com/reports/2981303 [...]

Reverse Engineering Anti-Debugging Techniques (with Nathan Baggs!)

on 05/07/2025

Friday Squid Blogging: How Squid Skin Distorts Light

on 04/07/2025

New research. As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered. Blog moderation policy. [...]

Build a Structured Threat Hunting Methodology

on 04/07/2025

CRLF injection in libcurl's SMTP client via --mail-from and --mail-rcpt allows SMTP command smuggling

on 03/07/2025

curl disclosed a bug submitted by skrcprst: https://hackerone.com/reports/3235428 [...]

HackerOne Leading AI Agent ... Should We Be Worried?

on 03/07/2025

Inside Axis’s Approach to Cybersecurity with Bugcrowd

on 03/07/2025

Big Tech’s Mixed Response to U.S. Treasury Sanctions

by BrianKrebs on 03/07/2025

In May 2025, the U.S. government sanctioned a Chinese national for operating a cloud provider linked to the majority of virtual currency investment scam websites reported to the FBI. But a new report finds the accused continues to operate a slew of established accounts at American tech companies — including Facebook, Github, PayPal and Twitter/X. On May 29, the U.S. Department of the Treasur [...]

MozillaVPN: Elevation of Privilege via a Logic Vulnerability

on 03/07/2025

Mozilla disclosed a bug submitted by northsea: https://hackerone.com/reports/2686750 [...]

MozillaVPN: Elevation of Privilege via a Race Condition Vulnerability

on 03/07/2025

Mozilla disclosed a bug submitted by northsea: https://hackerone.com/reports/2261577 [...]

Surveillance Used by a Drug Cartel

on 03/07/2025

Once you build a surveillance system, you can’t control who will use it: A hacker working for the Sinaloa drug cartel was able to obtain an FBI official’s phone records and use Mexico City’s surveillance cameras to help track and kill the agency’s informants in 2018, according to a new US justice department report. The incident was disclosed in a justice department inspector general’s audit [...]

Subdomain takeover on live.firefox.com

on 03/07/2025

Mozilla disclosed a bug submitted by martinvw: https://hackerone.com/reports/2899858 - Bounty: $500 [...]

What CISA’s BOD 25-01 Means for API Security and How Wallarm Can Help

by Tim Erlin on 03/07/2025

The US government has taken another significant step towards strengthening cloud security with the release of CISA’s Binding Operational Directive (BOD) 25-01. Aimed at improving the security posture of federal cloud environments, BOD 25-01 mandates robust configuration, visibility, and control across cloud-based services. While the directive doesn’t explicitly name API security, securing mo [...]

curl doesn't hide credentials in /proc/XXX/cmdline provided via CLI arguments

on 03/07/2025

curl disclosed a bug submitted by stogusho: https://hackerone.com/reports/3000639 [...]

Elevation of Privileges (EoP) vulnerabilities related to the some easy_options on Windows

on 03/07/2025

curl disclosed a bug submitted by justlikebono_official: https://hackerone.com/reports/2941920 [...]

Authorization Header Leak via --location-trusted in Curl

on 03/07/2025

curl disclosed a bug submitted by voggerloops: https://hackerone.com/reports/2946924 [...]

LIVE: Memory Forensics | Cybersecurity | Blue Team

on 03/07/2025

this malware hides a payload in a WALLPAPER

on 02/07/2025

Ubuntu Disables Spectre/Meltdown Protections

on 02/07/2025

A whole class of speculative execution attacks against CPUs were published in 2018. They seemed pretty catastrophic at the time. But the fixes were as well. Speculative execution was a way to speed up CPUs, and removing those enhancements resulted in significant performance drops. Now, people are rethinking the trade-off. Ubuntu has disabled some protections, resulting in a 20% performance boost. A [...]

Buckle up, Buttercup, AIxCC’s scored round is underway!

on 02/07/2025

Our CRS (Cyber Reasoning System), Buttercup, is now competing in the one and only scored round of DARPA’s AI Cyber Challenge (AIxCC) against six other teams to see which autonomous AI-driven system can find and patch the most software vulnerabilities. [...]

The One Thing Vulnerability Scanners Can't Do!

on 01/07/2025

Memory leak of ftp (with proxy reuse)

on 01/07/2025

curl disclosed a bug submitted by catenacyber: https://hackerone.com/reports/3023139 [...]

HTTP Proxy Bypass via `CURLOPT_CUSTOMREQUEST` Verb Tunneling

on 01/07/2025

curl disclosed a bug submitted by alphox: https://hackerone.com/reports/3231321 [...]

Speculative Execution Side-Channel in `curl`

on 01/07/2025

curl disclosed a bug submitted by evilginx1: https://hackerone.com/reports/3124490 [...]

arbitrary file read via `file://` path traversal with `--path-as-is`

on 01/07/2025

curl disclosed a bug submitted by demsese: https://hackerone.com/reports/3226502 [...]

Heap buffer overflow vulnerability in conncache.c: incorrect use of pointer arrays resulting in out-of-bounds memory writes.

on 01/07/2025

curl disclosed a bug submitted by freak_coding: https://hackerone.com/reports/3156384 [...]

curl -OJ allows creating custom .curlrc file which allows exfiltrating private data, among other things

on 01/07/2025

curl disclosed a bug submitted by wolfsage: https://hackerone.com/reports/3135673 [...]

curl_easy_header runs at O(N) or worse and can be abused to use minute(s) of CPU time

on 01/07/2025

curl disclosed a bug submitted by wolfsage: https://hackerone.com/reports/3133253 [...]

hackers trick everyone to run malware (FileFix)

on 01/07/2025

Iranian Blackout Affected Misinformation Campaigns

on 01/07/2025

Dozens of accounts on X that promoted Scottish independence went dark during an internet blackout in Iran. Well, that’s one way to identify fake accounts and misinformation campaigns. [...]

[High] MITM via Insecure CA Path Handling in cURL (--capath, CURLOPT_CAPATH) (CWE-494: Download of Code Without Integrity Check)

on 30/06/2025

curl disclosed a bug submitted by oicus: https://hackerone.com/reports/3120969 [...]

[High] Arbitrary File Write via Path Traversal in cURL CLI (`-o`, `--output`) (CWE-22: Improper Limitation of a Pathname to a Restricted Directory)

on 30/06/2025

curl disclosed a bug submitted by oicus: https://hackerone.com/reports/3120987 [...]

Potential XSS vector in curl via unsanitized URL parameter handling

on 30/06/2025

curl disclosed a bug submitted by redfoxsec: https://hackerone.com/reports/3118915 [...]

Double free caused by mqtt_doing()

on 30/06/2025

curl disclosed a bug submitted by tdp3kel9g: https://hackerone.com/reports/3045390 [...]

Buffer Overflow in curl's Rustls Backend

on 30/06/2025

curl disclosed a bug submitted by cyberguardianrd: https://hackerone.com/reports/3037583 [...]

Stack-based Buffer Overflow in TELNET NEW_ENV Option Handling

on 30/06/2025

curl disclosed a bug submitted by agent_0: https://hackerone.com/reports/3230082 [...]

Senator Chides FBI for Weak Advice on Mobile Security

by BrianKrebs on 30/06/2025

Agents with the Federal Bureau of Investigation (FBI) briefed Capitol Hill staff recently on hardening the security of their mobile devices, after a contacts list stolen from the personal phone of the White House Chief of Staff Susie Wiles was reportedly used to fuel a series of text messages and phone calls impersonating her to U.S. lawmakers. But in a letter this week to the FBI, one of the Sena [...]

RXSS AT https://proze.yelp.com/tmsubscribe.net/vidsn.aspx

on 30/06/2025

Yelp disclosed a bug submitted by 0xold: https://hackerone.com/reports/2947762 [...]

Making transfer v2 channel unupgradable through the forwarding

on 30/06/2025

Cosmos disclosed a bug submitted by unknown_feature: https://hackerone.com/reports/2914705 [...]

Replacing ICA active channel during the upgrade and a bit more

on 30/06/2025

Cosmos disclosed a bug submitted by unknown_feature: https://hackerone.com/reports/2917368 [...]

Unlock underage blocked app without support interaction using airplane mode

on 30/06/2025

Tools for Humanity disclosed a bug submitted by polem4rch: https://hackerone.com/reports/3136790 - Bounty: $300 [...]

How Cybersecurity Fears Affect Confidence in Voting Systems

on 30/06/2025

American democracy runs on trust, and that trust is cracking. Nearly half of Americans, both Democrats and Republicans, question whether elections are conducted fairly. Some voters accept election results only when their side wins. The problem isn’t just political polarization—it’s a creeping erosion of trust in the machinery of democracy itself. Commentators blame ideological tr [...]

GraphQL CSRF via the HEAD method #bugbounty #bugbountytips #bugbountyhunter

on 30/06/2025

Heap Buffer Overflow in libcurl curl_slist_append via Unterminated String

on 30/06/2025

curl disclosed a bug submitted by geeknik: https://hackerone.com/reports/3229490 [...]

Memory leak from doh_write_cb

on 29/06/2025

curl disclosed a bug submitted by catenacyber: https://hackerone.com/reports/3089595 [...]

Unauthorized coins transfer from locking account(s)

on 29/06/2025

Cosmos disclosed a bug submitted by unknown_feature: https://hackerone.com/reports/2976481 [...]

Exploiting Log4Shell (Log4J) in 2025

by blackbird-eu on 29/06/2025

It's been a few years since Log4Shell, an injection attack in the Log4J Apache logging software, struck thousands of companies around the world. And despite all the efforts organisations took to patch this critical flaw in their systems, some web services running in 2025 are still vulnerable to Log4Shell, often due to legacy systems still relying on vulnerable versions, (hidden… [...]

CNWPP - This Is Why You Suck At Pentesting

on 28/06/2025

HTTP/2 CONTINUATION Flood Vulnerability

on 28/06/2025

curl disclosed a bug submitted by evilginx1: https://hackerone.com/reports/3125820 [...]

Path Traversal Vulnerability in curl via Unsanitized IPFS_PATH Environment Variable

on 28/06/2025

curl disclosed a bug submitted by ziad616: https://hackerone.com/reports/3100073 [...]

Buffer Overflow in curl MQTT Test Server (tests/server/mqttd.c) via Malicious CONNECT Packet

on 28/06/2025

curl disclosed a bug submitted by deep-hackerone: https://hackerone.com/reports/3101127 [...]

Free of uninitialized pointer in doh_decode_rdata_name()

on 28/06/2025

curl disclosed a bug submitted by tdp3kel9g: https://hackerone.com/reports/3037326 [...]

Improper Restriction of Authentication Attempts in cURL

on 28/06/2025

curl disclosed a bug submitted by irfanmughal1122: https://hackerone.com/reports/3030158 [...]

Stack Buffer Overflow in curl's OpenSSL Provider Handling

on 28/06/2025

curl disclosed a bug submitted by oblivionsage: https://hackerone.com/reports/3153971 [...]

OS Command Injection in scripts/firefox-db2pem.sh via untrusted certificate nicknames

on 28/06/2025

curl disclosed a bug submitted by behindtheblackwall: https://hackerone.com/reports/3225565 [...]

10/10 GraphQL SQL injection bug #bugbounty #bugbountytips #bugbountyhunter

on 28/06/2025

Unauthorized Access to Private Video Description via Translation API for Private Accounts

on 27/06/2025

TikTok disclosed a bug submitted by z3phyrus: https://hackerone.com/reports/2921830 [...]

Sources

The content of this page is fetched from the following sources:

  1. Datadog Security Labs
  2. The Trail of Bits Blog
  3. Phylum Research | Software Supply Chain Security
  4. Schneier on Security
  5. Krebs on Security
  6. Google Online Security Blog
  7. $BLOG_TITLE
  8. Agarri : Sécurité informatique offensive
  9. Alex Chapman's Blog
  10. www.alphabot.com
  11. ziot
  12. Bug Bounty Reports Explained
  13. Bugcrowd
  14. cat ~/footstep.ninja/blog.txt
  15. Ezequiel Pereira
  16. HackerOne
  17. surajdisoja.me
  18. InsiderPhD
  19. Intigriti
  20. John Hammond
  21. LiveOverflow
  22. NahamSec
  23. PortSwigger Blog
  24. Rana Khalil
  25. Richard’s Infosec blog
  26. Ron Chan
  27. ropnop blog
  28. STÖK
  29. Sun Knudsen
  30. The Cyber Mentor
  31. The unofficial HackerOne disclosure timeline
  32. HackerRats (XSS Rat)
  33. TomNomNom
  34. Wallarm