InfoSec Planet

A collection of diverse security content from a curated list of sources. This website also serves as a demo for "worker-planet", the software that powers it.

Cybersecurity Q&A with Heath Adams

on 11/12/2024

Top Tool Capabilities to Prevent AI-Powered Attacks

by Raymond Kirk on 11/12/2024

Recent advances in AI technologies have granted organizations and individuals alike unprecedented productivity, efficiency, and operational benefits. AI is, without question, the single most exciting emerging technology in the world. However, it also brings enormous risks. While the dystopian, AI-ruled worlds of sci-fi films are a long way off, AI is helping cyber threat actors launch attacks at [...]

Auditing the Ruby ecosystem’s central package repository

by Trail of Bits on 11/12/2024

Ruby Central hired Trail of Bits to complete a security assessment and a competitive analysis of RubyGems.org, the official package management system for Ruby applications. With over 184+ billion downloads to date, RubyGems.org is critical infrastructure for the Ruby language ecosystem. This is a joint post with the Ruby Central team; read their announcement here! The full report, which includes a [...]

Jailbreaking LLM-Controlled Robots

on 11/12/2024

Surprising no one, it’s easy to trick an LLM-controlled robot into ignoring its safety instructions. [...]

Mastering Token Access: Uncovering Microsoft Graph API Secrets

on 11/12/2024

netrc + redirect credential leak

on 11/12/2024

curl disclosed a bug submitted by nyymi: https://hackerone.com/reports/2829063 [...]

Unlocking Docker Inside Docker: The DIND Revolution

on 11/12/2024

Learn Cryptography!

on 11/12/2024

Patch Tuesday, December 2024 Edition

by BrianKrebs on 11/12/2024

Microsoft today released updates to plug at least 70 security holes in Windows and Windows software, including one vulnerability that is already being exploited in active attacks. The zero-day seeing exploitation involves CVE-2024-49138, a security weakness in the Windows Common Log File System (CLFS) driver — used by applications to write transaction logs — that could let an authenti [...]

Introducing the Wells Fargo Public Bug Bounty Program

by HackerOne on 10/12/2024

Wells Fargo announces its public bug bounty program after several years of engaging the HackerOne community. [...]

Six Years of Proactive Defense: Deribit’s Journey with HackerOne

by HackerOne on 10/12/2024

Learn how Deribit uses its HackerOne bug bounty program for its proactive security strategy. [...]

Google Cloud expands vulnerability detection for Artifact Registry using OSV

on 10/12/2024

Posted by Greg Mucci, Product Manager, Artifact Analysis, Oliver Chang, Senior Staff Engineering, OSV, and Charl de Nysschen, Product Manager, OSV. DevOps teams dedicated to securing their supply chain and predicting potential risks consistently face novel threats. Fortunately, they can now improve their image and container security by harnessing Google-grade vulnerability scanning, which offers expa [...]

Full-Face Masks to Frustrate Identification

on 10/12/2024

This is going to be interesting. It’s a video of someone trying on a variety of printed full-face masks. They won’t fool anyone for long, but will survive casual scrutiny. And they’re cheap and easy to swap. [...]

Social Engineering: Accessing Microsoft Graph API Secrets

on 10/12/2024

Mastering Docker: Build Your Own Authentication & Registry Service

on 10/12/2024

New Guidance for Federal AI Procurement Embraces Red Teaming and Other HackerOne Suggestions

by Michael Woolslayer on 09/12/2024

The U.S. government has embraced HackerOne's recommendations for the new federal AI procurements guidance. [...]

How To Pick A Bug Bounty Target And Platform - Tips And Tricks

on 09/12/2024

Render content from untrusted sources via web_preview endpoint on Acronis Cloud

on 09/12/2024

Acronis disclosed a bug submitted by mr-medi: https://hackerone.com/reports/1848118 - Bounty: $200 [...]

35 more Semgrep rules: infrastructure, supply chain, and Ruby

by Trail of Bits on 09/12/2024

By Matt Schwager and Travis Peters. We are publishing another set of custom Semgrep rules, bringing our total number of public rules to 115. This blog post will briefly cover the new rules, then explore two Semgrep features in depth: regex mode (especially how it compares against generic mode), and HCL language support for technologies such as Terraform and Nomad. With these features, we can search [...]

Understanding ⛔️403 Bypasses⛔️ (With Examples)

on 09/12/2024

Trust Issues in AI

on 09/12/2024

For a technology that seems startling in its modernity, AI sure has a long history. Google Translate, OpenAI chatbots, and Meta AI image generators are built on decades of advancements in linguistics, signal processing, statistics, and other fields going back to the early days of computing—and, often, on seed funding from the U.S. Department of Defense. But today’s tools are hardly the [...]

Clone Security Groups: Unveiling Rogue User Risks

on 09/12/2024

Unlocking the Secrets of Docker: A Creative Journey

on 09/12/2024

Buffer Overflow Risk in Curl_inet_ntop and inet_ntop4

on 08/12/2024

curl disclosed a bug submitted by napol-webug: https://hackerone.com/reports/2887487 [...]

RCE on worker host due to unsanitized "env" variable name in task definition on community-tc.services.mozilla.com

on 08/12/2024

Mozilla disclosed a bug submitted by ebrietas: https://hackerone.com/reports/2221404 [...]

Unlocking Our Backdoor Account: Dynamic Admin Setup Made Easy

on 08/12/2024

Unlocking Service User Secrets: Bypassing Authentication Flaws

on 08/12/2024

Unlocking Guest Invites: Secrets of EntraID

on 07/12/2024

Master Docker Images with Scopio: Simplify Your Workflow

on 07/12/2024

CVE-2024-45498: Apache Airflow Command injection in read_dataset_event_from_classic DAG

on 07/12/2024

Internet Bug Bounty disclosed a bug submitted by nhienit2010: https://hackerone.com/reports/2705661 [...]

Broken authentication: 7 Advanced ways of bypassing insecure 2-FA implementations

by novasecio on 07/12/2024

Two-factor authentication (2FA) has become the go-to solution for strengthening account security. More and more companies are deploying 2FA implementations, and some even enforce them on their users to keep them secure against unauthorized access. But what if 2FA wasn't correctly implemented? In this article, we are exploring 7 ways of bypassing 2FA implementations, including s… [...]

Hack My Career: Saskia Braucher

by Marina Briones on 06/12/2024

Friday Squid Blogging: Safe Quick Undercarriage Immobilization Device

on 06/12/2024

Fifteen years ago I blogged about a different SQUID. Here’s an update: Fleeing drivers are a common problem for law enforcement. They just won’t stop unless persuaded—persuaded by bullets, barriers, spikes, or snares. Each option is risky business. Shooting up a fugitive’s car is one possibility. But what if children or hostages are in it? Lay down barriers, and the driver might swerv [...]

Getting to Know GraphQL

on 06/12/2024

Detecting Pegasus Infections

on 06/12/2024

This tool seems to do a pretty good job. The company’s Mobile Threat Hunting feature uses a combination of malware signature-based detection, heuristics, and machine learning to look for anomalies in iOS and Android device activity or telltale signs of spyware infection. For paying iVerify customers, the tool regularly checks devices for potential compromise. But the company also offers a fr [...]

[ addons-preview-cdn.mozilla.net ] A subdomain takeover is available via unregistered domain in Fastly

on 06/12/2024

Mozilla disclosed a bug submitted by haveaniceday: https://hackerone.com/reports/2706358 [...]

Effortlessly Invite Guests with Graphrunner's Commandlet

on 06/12/2024

Inside the Registry Challenge: CTF Zone Finals 2024

on 06/12/2024

Linux Challenges for Holiday Hacking

on 06/12/2024

Introducing Supply-Chain Firewall: Protecting Developers from Malicious Open Source Packages

on 06/12/2024

Release of Supply-Chain Firewall, an open source tool for preventing the installation of malicious PyPI and npm packages [...]

Harnessing the Working Genius for Team Success

by debbie@hackerone.com on 05/12/2024

Announcing the launch of Vanir: Open-source Security Patch Validation

on 05/12/2024

Posted by Hyunkwook Baek, Duy Truong, Justin Dunlap and Lauren Stan from Android Security and Privacy, and Oliver Chang with the Google Open Source Security Team. Today, we are announcing the availability of Vanir, a new open-source security patch validation tool. Introduced at Android Bootcamp in April, Vanir gives Android platform developers the power to quickly and efficiently scan their custom p [...]

Capture the Flag! Command Injection by Docker Layers

on 05/12/2024

IP restriction bypass via X-Forwarded-For header

on 05/12/2024

Acronis disclosed a bug submitted by mrityu: https://hackerone.com/reports/1224089 - Bounty: $250 [...]

The cyber threat landscape part 5: Staying safe with multi-layered defense

by Intigriti on 05/12/2024

Before diving into security controls or implementing bug bounty programs, first establish a strong foundation in risk management and define your risk acceptance criteria. Defending your assets requires identifying and mapping each asset to the specific types and levels of threats that could impact them. Security cannot be approached reactively - securing assets is a strategi… [...]

U.S. Offered $10M for Hacker Just Arrested by Russia

by BrianKrebs on 04/12/2024

In January 2022, KrebsOnSecurity identified a Russian man named Mikhail Matveev as “Wazawaka,” a cybercriminal who was deeply involved in the formation and operation of multiple ransomware groups. The U.S. government indicted Matveev as a top ransomware purveyor a year later, offering $10 million for information leading to his arrest. Last week, the Russian government reportedly arrest [...]

Protecting Against Bot-Enabled API Abuse

by Nikolay Tkachenko on 04/12/2024

APIs have become the backbone of modern digital ecosystems, powering everything from mobile apps to e-commerce platforms. However, as APIs grow in importance, they also become prime targets for malicious actors. Increasingly, bots are being weaponized to exploit vulnerabilities, overwhelm systems, and siphon sensitive data—all without triggering alarms until it’s too late. The rise in bot-driv [...]

AI and the 2024 Elections

on 04/12/2024

It’s been the biggest year for elections in human history: 2024 is a “super-cycle” year in which 3.7 billion eligible voters in 72 countries had the chance to go the polls. These are also the first AI elections, where many feared that deepfakes and artificial intelligence-generated misinformation would overwhelm the democratic processes. As 2024 draws to a close, it’s instr [...]

#guineapig 🐹

on 03/12/2024

Invisible Salamanders Attack against end_to_end_encryption in Nextcloud

on 03/12/2024

Nextcloud disclosed a bug submitted by pseudo-llrktbeyk: https://hackerone.com/reports/2497947 [...]

Hai’s Latest Evolution: Intelligence, Context, and More Intuitive UX

by Martijn Russchen on 03/12/2024

Hai, HackerOne's AI copilot has 3 new capabilities: Hai analytics, contextual conversations, and an enhanced user experience. [...]

Why You MUST Audit Open Source Tools Before Use

on 03/12/2024

#toverland winter feelings

on 03/12/2024

Why Phishers Love New TLDs Like .shop, .top and .xyz

by BrianKrebs on 03/12/2024

Phishing attacks increased nearly 40 percent in the year ending August 2024, with much of that growth concentrated at a small number of new generic top-level domains (gTLDs) — such as .shop, .top, .xyz — that attract scammers with rock-bottom prices and no meaningful registration requirements, new research finds. Meanwhile, the nonprofit entity that oversees the domain name industry is [...]

Algorithms Are Coming for Democracy—but It’s Not All Bad

on 03/12/2024

In 2025, AI is poised to change every aspect of democratic politics—but it won’t necessarily be for the worse. India’s prime minister, Narendra Modi, has used AI to translate his speeches for his multilingual electorate in real time, demonstrating how AI can help diverse democracies to be more inclusive. AI avatars were used by presidential candidates in South Korea in electionee [...]

5 Questions to Assess Your Organization’s Bug Bounty Readiness

by Josh Jacobson on 02/12/2024

Is your organization ready for a bug bounty program? These 5 questions will help assess your security program's bug bounty readiness. [...]

How To Write A Pentest Report That Gets Your Findings Fixed

on 02/12/2024

open redirected by host header

on 02/12/2024

Localize disclosed a bug submitted by black_world: https://hackerone.com/reports/2828499 [...]

Details about the iOS Inactivity Reboot Feature

on 02/12/2024

I recently wrote about the new iOS feature that forces an iPhone to reboot after it’s been inactive for a longish period of time. Here are the technical details, discovered through reverse engineering. The feature triggers after seventy-two hours of inactivity, even if it remains connected to Wi-Fi. [...]

Buffer Overflow Vulnerability in strcpy() Leading to Remote Code Execution

on 02/12/2024

curl disclosed a bug submitted by tix01: https://hackerone.com/reports/2871792 [...]

#rat #rats 🐀 ding dong

on 01/12/2024

The Mother Of All BAC Exploits - FULL

on 01/12/2024

Can You Hack a Car With a Flipper Zero?

on 30/11/2024

CVE-2024-41990: Potential denial-of-service in django.utils.html.urlize()

on 30/11/2024

Internet Bug Bounty disclosed a bug submitted by mprogrammer: https://hackerone.com/reports/2795558 - Bounty: $2162 [...]

CVE-2024-49761: ReDoS vulnerability in REXML

on 30/11/2024

Internet Bug Bounty disclosed a bug submitted by manun: https://hackerone.com/reports/2807139 [...]

Broken authentication: A complete guide to exploiting advanced authentication vulnerabilities

by novasecio on 30/11/2024

Authentication vulnerabilities are fun to find as they are impactful by nature and often grant unauthorized users access to various resources with elevated privileges. Even though they are harder to spot, placed just at the 7th position on the OWASP Top 10 list, they still form a significant risk and are of course worth testing for. In this article, we will be covering what aut… [...]

Friday Squid Blogging: Squid-Inspired Needle Technology

on 29/11/2024

Interesting research: Using jet propulsion inspired by squid, researchers demonstrate a microjet system that delivers medications directly into tissues, matching the effectiveness of traditional needles. Blog moderation policy. [...]

Staying Focused in Cybersecurity

on 29/11/2024

Race Condition Attacks against LLMs

on 29/11/2024

These are two attacks against the system components surrounding LLMs: We propose that LLM Flowbreaking, following jailbreaking and prompt injection, joins as the third on the growing list of LLM attack types. Flowbreaking is less about whether prompt or response guardrails can be bypassed, and more about whether user inputs and generated model outputs can adversely affect these other components in [...]

[CVE-2024-47888] Possible ReDoS vulnerability in plain_text_for_blockquote_node in Action Text

on 28/11/2024

Internet Bug Bounty disclosed a bug submitted by ooooooo_q: https://hackerone.com/reports/2792776 - Bounty: $505 [...]

Rate limit bypass on passport.acronis.work using X-Forwarded-For request header

on 28/11/2024

Acronis disclosed a bug submitted by analyz3r: https://hackerone.com/reports/2627062 - Bounty: $250 [...]

LIVE: Hacking, AppSec and Cybersecurity | GraphQL | Ask Me Anything

on 27/11/2024

Why Retail and E-commerce Organizations Trust Security Researchers During the Holiday Shopping Season

by HackerOne on 27/11/2024

Security leaders at REI, AS Watson, and Mercado Libre explain why retail and e-commerce organizations trust security researchers. [...]

How Is API Abuse Different from Web Application Attacks by Bots?

by wlrmblog on 27/11/2024

API abuse and web application bot attacks are often confused. This is understandable, as both involve automated interactions and are usually executed by bots. Both attack vectors are prevalent; criminals are always eager to disrupt the foundations on which businesses base their operations to achieve their malicious goals and they frequently automate their actions for maximum results. However, the [...]

Hacker in Snowflake Extortions May Be a U.S. Soldier

by BrianKrebs on 27/11/2024

Two men have been arrested for allegedly stealing data from and extorting dozens of companies that used the cloud data storage company Snowflake, but a third suspect — a prolific hacker known as Kiberphant0m — remains at large and continues to publicly extort victims. However, this person’s identity may not remain a secret for long: A careful review of Kiberphant0m’s daily [...]

The cyber threat landscape part 4: Emerging technologies and their security implications

by Intigriti on 27/11/2024

As organizations continue adopting emerging technologies, they gain immense benefits but also face new security challenges. Cloud computing, AI, IoT, and blockchain are reshaping the cyber threat landscape, introducing powerful tools for defenders along with vulnerabilities for attackers to exploit. In this post, we explore how these technologies impact cybersecurity, the uniqu… [...]

when adding branches to your account

on 26/11/2024

Mars disclosed a bug submitted by kh4rish34v3n: https://hackerone.com/reports/2756402 [...]

RXSS on via configUrl parameter

on 26/11/2024

Mars disclosed a bug submitted by kh4rish34v3n: https://hackerone.com/reports/2684274 [...]

Insecure API Response Leads to Disclosure of Hashed Passwords

on 26/11/2024

Mars disclosed a bug submitted by itsmatinx: https://hackerone.com/reports/2788557 [...]

Network and Information Systems Directive (NIS2) Compliance: What You Need to Know

by Sandeep Singh on 26/11/2024

Learn about the new NIS2 Directive requirements and how to achieve compliance through pentesting, VDP, and bug bounty. [...]

It’s sometimes hard to get paid for a non-standard vulnerability #bugbounty #bugbountytips #bugbount

on 26/11/2024

Here’s why you should look for deletion bugs #bugbounty #bugbountytips #bugbountyhunter

on 26/11/2024

Are paywall bypasses worth looking for? #bugbounty #bugbountytips #bugbountyhunter

on 26/11/2024

The truth about bug bounty reports that just seem too simple… #bugbounty #bugbountytips #bugbountyhu

on 26/11/2024

Try this if you are deleting resources with GraphQL mutations #bugbounty #bugbountytips #bugbountyhu

on 26/11/2024

Surprising fact about git that some developers don’t know about #bugbounty #bugbountytips #bugbounty

on 26/11/2024

$12,500 file leakage bug in Facebook #bugbounty #bugbountytips #bugbountyhunter

on 26/11/2024

Build Your Own Wi-Fi Pen Testing Device: ESP-32 Marauder

on 26/11/2024

5 Insights Attendees Gained from the Security@ World Tour

by HackerOne on 25/11/2024

Read the top 5 learnings attendees gained by joining one of our Security@ 2024 World Tour events. [...]

Reflected HTML Injection via contact (faq) search parameter on

on 25/11/2024

Mars disclosed a bug submitted by the-white-evil: https://hackerone.com/reports/2587101 [...]

Reflected HTML Injection via contact (faq) search parameter on ]=

on 25/11/2024

Mars disclosed a bug submitted by the-white-evil: https://hackerone.com/reports/2578985 [...]

unsubscribe anyone from all emails @

on 25/11/2024

Mars disclosed a bug submitted by abfe: https://hackerone.com/reports/2354888 [...]

Information Exposure due to enabled debug mode

on 25/11/2024

Mars disclosed a bug submitted by thpless: https://hackerone.com/reports/2243003 [...]

The Blueprint to Your First $1,000+ Bounty

on 25/11/2024

Crafting your bug bounty methodology: A complete guide for beginners

by novasecio on 25/11/2024

Bug bounty hunting can seem overwhelming when you're just starting, especially when you are coming from a non-technical background. And even then, bug bounty (or web security in general) is a vast topic with so much to grasp. Participating in bug bounties often also means competing along on bug bounty programs where thousands of other hunters are also actively hacking, with som… [...]

TCM Security Black Friday / Cyber Monday Deals 2024

on 22/11/2024

`std::process::Command` batch files argument escaping could be bypassed with trailing whitespace or periods

on 22/11/2024

Internet Bug Bounty disclosed a bug submitted by 4xpl0r3r: https://hackerone.com/reports/2721478 - Bounty: $505 [...]

MUT-8694: An NPM and PyPI Malicious Campaign Targeting Windows Users

on 22/11/2024

This post includes an analysis of an infostealer supply chain attack targeting Windows users [...]

Python Crypto Library Updated to Steal Private Keys

by Phylum Research Team on 21/11/2024

Yesterday, Phylum's automated risk detection platform discovered that the PyPI package aiocpa was updated to include malicious code that steals private keys by exfiltrating them through Telegram when users initialize the crypto library. While the attacker published this malicious update to PyPI, they deliberately kept the package's GitHub repository clean of the malicious code to evade d [...]

5 Things You Need to Learn From the New Hacker-Powered Security Report

on 21/11/2024

Sources

The content of this page is fetched from the following sources:

  1. Datadog Security Labs
  2. Trail of Bits Blog
  3. Phylum Research | Software Supply Chain Security
  4. Schneier on Security
  5. Krebs on Security
  6. Google Online Security Blog
  7. $BLOG_TITLE
  8. Agarri : Sécurité informatique offensive
  9. Alex Chapman's Blog
  10. www.alphabot.com
  11. victoria.dev
  12. Brett Buerhaus
  13. Bug Bounty Reports Explained
  14. Bugcrowd
  15. cat ~/footstep.ninja/blog.txt
  16. Ezequiel Pereira
  17. HackerOne
  18. HackerOne
  19. surajdisoja.me
  20. InsiderPhD
  21. Intigriti
  22. John Hammond
  23. LiveOverflow
  24. NahamSec
  25. PortSwigger Blog
  26. Rana Khalil
  27. Richard’s Infosec blog
  28. Ron Chan
  29. ropnop blog
  30. STÖK
  31. Sun Knudsen
  32. The Cyber Mentor
  33. The unofficial HackerOne disclosure timeline
  34. The XSS rat
  35. TomNomNom
  36. Wallarm