InfoSec Planet
A collection of diverse security content from a curated list of sources. This website also serves as a demo for "worker-planet", the software that powers it.
Top Tool Capabilities to Prevent AI-Powered Attacks by Raymond Kirk on 11/12/2024
Recent advances in AI technologies have granted organizations and individuals alike unprecedented productivity, efficiency, and operational benefits. AI is, without question, the single most exciting emerging technology in the world. However, it also brings enormous risks. While the dystopian, AI-ruled worlds of sci-fi films are a long way off, AI is helping cyber threat actors launch attacks at [...]
Auditing the Ruby ecosystem’s central package repository by Trail of Bits on 11/12/2024
Ruby Central hired Trail of Bits to complete a security assessment and a competitive analysis of RubyGems.org, the official package management system for Ruby applications. With over 184 billion downloads to date, RubyGems.org is critical infrastructure for the Ruby language ecosystem. This is a joint post with the Ruby Central team; read their announcement here! The full report, which includes a [...]
Jailbreaking LLM-Controlled Robots on 11/12/2024
Surprising no one, it’s easy to trick an LLM-controlled robot into ignoring its safety instructions. [...]
Mastering Token Access: Uncovering Microsoft Graph API Secrets on 11/12/2024
netrc + redirect credential leak on 11/12/2024
curl disclosed a bug submitted by nyymi: https://hackerone.com/reports/2829063 [...]
Unlocking Docker Inside Docker: The DIND Revolution on 11/12/2024
Learn Cryptography! on 11/12/2024
Patch Tuesday, December 2024 Edition by BrianKrebs on 11/12/2024
Microsoft today released updates to plug at least 70 security holes in Windows and Windows software, including one vulnerability that is already being exploited in active attacks. The zero-day seeing exploitation involves CVE-2024-49138, a security weakness in the Windows Common Log File System (CLFS) driver — used by applications to write transaction logs — that could let an authenti [...]
Introducing the Wells Fargo Public Bug Bounty Program by HackerOne on 10/12/2024
Wells Fargo announces its public bug bounty program after several years of engaging the HackerOne community. [...]
Six Years of Proactive Defense: Deribit’s Journey with HackerOne by HackerOne on 10/12/2024
Learn how Deribit uses its HackerOne bug bounty program for its proactive security strategy. [...]
Google Cloud expands vulnerability detection for Artifact Registry using OSV on 10/12/2024
Posted by Greg Mucci, Product Manager, Artifact Analysis, Oliver Chang, Senior Staff Engineering, OSV, and Charl de Nysschen, Product Manager, OSV. DevOps teams dedicated to securing their supply chain and predicting potential risks consistently face novel threats. Fortunately, they can now improve their image and container security by harnessing Google-grade vulnerability scanning, which offers expa [...]
Full-Face Masks to Frustrate Identification on 10/12/2024
This is going to be interesting. It’s a video of someone trying on a variety of printed full-face masks. They won’t fool anyone for long, but will survive casual scrutiny. And they’re cheap and easy to swap. [...]
Social Engineering: Accessing Microsoft Graph API Secrets on 10/12/2024
Mastering Docker: Build Your Own Authentication & Registry Service on 10/12/2024
New Guidance for Federal AI Procurement Embraces Red Teaming and Other HackerOne Suggestions by Michael Woolslayer on 09/12/2024
The U.S. government has embraced HackerOne's recommendations for the new federal AI procurements guidance. [...]
How To Pick A Bug Bounty Target And Platform - Tips And Tricks on 09/12/2024
Render content from untrusted sources via web_preview endpoint on Acronis Cloud on 09/12/2024
Acronis disclosed a bug submitted by mr-medi: https://hackerone.com/reports/1848118 - Bounty: $200 [...]
35 more Semgrep rules: infrastructure, supply chain, and Ruby by Trail of Bits on 09/12/2024
By Matt Schwager and Travis Peters We are publishing another set of custom Semgrep rules, bringing our total number of public rules to 115. This blog post will briefly cover the new rules, then explore two Semgrep features in depth: regex mode (especially how it compares against generic mode), and HCL language support for technologies such as Terraform and Nomad. With these features, we can search [...]
Understanding ⛔️403 Bypasses⛔️ (With Examples) on 09/12/2024
Trust Issues in AI on 09/12/2024
For a technology that seems startling in its modernity, AI sure has a long history. Google Translate, OpenAI chatbots, and Meta AI image generators are built on decades of advancements in linguistics, signal processing, statistics, and other fields going back to the early days of computing—and, often, on seed funding from the U.S. Department of Defense. But today’s tools are hardly the [...]
Clone Security Groups: Unveiling Rogue User Risks on 09/12/2024
Unlocking the Secrets of Docker: A Creative Journey on 09/12/2024
Buffer Overflow Risk in Curl_inet_ntop and inet_ntop4 on 08/12/2024
curl disclosed a bug submitted by napol-webug: https://hackerone.com/reports/2887487 [...]
RCE on worker host due to unsanitized "env" variable name in task definition on community-tc.services.mozilla.com on 08/12/2024
Mozilla disclosed a bug submitted by ebrietas: https://hackerone.com/reports/2221404 [...]
Unlocking Our Backdoor Account: Dynamic Admin Setup Made Easy on 08/12/2024
Unlocking Service User Secrets: Bypassing Authentication Flaws on 08/12/2024
Unlocking Guest Invites: Secrets of EntraID on 07/12/2024
Master Docker Images with Scopio: Simplify Your Workflow on 07/12/2024
CVE-2024-45498: Apache Airflow Command injection in read_dataset_event_from_classic DAG on 07/12/2024
Internet Bug Bounty disclosed a bug submitted by nhienit2010: https://hackerone.com/reports/2705661 [...]
Broken authentication: 7 Advanced ways of bypassing insecure 2-FA implementations by novasecio on 07/12/2024
Two-factor authentication (2FA) has become the go-to solution for strengthening account security. More and more companies are deploying 2FA implementations, and some even enforce them on their users to keep them secure against unauthorized access. But what if 2FA wasn't correctly implemented? In this article, we are exploring 7 ways of bypassing 2FA implementations, including s… [...]
Hack My Career: Saskia Braucher by Marina Briones on 06/12/2024
Friday Squid Blogging: Safe Quick Undercarriage Immobilization Device on 06/12/2024
Fifteen years ago I blogged about a different SQUID. Here’s an update: Fleeing drivers are a common problem for law enforcement. They just won’t stop unless persuaded—persuaded by bullets, barriers, spikes, or snares. Each option is risky business. Shooting up a fugitive’s car is one possibility. But what if children or hostages are in it? Lay down barriers, and the driver might swerv [...]
Getting to Know GraphQL on 06/12/2024
Detecting Pegasus Infections on 06/12/2024
This tool seems to do a pretty good job. The company’s Mobile Threat Hunting feature uses a combination of malware signature-based detection, heuristics, and machine learning to look for anomalies in iOS and Android device activity or telltale signs of spyware infection. For paying iVerify customers, the tool regularly checks devices for potential compromise. But the company also offers a fr [...]
[ addons-preview-cdn.mozilla.net ] A subdomain takeover is available via unregistered domain in Fastly on 06/12/2024
Mozilla disclosed a bug submitted by haveaniceday: https://hackerone.com/reports/2706358 [...]
Effortlessly Invite Guests with Graphrunner's Commandlet on 06/12/2024
Inside the Registry Challenge: CTF Zone Finals 2024 on 06/12/2024
Linux Challenges for Holiday Hacking on 06/12/2024
Introducing Supply-Chain Firewall: Protecting Developers from Malicious Open Source Packages on 06/12/2024
Release of Supply-Chain Firewall, an open source tool for preventing the installation of malicious PyPI and npm packages [...]
Harnessing the Working Genius for Team Success by debbie@hackerone.com on 05/12/2024
Announcing the launch of Vanir: Open-source Security Patch Validation on 05/12/2024
Posted by Hyunkwook Baek, Duy Truong, Justin Dunlap and Lauren Stan from Android Security and Privacy, and Oliver Chang with the Google Open Source Security Team. Today, we are announcing the availability of Vanir, a new open-source security patch validation tool. Introduced at Android Bootcamp in April, Vanir gives Android platform developers the power to quickly and efficiently scan their custom p [...]
Capture the Flag! Command Injection by Docker Layers on 05/12/2024
IP restriction bypass via X-Forwarded-For header on 05/12/2024
Acronis disclosed a bug submitted by mrityu: https://hackerone.com/reports/1224089 - Bounty: $250 [...]
The cyber threat landscape part 5: Staying safe with multi-layered defense by Intigriti on 05/12/2024
Before diving into security controls or implementing bug bounty programs, it is essential to first establish a strong foundation in risk management and define your risk acceptance criteria. Defending your assets requires identifying and mapping each asset to the specific types and levels of threats that could impact them. Security cannot be approached reactively - securing assets is a strategi… [...]
U.S. Offered $10M for Hacker Just Arrested by Russia by BrianKrebs on 04/12/2024
In January 2022, KrebsOnSecurity identified a Russian man named Mikhail Matveev as “Wazawaka,” a cybercriminal who was deeply involved in the formation and operation of multiple ransomware groups. The U.S. government indicted Matveev as a top ransomware purveyor a year later, offering $10 million for information leading to his arrest. Last week, the Russian government reportedly arrest [...]
Protecting Against Bot-Enabled API Abuse by Nikolay Tkachenko on 04/12/2024
APIs have become the backbone of modern digital ecosystems, powering everything from mobile apps to e-commerce platforms. However, as APIs grow in importance, they also become prime targets for malicious actors. Increasingly, bots are being weaponized to exploit vulnerabilities, overwhelm systems, and siphon sensitive data—all without triggering alarms until it’s too late. The rise in bot-driv [...]
AI and the 2024 Elections on 04/12/2024
It’s been the biggest year for elections in human history: 2024 is a “super-cycle” year in which 3.7 billion eligible voters in 72 countries had the chance to go the polls. These are also the first AI elections, where many feared that deepfakes and artificial intelligence-generated misinformation would overwhelm the democratic processes. As 2024 draws to a close, it’s instr [...]
#guineapig 🐹 on 03/12/2024
Invisible Salamanders Attack against end_to_end_encryption in Nextcloud on 03/12/2024
Nextcloud disclosed a bug submitted by pseudo-llrktbeyk: https://hackerone.com/reports/2497947 [...]
Hai’s Latest Evolution: Intelligence, Context, and More Intuitive UX by Martijn Russchen on 03/12/2024
Hai, HackerOne's AI copilot has 3 new capabilities: Hai analytics, contextual conversations, and an enhanced user experience. [...]
Why You MUST Audit Open Source Tools Before Use on 03/12/2024
#toverland winter feelings on 03/12/2024
Why Phishers Love New TLDs Like .shop, .top and .xyz by BrianKrebs on 03/12/2024
Phishing attacks increased nearly 40 percent in the year ending August 2024, with much of that growth concentrated at a small number of new generic top-level domains (gTLDs) — such as .shop, .top, .xyz — that attract scammers with rock-bottom prices and no meaningful registration requirements, new research finds. Meanwhile, the nonprofit entity that oversees the domain name industry is [...]
Algorithms Are Coming for Democracy—but It’s Not All Bad on 03/12/2024
In 2025, AI is poised to change every aspect of democratic politics—but it won’t necessarily be for the worse. India’s prime minister, Narendra Modi, has used AI to translate his speeches for his multilingual electorate in real time, demonstrating how AI can help diverse democracies to be more inclusive. AI avatars were used by presidential candidates in South Korea in electionee [...]
5 Questions to Assess Your Organization’s Bug Bounty Readiness by Josh Jacobson on 02/12/2024
Is your organization ready for a bug bounty program? These 5 questions will help assess your security program's bug bounty readiness. [...]
How To Write A Pentest Report That Gets Your Findings Fixed on 02/12/2024
open redirected by host header on 02/12/2024
Localize disclosed a bug submitted by black_world: https://hackerone.com/reports/2828499 [...]
Details about the iOS Inactivity Reboot Feature on 02/12/2024
I recently wrote about the new iOS feature that forces an iPhone to reboot after it’s been inactive for a longish period of time. Here are the technical details, discovered through reverse engineering. The feature triggers after seventy-two hours of inactivity, even if it remains connected to Wi-Fi. [...]
Buffer Overflow Vulnerability in strcpy() Leading to Remote Code Execution on 02/12/2024
curl disclosed a bug submitted by tix01: https://hackerone.com/reports/2871792 [...]
#rat #rats 🐀 ding dong on 01/12/2024
The Mother Of All BAC Exploits - FULL on 01/12/2024
Can You Hack a Car With a Flipper Zero? on 30/11/2024
CVE-2024-41990: Potential denial-of-service in django.utils.html.urlize() on 30/11/2024
Internet Bug Bounty disclosed a bug submitted by mprogrammer: https://hackerone.com/reports/2795558 - Bounty: $2162 [...]
CVE-2024-49761: ReDoS vulnerability in REXML on 30/11/2024
Internet Bug Bounty disclosed a bug submitted by manun: https://hackerone.com/reports/2807139 [...]
Broken authentication: A complete guide to exploiting advanced authentication vulnerabilities by novasecio on 30/11/2024
Authentication vulnerabilities are fun to find as they are impactful by nature and often grant unauthorized users access to various resources with elevated privileges. Even though they are harder to spot, placed just at the 7th position on the OWASP Top 10 list, they still form a significant risk and are of course worth testing for. In this article, we will be covering what aut… [...]
Friday Squid Blogging: Squid-Inspired Needle Technology on 29/11/2024
Interesting research: Using jet propulsion inspired by squid, researchers demonstrate a microjet system that delivers medications directly into tissues, matching the effectiveness of traditional needles. Blog moderation policy. [...]
Staying Focused in Cybersecurity on 29/11/2024
Race Condition Attacks against LLMs on 29/11/2024
These are two attacks against the system components surrounding LLMs: We propose that LLM Flowbreaking, following jailbreaking and prompt injection, joins as the third on the growing list of LLM attack types. Flowbreaking is less about whether prompt or response guardrails can be bypassed, and more about whether user inputs and generated model outputs can adversely affect these other components in [...]
[CVE-2024-47888] Possible ReDoS vulnerability in plain_text_for_blockquote_node in Action Text on 28/11/2024
Internet Bug Bounty disclosed a bug submitted by ooooooo_q: https://hackerone.com/reports/2792776 - Bounty: $505 [...]
Rate limit bypass on passport.acronis.work using X-Forwarded-For request header on 28/11/2024
Acronis disclosed a bug submitted by analyz3r: https://hackerone.com/reports/2627062 - Bounty: $250 [...]
LIVE: Hacking, AppSec and Cybersecurity | GraphQL | Ask Me Anything on 27/11/2024
Why Retail and E-commerce Organizations Trust Security Researchers During the Holiday Shopping Season by HackerOne on 27/11/2024
Security leaders at REI, AS Watson, and Mercado Libre explain why retail and e-commerce organizations trust security researchers. [...]
How Is API Abuse Different from Web Application Attacks by Bots? by wlrmblog on 27/11/2024
API abuse and web application bot attacks are often confused. This is understandable, as both involve automated interactions and are usually executed by bots. Both attack vectors are prevalent; criminals are always eager to disrupt the foundations on which businesses base their operations to achieve their malicious goals and they frequently automate their actions for maximum results. However, the [...]
Hacker in Snowflake Extortions May Be a U.S. Soldier by BrianKrebs on 27/11/2024
Two men have been arrested for allegedly stealing data from and extorting dozens of companies that used the cloud data storage company Snowflake, but a third suspect — a prolific hacker known as Kiberphant0m — remains at large and continues to publicly extort victims. However, this person’s identity may not remain a secret for long: A careful review of Kiberphant0m’s daily [...]
The cyber threat landscape part 4: Emerging technologies and their security implications by Intigriti on 27/11/2024
As organizations continue adopting emerging technologies, they gain immense benefits but also face new security challenges. Cloud computing, AI, IoT, and blockchain are reshaping the cyber threat landscape, introducing powerful tools for defenders along with vulnerabilities for attackers to exploit. In this post, we explore how these technologies impact cybersecurity, the uniqu… [...]
when adding branches to your account on 26/11/2024
Mars disclosed a bug submitted by kh4rish34v3n: https://hackerone.com/reports/2756402 [...]
RXSS on via configUrl parameter on 26/11/2024
Mars disclosed a bug submitted by kh4rish34v3n: https://hackerone.com/reports/2684274 [...]
Insecure API Response Leads to Disclosure of Hashed Passwords on 26/11/2024
Mars disclosed a bug submitted by itsmatinx: https://hackerone.com/reports/2788557 [...]
Network and Information Systems Directive (NIS2) Compliance: What You Need to Know by Sandeep Singh on 26/11/2024
Learn about the new NIS2 Directive requirements and how to achieve compliance through pentesting, VDP, and bug bounty. [...]
It’s sometimes hard to get paid for a non-standard vulnerability #bugbounty #bugbountytips #bugbount on 26/11/2024
Here’s why you should look for deletion bugs #bugbounty #bugbountytips #bugbountyhunter on 26/11/2024
Are paywall bypasses worth looking for? #bugbounty #bugbountytips #bugbountyhunter on 26/11/2024
The truth about bug bounty reports that just seem too simple… #bugbounty #bugbountytips #bugbountyhu on 26/11/2024
Try this if you are deleting resources with GraphQL mutations #bugbounty #bugbountytips #bugbountyhu on 26/11/2024
Surprising fact about git that some developers don’t know about #bugbounty #bugbountytips #bugbounty on 26/11/2024
$12,500 file leakage bug in Facebook #bugbounty #bugbountytips #bugbountyhunter on 26/11/2024
Build Your Own Wi-Fi Pen Testing Device: ESP-32 Marauder on 26/11/2024
5 Insights Attendees Gained from the Security@ World Tour by HackerOne on 25/11/2024
Read the top 5 learnings attendees gained by joining one of our Security@ 2024 World Tour events. [...]
Reflected HTML Injection via contact (faq) search parameter on on 25/11/2024
Mars disclosed a bug submitted by the-white-evil: https://hackerone.com/reports/2587101 [...]
Reflected HTML Injection via contact (faq) search parameter on on 25/11/2024
Mars disclosed a bug submitted by the-white-evil: https://hackerone.com/reports/2578985 [...]
unsubscribe anyone from all emails @ on 25/11/2024
Mars disclosed a bug submitted by abfe: https://hackerone.com/reports/2354888 [...]
Information Exposure due to enabled debug mode on 25/11/2024
Mars disclosed a bug submitted by thpless: https://hackerone.com/reports/2243003 [...]
The Blueprint to Your First $1,000+ Bounty on 25/11/2024
Crafting your bug bounty methodology: A complete guide for beginners by novasecio on 25/11/2024
Bug bounty hunting can seem overwhelming when you're just starting, especially when you are coming from a non-technical background. And even then, bug bounty (or web security in general) is a vast topic with so much to grasp. Participating in bug bounties often also means competing along on bug bounty programs where thousands of other hunters are also actively hacking, with som… [...]
TCM Security Black Friday / Cyber Monday Deals 2024 on 22/11/2024
`std::process::Command` batch files argument escaping could be bypassed with trailing whitespace or periods on 22/11/2024
Internet Bug Bounty disclosed a bug submitted by 4xpl0r3r: https://hackerone.com/reports/2721478 - Bounty: $505 [...]
MUT-8694: An NPM and PyPI Malicious Campaign Targeting Windows Users on 22/11/2024
This post includes an analysis of an infostealer supply chain attack targeting Windows users [...]
Python Crypto Library Updated to Steal Private Keys by Phylum Research Team on 21/11/2024
Yesterday, Phylum's automated risk detection platform discovered that the PyPI package aiocpa was updated to include malicious code that steals private keys by exfiltrating them through Telegram when users initialize the crypto library. While the attacker published this malicious update to PyPI, they deliberately kept the package's GitHub repository clean of the malicious code to evade d [...]