InfoSec Planet
A collection of diverse security content from a curated list of sources. This website also serves as a demo for "worker-planet", the software that powers it.
Uncle Rat Presents: 002-B: Uncle Rat's Ultimate Bug Bounty Guide - P 2 - Broad Scope And API Hacking on 18/03/2025
Notepad Saves Your Notes - Even If You Don't! on 18/03/2025
SSRF in Autodesk Rendering leading to account takeover on 18/03/2025
Autodesk disclosed a bug submitted by metereorpreter: https://hackerone.com/reports/3024673 [...]
Django Debug Mode Enabled - Information Disclosure on api.wwm-dev.autodesk.com on 18/03/2025
Autodesk disclosed a bug submitted by khoof: https://hackerone.com/reports/2965143 [...]
How To Get Hacked Downloading Torrents - Malware Analysis on 18/03/2025
Quantifying the Financial Impact of Cybersecurity with Return on Mitigation (RoM) on 18/03/2025
ms teams is now a C2 (command-and-control) on 18/03/2025
Is Security Human Factors Research Skewed Towards Western Ideas and Habits? on 18/03/2025
Really interesting research: “How WEIRD is Usable Privacy and Security Research?” by Ayako A. Hasegawa, Daisuke Inoue, and Mitsuaki Akiyama: Abstract: In human factor fields such as human-computer interaction (HCI) and psychology, researchers have been concerned that participants mostly come from WEIRD (Western, Educated, Industrialized, Rich, and Democratic) countries. This WEIRD skew [...]
How to Find Your First Help Desk Role! on 17/03/2025
Announcing OSV-Scanner V2: Vulnerability scanner and remediation tool for open source on 17/03/2025
Posted by Rex Pan and Xueqin Cui, Google Open Source Security Team. In December 2022, we released the open source OSV-Scanner tool, and earlier this year, we open sourced OSV-SCALIBR. OSV-Scanner and OSV-SCALIBR, together with OSV.dev are components of an open platform for managing vulnerability metadata and enabling simple and accurate matching and remediation of known vulnerabilities. Our goal is [...]
Improvements in Brute Force Attacks on 17/03/2025
New paper: “GPU Assisted Brute Force Cryptanalysis of GPRS, GSM, RFID, and TETRA: Brute Force Cryptanalysis of KASUMI, SPECK, and TEA3.” Abstract: Key lengths in symmetric cryptography are determined with respect to the brute force attacks with current technology. While nowadays at least 128-bit keys are recommended, there are many standards and real-world applications that use shorter [...]
This is How a Simple IDOR Earned Me a Max Bug Bounty Payout on 17/03/2025
I took the TryHackMe Security Analyst Level 1 Certification (SAL1) on 17/03/2025
CNWPP How To Fail An Exam Part 2:4 on 16/03/2025
Sensitive Information Disclosure via Back Button Post Logout on https://apps.nextcloud.com/account/ on 16/03/2025
Nextcloud disclosed a bug submitted by vulnerability_is_here: https://hackerone.com/reports/2946927 [...]
ClickFix: How to Infect Your PC in Three Easy Steps by BrianKrebs on 14/03/2025
A clever malware deployment scheme first spotted in targeted attacks last year has now gone mainstream. In this scam, dubbed “ClickFix,” the visitor to a hacked or malicious website is asked to distinguish themselves from bots by pressing a combination of keyboard keys that causes Microsoft Windows to download password-stealing malware. ClickFix attacks mimic the “Verify You are [...]
Friday Squid Blogging: SQUID Band on 14/03/2025
A bagpipe and drum band: SQUID transforms traditional Bagpipe and Drum Band entertainment into a multi-sensory rush of excitement, featuring high energy bagpipes, pop music influences and visually stunning percussion! As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered. [...]
My Recap Of BSides Limburg 2025 on 14/03/2025
The German Hacking Championship on 14/03/2025
Upcoming Speaking Engagements on 14/03/2025
This is a current list of where and when I am scheduled to speak: I’m speaking at the Rossfest Symposium in Cambridge, UK, on March 25, 2025. I’m speaking at the University of Toronto’s Rotman School of Management in Toronto, Canada, on April 3, 2025. The list is maintained on this page. [...]
IoT Hacking Tools You MUST Know: An In-Depth Review on 14/03/2025
2FA Bypass leads to impersonation of legitimate users on 14/03/2025
Drugs.com disclosed a bug submitted by dedoxd2: https://hackerone.com/reports/2885636 [...]
Stored Cross-Site Scripting found in custom integration app on https://admin.b360.autodesk.com. on 14/03/2025
Autodesk disclosed a bug submitted by the-white-evil: https://hackerone.com/reports/2971572 [...]
TP-Link Router Botnet on 14/03/2025
There is a new botnet that is infecting TP-Link routers: The botnet can lead to command injection which then makes remote code execution (RCE) possible so that the malware can spread itself across the internet automatically. This high severity security flaw (tracked as CVE-2023-1389) has also been used to spread other malware families as far back as April 2023 when it was used in the Mirai botnet [...]
One PUT Request to Own Tomcat: CVE-2025-24813 RCE is in the Wild by Ivan Novikov on 14/03/2025
A devastating new remote code execution (RCE) vulnerability, CVE-2025-24813, is now actively exploited in the wild. Attackers need just one PUT API request to take over vulnerable Apache Tomcat servers. The exploit, originally published by a Chinese forum user iSee857, is already available online: CVE-2025-24813 PoC by iSee857. Exploit Breakdown: How a Simple PUT Request Leads to Full RCE This att [...]
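The excerpt says a single PUT is enough, which presupposes that Tomcat's DefaultServlet accepts write methods at all. The fragment below is an added illustration, not from the article, showing the documented `readonly` init-param of `org.apache.catalina.servlets.DefaultServlet` in `conf/web.xml`: when it is `true` (Tomcat's shipped default) PUT and DELETE are refused with 403. The excerpt does not list the other preconditions of CVE-2025-24813, so treat this as the first thing to check, not as a complete mitigation.

```xml
<!-- conf/web.xml, DefaultServlet declaration (added illustration, not the article's text) -->

<!-- Weak: writes are accepted, so any client that can reach the server can create
     or overwrite files under the web application via HTTP PUT. -->
<servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param>
        <param-name>readonly</param-name>
        <param-value>false</param-value>
    </init-param>
    <load-on-startup>1</load-on-startup>
</servlet>

<!-- Hardened (and the default shipped by Tomcat): PUT and DELETE get a 403. -->
<servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param>
        <param-name>readonly</param-name>
        <param-value>true</param-value>
    </init-param>
    <load-on-startup>1</load-on-startup>
</servlet>
```

A quick external check is a PUT of a harmless text file to an unused path: a 403 means the servlet is read-only, while a 201 or 204 means the server is accepting writes and needs attention regardless of the CVE.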
Intigriti Bug Bytes #222 - March 2025 🚀 by Intigriti on 14/03/2025
Hey hackers, Each month, we team up with bug bounty experts to bring you insights, platform updates, new programs, and upcoming community events—all to help you find more bugs! Product updates New Feature: Gain Deeper Insights into Researcher Activity We're excited to introduce a new way for researchers to gain valuable insights into their time allocation across different domai… [...]
Hack Smart Devices For Only $2! on 13/03/2025
Stored Cross-Site Scripting in mercadopago.com.ar on 13/03/2025
MercadoLibre disclosed a bug submitted by elmago: https://hackerone.com/reports/1955485 [...]
Domain highlighting on External link warning is not working on Chrome & Microsoft Edge browsers on Mobile on 13/03/2025
HackerOne disclosed a bug submitted by sarthakbhingare015: https://hackerone.com/reports/2553026 [...]
RIP Mark Klein on 13/03/2025
2006 AT&T whistleblower Mark Klein has died. [...]
cgi scripts wordlist entry for windmail.exe has payload that sends arbitrary file read result to third-party on 13/03/2025
PortSwigger Web Security disclosed a bug submitted by floyd: https://hackerone.com/reports/2733994 - Bounty: $200 [...]
they tried to hack me so i confronted them on 13/03/2025
Burp Everywhere, All Around the World: Bringing AppSec Enthusiasts Together in 2025 on 13/03/2025
Security is a team sport. Whether you're a pentester, bug bounty hunter, student, or just love breaking (and fixing) things, our field thrives on shared knowledge, collaboration, and support. We want [...]
Access control vulnerability in the retail industry. Cross-Site Scripting (XSS) use case by Eleanor Barlow on 13/03/2025
Why is the retail industry being targeted? Large-scale operations and the extensive attack surface of the retail industry render it particularly susceptible to cybercrime, on a global scale. Websites, mobile apps, and company programs create numerous entry points for malicious actors. The high volume of payment transactions and financial incentives of successful attacks present… [...]
CNWPP How To Fail An Exam Part 1:4 on 12/03/2025
Uncle Rat's 4 Hour API Hacking MasterClass - Zero To Hero - OWASP top 10 - Tools - Demo's on 12/03/2025
LIVE: USB and Log Analysis | Cybersecurity | Blue Team | AMA on 12/03/2025
Hunting for privilege escalations by modifying the JS feat. renniepak #bugbounty #bugbountytips #bug on 12/03/2025
The mysterious bug bounty methodology on 12/03/2025
$50k XSS in a web3 website feat. renniepak #bugbounty #bugbountytips #bugbountyhunter on 12/03/2025
Using javascript bookmarks to speed up bug hunting feat. renniepak #bugbounty #bugbountytips #bugbou on 12/03/2025
An XSS payload tattooed on the forearm feat. renniepak #bugbounty #bugbountytips #bugbountyhunter on 12/03/2025
The CSPBypass website feat. renniepak #bugbounty #bugbountytips #bugbountyhunter on 12/03/2025
How to become an XSS expert with renniepak on 12/03/2025
Behind the Scenes of Burp AI: How we built it, and what's next on 12/03/2025
Why now? Artificial intelligence is rapidly transforming industries, and security testing is no exception. At PortSwigger, we’ve always been driven by innovation, but we don’t chase trends for the sak [...]
LEAKED Russian Hackers Internal Chats on 12/03/2025
China, Russia, Iran, and North Korea Intelligence Sharing on 12/03/2025
Former CISA Director Jen Easterly writes about a new international intelligence sharing co-op: Historically, China, Russia, Iran & North Korea have cooperated to some extent on military and intelligence matters, but differences in language, culture, politics & technological sophistication have hindered deeper collaboration, including in cyber. Shifting geopolitical dynamics, however, cou [...]
Best practices to avoid Bugcrowd platform violations with Anon Hunter (Sharik Khan) on 12/03/2025
Microsoft: 6 Zero-Days in March 2025 Patch Tuesday by BrianKrebs on 11/03/2025
Microsoft today issued more than 50 security updates for its various Windows operating systems, including fixes for a whopping six zero-day vulnerabilities that are already seeing active exploitation. Two of the zero-day flaws include CVE-2025-24991 and CVE-2025-24993, both vulnerabilities in NTFS, the default file system for Windows and Windows Server. Both require the attacker to trick a target [...]
Non-Production API Endpoints for the DocumentDB Elastic Service Fail to Log to CloudTrail Resulting in Silent Permission Enumeration on 11/03/2025
AWS VDP disclosed a bug submitted by nick_frichette_dd: https://hackerone.com/reports/3009411 [...]
CSRF to Reflected XSS at echo.urbandictionary.biz via spoofing content type on 11/03/2025
Urban Dictionary disclosed a bug submitted by osama-hamad: https://hackerone.com/reports/1237321 [...]
Account Takeover Vulnerability in Shopify Collabs Platform Due to Missing Email Verification on 11/03/2025
Shopify disclosed a bug submitted by kun_19: https://hackerone.com/reports/1679734 - Bounty: $800 [...]
Silk Typhoon Hackers Indicted on 11/03/2025
Lots of interesting details in the story: The US Department of Justice on Wednesday announced the indictment of 12 Chinese individuals accused of more than a decade of hacker intrusions around the world, including eight staffers for the contractor i-Soon, two officials at China’s Ministry of Public Security who allegedly worked with them, and two other alleged hackers who are said to be part [...]
Alleged Co-Founder of Garantex Arrested in India by BrianKrebs on 11/03/2025
Authorities in India today arrested the alleged co-founder of Garantex, a cryptocurrency exchange sanctioned by the U.S. government in 2022 for facilitating tens of billions of dollars in money laundering by transnational criminal and cybercriminal organizations. Sources close to the investigation told KrebsOnSecurity the Lithuanian national Aleksej Besciokov, 46, was apprehended while vacationing [...]
4 platforms to practice hacking as a beginner 👆 on 11/03/2025
Get Hired In Cybersecurity Without Previous Experience on 11/03/2025
XXE: A complete guide to exploiting advanced XXE vulnerabilities by blackbird-eu on 11/03/2025
XML External Entity (XXE) vulnerabilities are one of the most overlooked yet impactful vulnerabilities in modern web applications. Although they've become seemingly harder to detect and exploit, their impact remains severe, often allowing attackers to read internal files, reach internal-only networks, and in severe cases even achieve remote code execution. In this article, we w… [...]
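The file-read primitive the excerpt mentions, as an added example that is not from the Intigriti article: one constructed XXE payload is fed to Python's `xml.sax` twice, once with external general entities enabled (the vulnerable parser setting) and once with them disabled (the hardened setting). The secret file, its contents and the function names are constructed for the demo. CPython 3.7.1 and later already ship with external general entities off, so the vulnerable branch models application code that re-enables them or a library that resolves them out of the box.

```python
"""XXE file read against xml.sax: vulnerable configuration beside the hardened one.
Added example, not code from the article. Paths and secrets are constructed."""
import io
import os
import tempfile
import xml.sax
import xml.sax.handler


class TextCollector(xml.sax.handler.ContentHandler):
    """Collects character data, i.e. whatever the parser substitutes for &xxe;."""

    def __init__(self):
        super().__init__()
        self.parts = []

    def characters(self, content):
        self.parts.append(content)


def parse_untrusted(xml_bytes: bytes, resolve_external: bool) -> str:
    """Parse attacker-controlled XML and return the document's text content.

    resolve_external=True is the vulnerable setting: the parser fetches whatever
    SYSTEM identifier the DOCTYPE names and splices it into the document.
    resolve_external=False is the hardened setting (and CPython's default since
    3.7.1): the entity reference is silently left empty.
    """
    parser = xml.sax.make_parser()
    parser.setFeature(xml.sax.handler.feature_external_ges, resolve_external)
    handler = TextCollector()
    parser.setContentHandler(handler)
    parser.parse(io.BytesIO(xml_bytes))
    return "".join(handler.parts).strip()


def build_xxe_payload(target_path: str) -> bytes:
    """Constructed payload: declare an external entity pointing at a local file
    and reference it in element content so the file body is echoed back."""
    return (
        '<?xml version="1.0"?>\n'
        f'<!DOCTYPE data [<!ENTITY xxe SYSTEM "{target_path}">]>\n'
        "<data>&xxe;</data>\n"
    ).encode()


def demo() -> tuple:
    """Return (text leaked by the vulnerable parser, text from the hardened parser)."""
    secret = "constructed-secret: db_password=hunter2"  # stands in for /etc/passwd etc.
    with tempfile.NamedTemporaryFile("w", suffix=".conf", delete=False) as f:
        f.write(secret)
        path = f.name
    try:
        payload = build_xxe_payload(path)
        leaked = parse_untrusted(payload, resolve_external=True)
        safe = parse_untrusted(payload, resolve_external=False)
    finally:
        os.unlink(path)
    return leaked, safe


if __name__ == "__main__":
    leaked, safe = demo()
    print("vulnerable parser returned:", leaked)
    print("hardened parser returned:  ", repr(safe))
```

The hardened branch still parses the DOCTYPE, it just refuses to fetch the SYSTEM identifier. For code that cannot audit every parser setting, the defusedxml package wraps the standard-library parsers with entity expansion and external fetches disabled outright.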
RCE through collaboration with tess on 10/03/2025
How Ethical Hackers ACTUALLY Use ChatGPT With Real Examples on 10/03/2025
Thousands of WordPress Websites Infected with Malware on 10/03/2025
The malware includes four separate backdoors: Creating four backdoors facilitates the attackers having multiple points of re-entry should one be detected and removed. A unique case we haven’t seen before. Which introduces another type of attack made possible by abusing websites that don’t monitor 3rd party dependencies in the browser of their users. The four backdoors: The functions of [...]
My Top 7 Burp Suite Extensions - Community Edition - 2025 on 10/03/2025
MSPGEEKCON is back for 2025 on 09/03/2025
TECH SUPPORT GONE WRONG on 08/03/2025
Feds Link $150M Cyberheist to 2022 LastPass Hacks by BrianKrebs on 08/03/2025
In September 2023, KrebsOnSecurity published findings from security researchers who concluded that a series of six-figure cyberheists across dozens of victims resulted from thieves cracking master passwords stolen from the password manager service LastPass in 2022. In a court filing this week, U.S. federal agents investigating a spectacular $150 million cryptocurrency heist said they had reached t [...]
Level Up Your OSINT Skills! on 07/03/2025
Friday Squid Blogging: Squid Loyalty Cards on 07/03/2025
Squid is a loyalty card platform in Ireland. Blog moderation policy. [...]
Deadlock in x86 HVM standard VGA handling on 07/03/2025
Internet Bug Bounty disclosed a bug submitted by stonksy: https://hackerone.com/reports/2921724 - Bounty: $2162 [...]
Security Flash: Breaking Down H.R. 872 on 07/03/2025
Possible ReDoS vulnerability in query parameter filtering in Action Dispatch on 07/03/2025
Internet Bug Bounty disclosed a bug submitted by scyoon: https://hackerone.com/reports/2872502 [...]
Vulnerability Reward Program: 2024 in Review on 07/03/2025
Posted by Dirk Göhmann. In 2024, our Vulnerability Reward Program confirmed the ongoing value of engaging with the security research community to make Google and its products safer. This was evident as we awarded just shy of $12 million to over 600 researchers based in countries around the globe across all of our programs. Vulnerability Reward Program 2024 in Numbers: You can learn about who’s reportin [...]
How to Get Hired in Cybersecurity in 2025 on 07/03/2025
Who is the DOGE and X Technician Branden Spikes? by BrianKrebs on 07/03/2025
At 49, Branden Spikes isn’t just one of the oldest technologists who has been involved in Elon Musk’s Department of Government Efficiency (DOGE). As the current director of information technology at X/Twitter and an early hire at PayPal, Zip2, Tesla and SpaceX, Spikes is also among Musk’s most loyal employees. Here’s a closer look at this trusted Musk lieutenant, whose Russ [...]
Sale cancellations from other sellers without restrictions on 06/03/2025
MercadoLibre disclosed a bug submitted by capablanca0: https://hackerone.com/reports/2495989 [...]
Exposing debug.log file leads to server full path disclosure on 06/03/2025
Autodesk disclosed a bug submitted by kanon4: https://hackerone.com/reports/3002345 [...]
the tools that real hackers use on 06/03/2025
SQLi | in URL paths on 06/03/2025
MTN Group disclosed a bug submitted by almuntadhar: https://hackerone.com/reports/2958619 [...]
Use after free (read) in curl_multi_perform with DoH and Proxy options, and resolve timeouts on 06/03/2025
curl disclosed a bug submitted by catenacyber: https://hackerone.com/reports/3022041 [...]
LIVE: New Certification Release | Q&A | Helpdesk | Cybersecurity on 06/03/2025
Benchmarking OpenSearch and Elasticsearch on 06/03/2025
This post concludes a four-month performance study of OpenSearch and Elasticsearch search engines across realistic scenarios using OpenSearch Benchmark (OSB). Our full report includes the detailed findings and comparison results of several versions of these two applications. [...]
A message to the xss twat - I got hacked on 05/03/2025
Session Timeout Does Not Enforce Re-Authentication on AWS Access Portal on 05/03/2025
AWS VDP disclosed a bug submitted by xendaviour: https://hackerone.com/reports/2800511 [...]
CVE-2023-5561 on Payapps.com on 05/03/2025
Autodesk disclosed a bug submitted by khoof: https://hackerone.com/reports/2997549 [...]
Hardware hacking with Erik de Jong and the University of New Brunswick Cybersec Club on 05/03/2025
Non-Production API Endpoints for the Device Farm Service Fail to Log to CloudTrail Resulting in Silent Permission Enumeration on 04/03/2025
AWS VDP disclosed a bug submitted by nick_frichette_dd: https://hackerone.com/reports/2999116 [...]
Why You Should Start Your Career With IT Help Desk on 04/03/2025
New AI-Powered Scam Detection Features to Help Protect You on Android on 04/03/2025
Posted by Lyubov Farafonova, Product Manager, Phone by Google; Alberto Pastor Nieto, Sr. Product Manager, Google Messages and RCS Spam and Abuse. Google has been at the forefront of protecting users from the ever-growing threat of scams and fraud with cutting-edge technologies and security expertise for years. In 2024, scammers used increasingly sophisticated tactics and generative AI-powered tool [...]
are built-in windows programs vulnerable? on 04/03/2025
Sensitive API Key Leakage on 04/03/2025
AWS VDP disclosed a bug submitted by hemant1: https://hackerone.com/reports/3017105 [...]
Ability to Add and Verify Uncontrolled Mobile Numbers Leading to Account Takeover (ATO) on 04/03/2025
MTN Group disclosed a bug submitted by trev0ck: https://hackerone.com/reports/2762462 [...]
API Specifications: Why, When, and How to Enforce Them by Tim Erlin on 04/03/2025
APIs facilitate communication between different software applications and power a wide range of everyday digital experiences, from weather apps to streaming services and everything in between. They are also a critical ingredient of AI. However, if not structured and standardized properly, APIs can become inconsistent, insecure, and difficult to maintain. This is where API specifications come into [...]
Getting Into Bug Bounties With AI - Recon Script on 03/03/2025
Continuous TRAIL on 03/03/2025
You and your team should incrementally update your threat model as your system changes, integrating threat modeling into each phase of your SDLC to create a Threat and Risk Analysis Informed Lifecycle (TRAIL). Here, we cover how to do that: how to further tailor the threat model we built, how to maintain it, when to update it as development continues, and how to make use of it. [...]
Broken Access Control leads to disclosure of transaction history via /v2/rechargeTransactionHistory endpoint on 02/03/2025
MTN Group disclosed a bug submitted by hafiz-ng: https://hackerone.com/reports/2746709 [...]
Admin Dashboard Access Leads to Updating Merchant Info on 02/03/2025
MTN Group disclosed a bug submitted by tinopreter: https://hackerone.com/reports/2801787 [...]
Notorious Malware, Spam Host “Prospero” Moves to Kaspersky Lab by BrianKrebs on 28/02/2025
One of the most notorious providers of abuse-friendly “bulletproof” web hosting for cybercriminals has started routing its operations through networks run by the Russian antivirus and security firm Kaspersky Lab, KrebsOnSecurity has learned. Security experts say the Russia-based service provider Prospero OOO (the triple O is the Russian version of “LLC”) has long been a per [...]
The latest insights on global VDP adoption & IoT security trends on 28/02/2025
Enhance Your WordPress Security With These Tips! on 28/02/2025
Do you know this common Go vulnerability? on 28/02/2025
API Armor: How Bybit’s Real-Time Blacklisting Is Thwarting a $1.5B Crypto Heist by Ivan Novikov on 28/02/2025
APIs present a security risk—that much is a given. Attacks on APIs have caused some of the most significant security incidents of the past decades. But the question now is: How can we flip the script and leverage their power to enhance security? Bybit might just have the answer. Bybit, one of the world’s leading cryptocurrency exchanges, recently leveraged the power of an API in the [...]