InfoSec Planet
A collection of diverse security content from a curated list of sources. This website also serves as a demo for "worker-planet", the software that powers it.
KrebsOnSecurity Hit With Near-Record 6.3 Tbps DDoS
by BrianKrebs on 20/05/2025
KrebsOnSecurity last week was hit by a near record distributed denial-of-service (DDoS) attack that clocked in at more than 6.3 terabits of data per second (a terabit is one trillion bits of data). The brief attack appears to have been a test run for a massive new Internet of Things (IoT) botnet capable of launching crippling digital assaults that few web destinations can withstand. Read on for mo [...]
See full content
ThinkPad FDE vs Apple Data Protection and WT_ is Opal
on 20/05/2025
See full content
How to Write Shellcode in 3 Minutes!
on 20/05/2025
See full content
Learn Quantum Computing!
on 20/05/2025
See full content
DoorDash Hack
on 20/05/2025
A DoorDash driver stole over $2.5 million over several months:
The driver, Sayee Chaitainya Reddy Devagiri, placed expensive orders from a fraudulent customer account in the DoorDash app. Then, using DoorDash employee credentials, he manually assigned the orders to driver accounts he and the others involved had created. Devagiri would then mark the undelivered orders as complete and prompt DoorDas [...]
See full content
`Curl_socketpair()` fallback vulnerable to man-in-the-middle attack
on 20/05/2025
curl disclosed a bug submitted by jmanojlovich: https://hackerone.com/reports/3148937 [...]
See full content
CREST accreditation reinforces Intigriti’s pentesting excellence
by Eleanor Barlow on 20/05/2025
Intigriti, a global crowdsourced security provider, is delighted to announce that it is now CREST accredited.
Who is CREST?
CREST, a globally recognised not-for-profit authority in cyber security, rigorously assesses organisations against stringent standards for quality, technical proficiency, and operational integrity. This accreditation acknowledges that Intigriti meets CREST… [...]
See full content
Any WARP User Can Access Organization-Specific Application
on 19/05/2025
Cloudflare Public Bug Bounty disclosed a bug submitted by jai-kandepu: https://hackerone.com/reports/2802817 [...]
See full content
golang obfuscated malware goes crazy
on 19/05/2025
See full content
This Browser Hack Scored Me a $20,000 Bug Bounty
on 19/05/2025
See full content
The NSA’s “Fifty Years of Mathematical Cryptanalysis (1937–1987)”
on 19/05/2025
In response to a FOIA request, the NSA released “Fifty Years of Mathematical Cryptanalysis (1937-1987),” by Glenn F. Stahly, with a lot of redactions.
Weirdly, this is the second time the NSA has declassified the document. John Young got a copy in 2019. This one has a few less redactions. And nothing that was provided in 2019 was redacted here.
If you find anything interesting in the d [...]
See full content
SQLi still exists in 2025 feat. Jasmin “JR0ch17” Landry #bugbounty #bugbountytips #bugbountyhunter
on 19/05/2025
See full content
CC5: introduction to bug bounties is on sale now
on 18/05/2025
See full content
Multi tenant architecture
on 18/05/2025
See full content
IDOR Hacking Guide With Practical Examples [FREE FULL 2 HOUR WEBINAR]
on 18/05/2025
See full content
CORS: A complete guide to exploiting advanced CORS misconfiguration vulnerabilities
by blackbird-eu on 18/05/2025
CORS misconfiguration vulnerabilities are a highly underestimated vulnerability class. With an impact ranging from sensitive information disclosure to facilitating SSRF attacks, this client-side security vulnerability should always be part of your security testing.
In this article, we will explore the identification and exploitation of advanced CORS misconfiguration vulnerabili… [...]
See full content
Why one can’t secure erase older Macs
on 17/05/2025
See full content
Using match and replace rules for quickly applying polyglot payloads feat. Jasmin “JR0ch17” Landry #
on 17/05/2025
See full content
Manipulating referer policy when DOM Purify is used feat. Jasmin “JR0ch17” Landry #bugbounty #bugbou
on 17/05/2025
See full content
Friday Squid Blogging: Pet Squid Simulation
on 16/05/2025
From Hackaday.com, this is a neural network simulation of a pet squid.
Autonomous Behavior:
The squid moves autonomously, making decisions based on his current state (hunger, sleepiness, etc.).
Implements a vision cone for food detection, simulating realistic foraging behavior.
Neural network can make decisions and form associations.
Weights are analysed, tweaked and trained by Hebbian learning a [...]
See full content
Meet Bjorn, the Easy to Build Hacking Tool!
on 16/05/2025
See full content
Communications Backdoor in Chinese Power Inverters
on 16/05/2025
This is a weird story:
U.S. energy officials are reassessing the risk posed by Chinese-made devices that play a critical role in renewable energy infrastructure after unexplained communication equipment was found inside some of them, two people familiar with the matter said.
[…]
Over the past nine months, undocumented communication devices, including cellular radios, have also been found in [...]
See full content
Second order injections feat. Jasmin “JR0ch17” Landry #bugbounty #bugbountytips #bugbountyhunter
on 16/05/2025
See full content
Top 3 Beginner Mistakes Every Bounty Hunter Makes
on 15/05/2025
See full content
Breachforums Boss to Pay $700k in Healthcare Breach
by BrianKrebs on 15/05/2025
In what experts are calling a novel legal outcome, the 22-year-old former administrator of the cybercrime community Breachforums will forfeit nearly $700,000 to settle a civil lawsuit from a health insurance company whose customer data was posted for sale on the forum in 2023. Conor Brian Fitzpatrick, a.k.a. “Pompompurin,” is slated for resentencing next month after pleading guilty to [...]
See full content
Shopify Partners Invitation Process Allows Privilege Escalation Without Email Verification
on 15/05/2025
Shopify disclosed a bug submitted by mr_asg: https://hackerone.com/reports/2885269 - Bounty: $3500 [...]
See full content
Bedrock Guardrails Evasion with Prompt Formatting
on 15/05/2025
AWS VDP disclosed a bug submitted by nkirk-nrlabs: https://hackerone.com/reports/3056937 [...]
See full content
Corrupted pointer in node::fs::ReadFileUtf8(const FunctionCallbackInfo<Value>& args) when args[0] is a string.
on 15/05/2025
Node.js disclosed a bug submitted by justinnietzel: https://hackerone.com/reports/3083428 [...]
See full content
How to find out if app is tracking you
on 15/05/2025
See full content
The CVE Foundation Interview
on 15/05/2025
See full content
Easy Weekend Project to Boost Your IT Resume!
on 15/05/2025
See full content
Weak Rate Limiting Controls in the (LOGIN) page Expose System to Brute Force and DoS Attacks
on 15/05/2025
Lichess disclosed a bug submitted by hajjaj-: https://hackerone.com/reports/3085889 [...]
See full content
Open Redirect Vulnerability in OAuth Flow Leading to Potential Phishing Attack
on 15/05/2025
Lichess disclosed a bug submitted by delsec_: https://hackerone.com/reports/3099816 [...]
See full content
AI-Generated Law
on 15/05/2025
On April 14, Dubai’s ruler, Sheikh Mohammed bin Rashid Al Maktoum, announced that the United Arab Emirates would begin using artificial intelligence to help write its laws. A new Regulatory Intelligence Office would use the technology to “regularly suggest updates” to the law and “accelerate the issuance of legislation by up to 70%.” AI would create a “comprehen [...]
See full content
Developer Leaks API Key for Private Tesla, SpaceX LLMs
by Tim Erlin on 15/05/2025
In AI, as with so many advancing technologies, security often lags innovation. The xAI incident, during which a sensitive API key remained exposed for nearly two months, is a stark reminder of this disconnect. Such oversights not only jeopardize proprietary technologies but also highlight systemic vulnerabilities in API management. As more organizations integrate AI into their operations, ensurin [...]
See full content
[Xenoblade Chronicles X: Definitive Edition] Unrestricted RPCs allow DoS and writing arbitrary flags remotely
on 15/05/2025
Nintendo disclosed a bug submitted by roccodev: https://hackerone.com/reports/3062122 [...]
See full content
[Xenoblade Chronicles X: Definitive Edition] Improper validation of names allows injecting formatting tags and bypassing profanity filter
on 15/05/2025
Nintendo disclosed a bug submitted by roccodev: https://hackerone.com/reports/3052880 [...]
See full content
Improper error handling in async cryptographic operations crashes process
on 14/05/2025
Node.js disclosed a bug submitted by tniessen: https://hackerone.com/reports/2817648 [...]
See full content
LIVE: Web Hacking | Pentesting | AppSec | Cybersecurity | TryHackme | AMA
on 14/05/2025
See full content
Upcoming Speaking Engagements
on 14/05/2025
This is a current list of where and when I am scheduled to speak:
I’m speaking (remotely) at the Sektor 3.0 Festival in Warsaw, Poland, May 21-22, 2025.
The list is maintained on this page.
[...]
See full content
Goodbye Samsung T7 Touch, you will be missed
on 14/05/2025
See full content
The mindset for finding highs and crits in bug bounty with JR0ch17
on 14/05/2025
See full content
Patch Tuesday, May 2025 Edition
by BrianKrebs on 14/05/2025
Microsoft on Tuesday released software updates to fix at least 70 vulnerabilities in Windows and related products, including five zero-day flaws that are already seeing active exploitation. Adding to the sense of urgency with this month’s patch batch from Redmond are fixes for two other weaknesses that now have public proof-of-concept exploits available.
Microsoft and several security firms [...]
See full content
Google’s Advanced Protection Now on Android
on 14/05/2025
Google has extended its Advanced Protection features to Android devices. It’s not for everybody, but something to be considered by high-risk users.
Wired article, behind a paywall.
[...]
See full content
The cryptography behind passkeys
on 14/05/2025
This post will examine the cryptography behind passkeys, the guarantees they do or do not give, and interesting cryptographic things you can do with them, such as generating cryptographic keys and storing certificates. [...]
See full content
What's new in Burp Suite Professional: A year of innovation
on 14/05/2025
Over the past year, we’ve been hard at work making Burp Suite Professional faster, smarter, and more powerful than ever before. From the launch of Burp AI to major performance upgrades, there's never [...]
See full content
Introducing assets: a first step to a more centralized approach
by Yannick Merckx on 14/05/2025
We’re pleased to share a significant new change to our platform for companies.
Our goal is to empower our customers with clear, actionable insights into their attack surface. We aim to create a platform where managing your digital footprint is intuitive, collaboration is effective, and understanding impact is straightforward.
Today, we’re taking a big step forward: Introducin… [...]
See full content
Meet Bjorn: The Viking Network Raider!
on 13/05/2025
See full content
What’s New in Android Security and Privacy in 2025
on 13/05/2025
Posted by Dave Kleidermacher, VP Engineering, Android Security and Privacy
Android’s intelligent protections keep you safe from everyday dangers. Our dedication to your security is validated by security experts, who consistently rank top Android devices highest in security, and score Android smartphones, led by the Pixel 9 Pro, as leaders in anti-fraud efficacy.Android is always developing new [...]
See full content
Advanced Protection: Google’s Strongest Security for Mobile Devices
on 13/05/2025
Posted by Il-Sung Lee, Group Product Manager, Android Security
Protecting users who need heightened security has been a long-standing commitment at Google, which is why we have our Advanced Protection Program that provides Google’s strongest protections against targeted attacks.To enhance these existing device defenses, Android 16 extends Advanced Protection with a device-level security setting [...]
See full content
user api key leaked
on 13/05/2025
WakaTime disclosed a bug submitted by atasec: https://hackerone.com/reports/3098717 [...]
See full content
New - In 2022 - XSS Attack Vectors By Garth Heyes
on 13/05/2025
See full content
Court Rules Against NSO Group
on 13/05/2025
The case is over:
A jury has awarded WhatsApp $167 million in punitive damages in a case the company brought against Israel-based NSO Group for exploiting a software vulnerability that hijacked the phones of thousands of users.
I’m sure it’ll be appealed. Everything always is.
[...]
See full content
Netlify Authentication Token Exposed in Public Mozilla CI Logs
on 13/05/2025
Mozilla disclosed a bug submitted by samirsec0x01: https://hackerone.com/reports/2915647 - Bounty: $1500 [...]
See full content
Tales from the cloud trenches: The Attacker doth persist too much, methinks
on 13/05/2025
A cloud attack targeting Amazon SES and persistence via AWS Lambda, AWS IAM Identity Center and AWS IAM [...]
See full content
insecure deserilize object leads to RCE On Sitecore (CVE--27218)
on 12/05/2025
Mars disclosed a bug submitted by reinhardtthe: https://hackerone.com/reports/3090123 [...]
See full content
Users Data Exposure via Insecure Endpoint
on 12/05/2025
Mars disclosed a bug submitted by bughunter0x7: https://hackerone.com/reports/2828608 [...]
See full content
debug.log leaked []
on 12/05/2025
Mars disclosed a bug submitted by imeng: https://hackerone.com/reports/3063026 [...]
See full content
massive PII leakage for
on 12/05/2025
Mars disclosed a bug submitted by thpless: https://hackerone.com/reports/2887506 [...]
See full content
change part of personal information all users
on 12/05/2025
Mars disclosed a bug submitted by bughunter0x7: https://hackerone.com/reports/2828693 [...]
See full content
Status update
on 12/05/2025
See full content
The Ongoing Risks of Hardcoded JWT Keys
by Sergei Okhotin on 12/05/2025
In early May 2025, Cisco released software fixes to address a flaw in its IOS XE Software for Wireless LAN Controllers (WLCs). The vulnerability, tracked as CVE-2025-20188, has a CVSS score of 10.0 and could enable an unauthenticated, remote attacker to upload arbitrary files to a susceptible system – but the real story is that this vulnerability drives home the persistent risks associated with h [...]
See full content
This Tiny Chrome Behavior Leads to an Account Takeover
on 12/05/2025
See full content
The Gremlin Stealer Malware
on 12/05/2025
See full content
Florida Backdoor Bill Fails
on 12/05/2025
A Florida bill requiring encryption backdoors failed to pass.
[...]
See full content
The link between security maturity and bug bounty success
by Eleanor Barlow on 12/05/2025
What defines a security maturity posture?
A security maturity posture refers to an organization’s ability to detect, manage, and mitigate security vulnerabilities and risks. It reflects how well the organization applies programs, processes, and controls to protect its assets and data. Generally, a higher security maturity posture indicates a stronger capability to identify an… [...]
See full content
Team Shellphish AIxCC Interview
on 11/05/2025
See full content
Memory Leak
on 10/05/2025
curl disclosed a bug submitted by antypanty: https://hackerone.com/reports/3137657 [...]
See full content
Artificial Intelligence x Cyber Challenge (DARPA Interview)
on 10/05/2025
See full content
Friday Squid Blogging: Japanese Divers Video Giant Squid
on 09/05/2025
The video is really amazing.
As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered.
[...]
See full content
How APTs Steal Your Secrets
on 09/05/2025
See full content
Race condition on add 1 free domain
on 09/05/2025
Automattic disclosed a bug submitted by root_geek280: https://hackerone.com/reports/2616045 [...]
See full content
How Hackers Steal Passwords
on 09/05/2025
See full content
Enable 2FA without verifying the email
on 09/05/2025
XVIDEOS disclosed a bug submitted by samtime: https://hackerone.com/reports/3016540 [...]
See full content
Free Cybersecurity & IT Training From TCM Security!
on 08/05/2025
See full content
Using AI to stop tech support scams in Chrome
on 08/05/2025
Posted by Jasika Bawa, Andy Lim, and Xinghui Lu, Google Chrome Security
Tech support scams are an increasingly prevalent form of cybercrime, characterized by deceptive tactics aimed at extorting money or gaining unauthorized access to sensitive data. In a tech support scam, the goal of the scammer is to trick you into believing your computer has a serious problem, such as a virus or malware infe [...]
See full content
Ability to access policy and updates for unauthorized program
on 08/05/2025
HackerOne disclosed a bug submitted by light3r: https://hackerone.com/reports/2965723 [...]
See full content
CRLF Injection in `--proxy-header` allows extra HTTP headers (CWE-93)
on 08/05/2025
curl disclosed a bug submitted by oblivionsage: https://hackerone.com/reports/3133379 [...]
See full content
API Threat Trends: How Attackers Are Exploiting Business Logic
by Tim Erlin on 08/05/2025
As businesses rely more on APIs, attackers are quick to turn that trust into opportunity. Among the most dangerous and difficult-to-detect threats are business logic exploits, which let cybercriminals manipulate legitimate functionality to gain unauthorized access, exfiltrate data, or disrupt operations. These attacks often slip past traditional defenses unnoticed, making them a growing concern f [...]
See full content
Unauthorized Account Access via Leaked Credentials in URL Format (Account Takeover )
on 07/05/2025
Khan Academy disclosed a bug submitted by firec4t: https://hackerone.com/reports/3080597 [...]
See full content
Pakistani Firm Shipped Fentanyl Analogs, Scams to US
by BrianKrebs on 07/05/2025
A Texas firm recently charged with conspiring to distribute synthetic opioids in the United States is at the center of a vast network of companies in the U.S. and Pakistan whose employees are accused of using online ads to scam westerners seeking help with trademarks, book writing, mobile app development and logo designs, a new investigation reveals.
In an indictment (PDF) unsealed last month, the [...]
See full content
Path Traversal Vulnerability found on IBM Cloud
on 07/05/2025
IBM disclosed a bug submitted by 0x4bdo: https://hackerone.com/reports/3060373 [...]
See full content
LIVE: Web Hacking | Pentesting | AppSec | Cybersecurity | TryHackme | AMA
on 07/05/2025
See full content
cybersecurity expert gets hacked
on 07/05/2025
See full content
HTML Injection in LinkedIn Premium Support Chat
on 07/05/2025
LinkedIn disclosed a bug submitted by nagu123: https://hackerone.com/reports/3079966 [...]
See full content
RedisRaider: Weaponizing misconfigured Redis to mine cryptocurrency at scale
on 07/05/2025
Learn how RedisRaider is targeting publicly accecesibly Redis servers to mine crypocurrency. [...]
See full content
Hacking My Dog's Microchip With a Flipper Zero!
on 06/05/2025
See full content
BAC Bypass chatbot restrictions via unauthorized mention injection
on 06/05/2025
Dust disclosed a bug submitted by yoyomiski: https://hackerone.com/reports/3112106 [...]
See full content
Blocking EVERYTHING with Windows Firewall
on 06/05/2025
See full content
How I Got an AI Chatbot to Spill Its Secrets Using Just a Prompt
on 05/05/2025
See full content
HTTP/3 Stream Dependency Cycle Exploit
on 04/05/2025
curl disclosed a bug submitted by evilginx: https://hackerone.com/reports/3125832 [...]
See full content
CAPIE - Certified API hacking Expert [FULL 8 HOUR COURSE]
on 03/05/2025
See full content
Boys are a waste of time 🥹🙊
on 03/05/2025
See full content
`/names.nsf` and all `/names*` files route to public API on rubygems.org
on 03/05/2025
RubyGems disclosed a bug submitted by jagat-singh: https://hackerone.com/reports/3097900 [...]
See full content
Open Redirect on https://api.fastly.com/
on 02/05/2025
Fastly VDP disclosed a bug submitted by hasn0x: https://hackerone.com/reports/2265413 [...]
See full content
Learn Next Level OSINT!
on 02/05/2025
See full content
How to Pass the PNPT: From Zero to Hero!
on 02/05/2025
See full content
Middleware Authentication Bypass on IBM Portal
on 02/05/2025
IBM disclosed a bug submitted by muhammadwaseem3: https://hackerone.com/reports/3088290 [...]
See full content
Stored XSS in File Upload Leads to Privilege Escalation and Full Workspace Takeover
on 02/05/2025
Dust disclosed a bug submitted by sjalu: https://hackerone.com/reports/3115705 [...]
See full content
Datasig: Fingerprinting AI/ML datasets to stop data-borne attacks
on 02/05/2025
Datasig generates compact, unique fingerprints for AI/ML datasets that let you compare training data with high accuracy—without needing access to the raw data itself.
This critical capability helps AIBOM (AI bill of materials) tools detect data-borne vulnerabilities that traditional security tools completely miss. [...]
See full content