InfoSec Planet
A collection of diverse security content from a curated list of sources. This website also serves as a demo for "worker-planet", the software that powers it.
Friday Squid Blogging: Squid Washing Up on Cape Cod Beach on 17/07/2026
Lots of articles about this. As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered. Blog moderation policy. [...]
Happy hacking on 17/07/2026
Burp's new Ambassadors: learn from the people who use Burp Suite everyday on 17/07/2026
Growing our Burp Ambassador community Meet our newest Burp Ambassadors Katie Paxton-Fear Malek Mohammad Yogesh Tantak James Lester Looking ahead Interested in getting involved? Growing our Burp Ambass [...]
Details of Alan Turing’s Voice Encryption System on 17/07/2026
Really interesting piece of cryptographic history: In November 2023, a large cache of his wartime papers—nicknamed the “Bayley papers”—was auctioned in London for almost half a million U.S. dollars. The previously unknown cache contains many sheets in Turing’s own handwriting, telling of his top-secret “Delilah” engineering project from 1943 to 1945. Delil [...]
Your Scanners Were Not Thinking About This. on 17/07/2026
Evil Token Marketplace on 16/07/2026
Protecting Privacy in an AI Era on 16/07/2026
Daniel Solove argues in the Wall Street Journal (alternate link) that giving people control of their personal data is not an effective way to regulate privacy in this era. Instead, we need to hold companies accountable for their actions, similar to what we do with food and drug companies. Measures such as rigorous data minimization, fiduciary duties, liability for negligent or reckless technologic [...]
Bug Bounty Is Your Safety Parachute. on 16/07/2026
Payload Podcast 009 - Steven Flores on 16/07/2026
Stored XSS in Rocket.Chat HTML File Export Unauthenticated Entry via LiveChat on 16/07/2026
Rocket.Chat disclosed a bug submitted by olidayw: https://hackerone.com/reports/3779690 [...]
Able to bypass authorization logic and gain more access then intended on 15/07/2026
GitHub disclosed a bug submitted by vaib25vicky: https://hackerone.com/reports/3713965 [...]
Q and A: RATS Q1 - How Do You Develop A Tinkering Mindset on 15/07/2026
Bedrock AgentCore Starter Toolkit Creates Gateway IAM Roles Without Confused Deputy Protections on 15/07/2026
AWS VDP disclosed a bug submitted by mistercloudsec: https://hackerone.com/reports/3632577 [...]
A Video Screen That Is Also a Camera on 15/07/2026
Amazing: Researchers from ETH Zurich in Switzerland, however, managed to create a new type of pixel that can simultaneously do both. This hypercharged pixel, called a Fourier pixel, can generate and sense arbitrary light fields and tap into a pixel’s full potential for carrying information by manipulating light’s intensity, oscillation phases, and polarization. The team reported its fi [...]
Your Weekly Test Is Already Too Late. on 15/07/2026
Q and A: RATS Q2 What Is A Good Web App Hacking Workflow on 14/07/2026
Stored XSS on Trix Editor version latest (2.1.16) - Sanitizer Bypass on 14/07/2026
Basecamp disclosed a bug submitted by newbiefromcoma: https://hackerone.com/reports/3581911 - Bounty: $337 [...]
Microsoft Patches a Record 570 Security Flaws by BrianKrebs on 14/07/2026
Microsoft Corp. today released software updates to plug at least 570 security holes in its Windows operating systems and other software, almost triple the number of vulnerabilities the software giant fixed in its record-smashing Patch Tuesday release last month. Microsoft attributed the burgeoning patch counts to vulnerability discoveries aided by artificial intelligence. Nearly 60 of the bugs qu [...]
bedrock-mantle.api.aws accepts Bedrock API keys outside the IAM Deny, CloudTrail signal, and invocation logging AWS publishes for Bedrock keys on 14/07/2026
AWS VDP disclosed a bug submitted by mistercloudsec: https://hackerone.com/reports/3702072 [...]
Backdoored TortoiseSVN Installer on 14/07/2026
Upcoming Speaking Engagements on 14/07/2026
This is a current list of where and when I am scheduled to speak: I’m speaking (virtually) at the Policy-Relevant Privacy Research Workshop in Calgary, Canada, on Monday, July 20, 2026. I’m speaking at Boston Leadership Exchange in Boston, Massachusetts, USA, on Wednesday, July 22, 2026. I’m speaking at Cognitive Security Conference in Las Vegas, Nevada, USA. The conference runs August 6-7, 2026; [...]
Vulnerability in FIFA’s Network on 14/07/2026
FIFA’s network was vulnerable to anyone with even minimal access. [...]
More Scans Are Not Continuous Security. on 14/07/2026
Is Your Continuous Threat Exposure Management Actually Continuous with Michiel Prins on 14/07/2026
Compromised AsyncAPI npm packages: inside a CI supply-chain attack on 14/07/2026
On July 14, 2026, four npm packages in the @asyncapi namespace, totaling over 3 million weekly downloads, were compromised to deliver credential-stealing malware. We investigate how the attack unfolded and how to know if you're affected. [...]
AI Control Platform vs. AI Firewall vs. AI Gateway: Clearing Up The Terminology by Tim Erlin on 13/07/2026
Editor's note: This article was originally published by Tim Erlin on LinkedIn. It has been republished here with the author's permission. https://www.linkedin.com/pulse/ai-control-platform-vs-firewall-gateway-clearing-up-tim-erlin-ypodc It seems like every security vendor now sells "AI security." The WAF companies, the API gateway companies, the cloud platforms, the proxy startups: all of them [...]
SELECT ... INTO OUTFILE does not enforce the FILE WRITE privilege unprivileged arbitrary file write on the server on 13/07/2026
SingleStore disclosed a bug submitted by bisht-ji: https://hackerone.com/reports/3780695 [...]
Lessons Learned from CISA’s Recent GitHub Leak by BrianKrebs on 13/07/2026
The Cybersecurity and Infrastructure Security Agency (CISA) has issued a postmortem on a recent data leak in which a contractor published dozens of internal CISA credentials — including AWS Govcloud keys — in a public GitHub repository for almost six months before being notified by KrebsOnSecurity. Experts say the gaps identified in the agency’s initial response provide important [...]
This Hacker Made $8,000 Hacking a Major Retailer's AI Chatbot Over DNS (Live Demo!) on 13/07/2026
AI Data Centers and the Concentration of Wealth on 13/07/2026
This essay was written with Nathan E. Sanders, and originally appeared in The Guardian. Opposition to AI data centers has emerged as a primary theme in US politics, one that—surprisingly—doesn’t fall along party lines. We applaud people coming together for constructive debate on any issue, and agree that communities need to evaluate whether any economic benefits these data center [...]
Rust-proof your code with our new Testing Handbook chapter on 13/07/2026
We’ve added a new chapter to our Testing Handbook: a comprehensive guide to security testing Rust programs. This chapter covers the tools and techniques we use at Trail of Bits to validate the security of Rust programs and systems. fn main() {(|f:&dyn Fn(u128)->Box< dyn Iterator<Item= char>+'static>|f(*[&( 0x7B736D70683F73u128<<64| 0x7A6A6D7C3F7A667D),&(0x7B73 [...]
NEW AI Hacking Challenges with Andrew Bellini! on 11/07/2026
Friday Squid Blogging: “Squidbleed” Vulnerability on 10/07/2026
In a rare combined cybersecurity/squid post, a twenty-nine-year-old squid proxy bug can leak HTTP requests. As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered. Blog moderation policy. [...]
Soft Skills for the Job Market: Applying for Jobs on 10/07/2026
The most severe exposure lives in the quiet overlap between tech, people, and process. ♾️ on 10/07/2026
Fake Microsoft Installer on 10/07/2026
AI Surveillance and Social Progress on 10/07/2026
In the near future, AI-powered surveillance systems will be able to track everything we do in public, and much of what we do in private. And if we do something wrong—shoplift, litter, jaywalk, you name it—the system will notice, retain it, tie it to your official government record, communicate that fact to you, and provide real-time alerts to any relevant authorities… and maybe a [...]
See you at Black Hat USA 2026! on 09/07/2026
Kiro IDE Stores Auth Tokens with World-Readable Permissions (0644) on 09/07/2026
AWS VDP disclosed a bug submitted by mistercloudsec: https://hackerone.com/reports/3630605 [...]
The Language of AI Could Change How Humans Speak on 09/07/2026
Because of the way they are trained, large language models capture only a slice of human language. They’re trained on the written word, from textbooks to social media posts, and our speech as captured in movies and on television. These models have minimal access to the unscripted conversations we have face to face or voice to voice. This is the vast majority of speech, and a vital component [...]
Heading to Vegas? Meet PortSwigger at Black Hat, BSides, and DEF CON 34. on 09/07/2026
First hand of the week: Find us at BSides Workshop: Burp But Yours, with Hannah and Tib3rius Center stage: Visit us at Black Hat USA - Booth 5342 Lightning talks at the booth Catch our researchers' br [...]
Not-so-anonymous telemetry: The @injectivelabs/sdk-ts backdoor on 09/07/2026
A malicious commit disguised as SDK telemetry briefly compromised @injectivelabs/sdk-ts, exfiltrating wallet mnemonics and private keys. [...]
LIVE: 1 Million Subscribers | DEF CON/Summer Camp Giveaway on 08/07/2026
TeamPCP Attention on 08/07/2026
Welcome to the best security page ever. on 08/07/2026
Felons, Fraudsters Flog Offensive Cybersecurity Startup by BrianKrebs on 08/07/2026
A cybersecurity startup dangling millions of dollars to acquire zero-day security vulnerabilities in popular software is run by a pair of far-right conspiracy theorists and convicted felons whose most recent ventures included fake intelligence companies and a now-defunct AI-based lobbying platform they operated under assumed names. The X/Twitter account IRIS C2 (@C2IRIS) has gained more than 4,000 [...]
Mutation testing comes to DAML on 08/07/2026
In April we released Mewt, our open-source mutation-testing engine that finds the gaps in your test suite. Today we’re expanding it with support for DAML, the language Canton Network applications are written in. Mewt now reads DAML, generates several classes of mutants (including two built for DAML’s authorization primitives), and runs them through your existing test suite to count how many [...]
Coordinated GitHub API enumeration and access token abuse on 08/07/2026
Datadog Security Research has tracked multiple coordinated campaigns enumerating GitHub organizations, repositories, and users through the public GitHub API, abusing leaked access tokens, and cloning private repositories. [...]
OS Command Injection in `aws-cdk-lib` NodejsFunction via Unsanitized `OsCommand` Helper (Supply Chain RCE) on 06/07/2026
AWS VDP disclosed a bug submitted by kaporia: https://hackerone.com/reports/3637898 [...]
Stop what you're doing on 06/07/2026
Open Source Malware on 06/07/2026
I Made an AI Agent That Reverses CVEs While I Sleep on 06/07/2026
THE MOD WORKS! lets improve it on 06/07/2026
Entra Agent ID: Protect, detect, respond on 06/07/2026
This post continues and concludes our series on Agent ID, by outlining steps that an administrator or security team can take to secure blueprints and agent identities created in their local Entra ID tenant. [...]
the vibe continues on 05/07/2026
Any installed app can force immediate logout and persistent DOS of authenticated Basecamp sessions via unprotected exported StartActivity on 04/07/2026
Basecamp disclosed a bug submitted by zerodaysec_xyz: https://hackerone.com/reports/3764217 - Bounty: $287 [...]
let's vibe on 04/07/2026
admin.shopify.com: Shopify Flow continues sending internal emails to a configured recipient after the staff author is removed on 03/07/2026
Shopify disclosed a bug submitted by abahack: https://hackerone.com/reports/3628961 [...]
Are your employees using AI? on 03/07/2026
FBI Seizes NetNut Proxy Platform, Popa Botnet by BrianKrebs on 02/07/2026
The Federal Bureau of Investigation (FBI) said today it worked with industry partners to seize hundreds of domains associated with NetNut, a sprawling residential proxy service operated by the publicly-traded Israeli company Alarum Technologies [NASDAQ: ALAR]. The action comes roughly two weeks after KrebsOnSecurity published findings from multiple security firms connecting NetNut to the Popa botn [...]
Non-Production API Endpoints for the Amazon S3 Tables Service Fails to Log to CloudTrail Resulting in Silent Permission Enumeration on 02/07/2026
AWS VDP disclosed a bug submitted by nick_frichette_dd: https://hackerone.com/reports/3780277 [...]
We get this question a lot on 02/07/2026
jitsi-meet: Prosody/Jigasi missing header whitelist in mod_filter_iq_rayo allows arbitrary SIP header injection and Caller ID spoofing on 02/07/2026
8x8 disclosed a bug submitted by pmgjoe: https://hackerone.com/reports/3789570 - Bounty: $100 [...]
jitsi-call-analytics: Unauthenticated arbitrary file write via path traversal in `/api/v1/uploads/analyze` on 02/07/2026
8x8 disclosed a bug submitted by r1skr1der: https://hackerone.com/reports/3485343 - Bounty: $100 [...]
Yelp for Business: locked Email field silently editable via API on 02/07/2026
Yelp disclosed a bug submitted by 0xmanticore: https://hackerone.com/reports/3766455 [...]
Celebrating 1 Million Subscribers on July 8th! on 02/07/2026
GPT-5.5-Cyber built a zlib fuzzing lab in a day on 02/07/2026
We’re running Patch the Planet, an ongoing collaboration with OpenAI that pairs Trail of Bits engineers directly with more than 30 open-source projects. Its goal is to front-run a serious problem facing open-source maintainers: highly capable models like GPT-5.5-Cyber will soon create a firehose of bug reports, and OSS maintainers are already spread thin. Our plan is to point OpenAI’s latest model [...]
Splatoon 3 In-Match Integrity Bypass via Consensus Reflection Attack on Unordered Peer Submission on 02/07/2026
Nintendo disclosed a bug submitted by hana2736: https://hackerone.com/reports/3559522 [...]
[Splatoon 3] Kick other players with NplnLogin message on 02/07/2026
Nintendo disclosed a bug submitted by alzxk11: https://hackerone.com/reports/3813932 [...]
Exceeding the maximum number of spaces allowed by exploiting a Race Condition in the Workspace creation process on 01/07/2026
SingleStore disclosed a bug submitted by bl4ck-: https://hackerone.com/reports/3295500 [...]
Insecure Direct Object Reference (IDOR) allows creating folders. on 01/07/2026
SingleStore disclosed a bug submitted by bl4ck-: https://hackerone.com/reports/3353057 [...]
Delete any folder for any user within the organization on 01/07/2026
SingleStore disclosed a bug submitted by bl4ck-: https://hackerone.com/reports/3353035 [...]
Privilege Escalation Access to the Alert Subscribers page for users with low privileges on 01/07/2026
SingleStore disclosed a bug submitted by bl4ck-: https://hackerone.com/reports/3353000 [...]
Improper Input Validation HTTP Response Parser Unconditionally Accepts Bare CR in Status Line on 01/07/2026
Node.js disclosed a bug submitted by saif-01: https://hackerone.com/reports/3648681 [...]
Beyond Usernames on 01/07/2026
Backdoors & Breaches: New scenarios and adaptations on 01/07/2026
Sharing new scenarios and adaptations to play the Datadog expansion pack of Backdoors & Breaches. [...]
Beyond CTF Labs on 30/06/2026
heap-use-after-free in curl_easy_cleanup() called from callback on 30/06/2026
curl disclosed a bug submitted by carehi1324: https://hackerone.com/reports/3833577 [...]
setopt(VERIFYPEER) from callback bypasses TLS verify on connection reuse on 30/06/2026
curl disclosed a bug submitted by a6b30108: https://hackerone.com/reports/3831432 [...]
Shipping post-quantum cryptography to Python on 30/06/2026
Post-quantum cryptography is now one pip-install away for the entire Python ecosystem. With funding from the Sovereign Tech Agency, we implemented support for ML-KEM, the NIST-standard key-establishment primitive, and ML-DSA, the NIST-standard digital-signature primitive, in pyca/cryptography. On June 22, 2026, the White House ordered the U.S. government to accelerate its transition to post-quantu [...]
ssh_config_matches is dead code: unauthorized SSH key reuse on 30/06/2026
curl disclosed a bug submitted by bigtang: https://hackerone.com/reports/3826843 [...]
CURLSHOPT_UNSHARE race can cause UAF in shared SSL session cache during HTTPS transfer on 30/06/2026
curl disclosed a bug submitted by smaeljaish771: https://hackerone.com/reports/3831345 [...]
libcurl upload read callbacks miss recursive API guard, allowing prohibited multi API reentry and ASAN-confirmed UAF on 30/06/2026
curl disclosed a bug submitted by th3hound: https://hackerone.com/reports/3832393 [...]
Denial of Service (DoS) Vulnerability in Drafts Creation Endpoint on 30/06/2026
Discourse disclosed a bug submitted by dpaysm: https://hackerone.com/reports/3400140 - Bounty: $1024 [...]
Annual testing starts to look a little dusty when... on 29/06/2026
Inverted ternary in peerlist_manager::filter() allows unlimited whitelist entries per host via different ports on 29/06/2026
Monero disclosed a bug submitted by kklam32: https://hackerone.com/reports/3547349 [...]
Remote node DOS on 29/06/2026
Monero disclosed a bug submitted by xnbya: https://hackerone.com/reports/876530 [...]
ConsentFix Exposed on 29/06/2026
Inside H1-813 Live Hacking Event with Salesforce in Tokyo on 29/06/2026
Reconnaissance for exposure management: why context matters in the AI era by Radu Voloaga on 29/06/2026
Over the last few weeks, we’ve explored what AI is changing in security: discovery is faster (Vulnpocalypse now?), volume is higher (Common AI misconceptions debugged!), and the human layer triage (The AI Impact), judgment, and prioritization has become more important, not less (CEO Insights). But there’s a deeper implication hiding underneath all of that: most security teams still only learn from [...]
UAF read in mev_pollset_diff() trace path after curl_easy_pause() in socket callback on 28/06/2026
curl disclosed a bug submitted by homanp: https://hackerone.com/reports/3824303 [...]
Use-after-free in `mev_forget_socket` when `curl_easy_pause()` is called from a `CURL_POLL_REMOVE` socket callback (incomplete fix of CVE-2026-9080) on 28/06/2026
curl disclosed a bug submitted by stze: https://hackerone.com/reports/3823985 [...]
How to pentest - 101 [CNWPP] deliverables + basic network hacking on 27/06/2026
Exploiting insecure cookie policies by Aurélien on 27/06/2026
Cookies are one of the most fundamental building blocks of the modern web, and yet they are often overlooked from a security perspective. When misconfigured, they can potentially lead to exposure of sensitive session data, enable several client-side attacks, and in severe cases, even allow attackers to impersonate users completely. In this article, we'll explore what cookies are, how they work and [...]
Security debt has a nasty interest rate. on 26/06/2026
Facebook Phishing Fails on 26/06/2026
Real Folks of Cyber | Pearce Barry | Day in the Life on 26/06/2026
mbedTLS / wolfSSL / rustls backends silently skip hostname verification when CURLOPT_SSL_VERIFYPEER=0 on 26/06/2026
curl disclosed a bug submitted by b1gtang: https://hackerone.com/reports/3826199 [...]
CURLOPT_HAPROXY_CLIENT_IP lacks input validation, enabling HAProxy PROXY protocol injection on 26/06/2026
curl disclosed a bug submitted by tneelc: https://hackerone.com/reports/3823932 [...]