InfoSec Planet

A collection of diverse security content from a curated list of sources. This website also serves as a demo for "worker-planet", the software that powers it.

This Windows File Steals Passwords

on 24/04/2024

Dan Solove on Privacy Regulation

on 24/04/2024

Law professor Dan Solove has a new article on privacy regulation. In his email to me, he writes: “I’ve been pondering privacy consent for more than a decade, and I think I finally made a breakthrough with this article.” His mini-abstract: In this Article I argue that most of the time, privacy consent is fictitious. Instead of futile efforts to try to turn privacy consent from fiction t [...]

Nation-State Threat Actors Renew Publications to npm

by Phylum Research Team on 24/04/2024

Back in November of 2023, we published a blog post highlighting the technical details of a sophisticated attack in npm attributed to North Korea. We subsequently published a follow-up in January of 2024 detailing the history of the attack and highlighting the broader context of North Korean APTs operating in open-source ecosystems. Since then, it’s been relatively quiet—until today. [...]

3 Ways to Avoid Burnout

on 23/04/2024

Human-Powered Security: The Value of Ethical Hackers & Bug Bounty

by HackerOne on 23/04/2024

Who is an ethical hacker, what is a bug bounty program, and why is human-powered security the best method for strengthening your security posture? [...]

RXSS in hidden parameter

on 23/04/2024

IBM disclosed a bug submitted by hassan_sheet: https://hackerone.com/reports/2090964 [...]

Hackers Use Github For Malware

on 23/04/2024

Jira Credential Disclosure within Mozilla Slack

on 23/04/2024

Mozilla disclosed a bug submitted by griffinf: https://hackerone.com/reports/2467999 [...]

Microsoft and Security Incentives

on 23/04/2024

Former senior White House cyber policy director A. J. Grotto talks about the economic incentives for companies to improve their security—in particular, Microsoft: Grotto told us Microsoft had to be “dragged kicking and screaming” to provide logging capabilities to the government by default, and given the fact the mega-corp banked around $20 billion in revenue from security servic [...]

HTTP Multiline headers #bugbounty #bugbountytips #bugbountyhunter

on 23/04/2024

Russian FSB Counterintelligence Chief Gets 9 Years in Cybercrime Bribery Scheme

by BrianKrebs on 22/04/2024

The head of counterintelligence for a division of the Russian Federal Security Service (FSB) was sentenced last week to nine years in a penal colony for accepting a USD $1.7 million bribe to ignore the activities of a prolific Russian cybercrime group that hacked thousands of e-commerce websites. The protection scheme was exposed in 2022 when Russian authorities arrested six members of the group, [...]

CVE-2024-2398: HTTP/2 push headers memory-leak

on 22/04/2024

Internet Bug Bounty disclosed a bug submitted by w0x42: https://hackerone.com/reports/2442613 - Bounty: $2580 [...]

Denial of Service caused by HTTP/2 CONTINUATION Flood

on 22/04/2024

Internet Bug Bounty disclosed a bug submitted by bart: https://hackerone.com/reports/2334401 - Bounty: $4860 [...]

Capital One Teams Up With Top-Tier Ethical Hackers at H1-305

by HackerOne on 22/04/2024

Capital One and 52 highly skilled global ethical hackers came together for the organization's second live hacking event with HackerOne. [...]

How transport and logistics businesses can strengthen their cyber defenses

by Georgie Walsh on 22/04/2024

The transport and logistics (T&L) industry is a crucial player in today’s interconnected world, enabling the seamless movement of goods across long distances with exceptional efficiency. However, this very efficiency has also made the industry a prime target for cyber attacks. As T&L companies rely increasingly on digital technologies to optimize operations, they become v [...]

Hack Active Directory with LLMNR

on 22/04/2024

Adobe Experience Manager 'Childlist selector' - Cross-Site Scripting on cbconnection-stage.adobe.com

on 22/04/2024

Adobe disclosed a bug submitted by renzi: https://hackerone.com/reports/1842800 [...]

Turning a $500 bounty into $30,000+

on 22/04/2024

Using Legitimate GitHub URLs for Malware

on 22/04/2024

Interesting social-engineering attack vector: McAfee released a report on a new LUA malware loader distributed through what appeared to be a legitimate Microsoft GitHub repository for the “C++ Library Manager for Windows, Linux, and MacOS,” known as vcpkg. The attacker is exploiting a property of GitHub: comments to a particular repo can contain files, and those files will be associate [...]

Finding WEIRD Devices on the Public Internet

on 22/04/2024

Wallarm’s Open Source API Firewall debuts at Blackhat Asia 2024 – Introduces Key New Features & Functionalities

by wlrmblog on 22/04/2024

Wallarm introduced its ongoing Open Source API Firewall project to the world at the recently concluded Blackhat Asia 2024 conference in Singapore. The open-source API Firewall by Wallarm is a free, lightweight API Firewall designed to protect REST and GraphQL API endpoints across cloud-native environments using API schema validation. By relying on a positive security model, our API Firewall only a [...]

Browser-powered desync #bugbounty #bugbountytips #bugbountyhunter

on 22/04/2024

Cleartext Transmission of password via Email

on 22/04/2024

Sheer disclosed a bug submitted by tuannq_gg: https://hackerone.com/reports/2337938 - Bounty: $200 [...]

Docker Secret Disclosure via GitHub Actions Cache Poisoning

on 20/04/2024

Hyperledger disclosed a bug submitted by adnanthekhan: https://hackerone.com/reports/2410111 - Bounty: $2000 [...]

Trailer - HTTP feature you did not know about #bugbounty #bugbountytips #bugbountyhunter

on 20/04/2024

Friday Squid Blogging: Squid Trackers

on 19/04/2024

A new bioadhesive makes it easier to attach trackers to squid. Note: the article does not discuss squid privacy rights. As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered. Read my blog posting guidelines here. [...]

Start Hacking for FREE

on 19/04/2024

Login page password-guessing attack

on 19/04/2024

Revive Adserver disclosed a bug submitted by karan: https://hackerone.com/reports/96115 [...]

Government Unveils Malware Analysis Tool, But...

on 19/04/2024

Node.js’ strange behaviour leads to request smuggling #bugbounty #bugbountytips #bugbountyhunter

on 19/04/2024

How Golden Ticket Attacks Work

on 18/04/2024

Code Reviews, Small Moments, Big Impacts

by Rafael de Carvalho on 18/04/2024

Rafael de Carvalho shares tips for code reviews, how to optimize delivery, and providing effective feedback. [...]

AI Interaction Hacks: Tips and Tricks for Crafting Effective Prompts

by Zahra Putri Fitrianti on 18/04/2024

AI prompting is more of an art than a science. Zahra Putri Fitrianti shares tips and tricks for creating effective prompts. [...]

FAQ: Everything Hackers Need to Know About the 2024 Ambassador World Cup

by Ariel Garcia on 18/04/2024

Answer all your questions about how to get involved in HackerOne's Ambassador World Cup! [...]

Getting Started on Personal Development

by Rafael de Carvalho on 18/04/2024

Have you ever found yourself feeling stuck? Rafael de Carvalho shares critical steps toward moving in the right direction. [...]

Prevent Generative AI Data Leaks with Chrome Enterprise DLP

on 18/04/2024

Posted by Kaleigh Rosenblat, Chrome Enterprise Senior Staff Software Engineer, Security Lead. Generative AI has emerged as a powerful and popular tool to automate content creation and simple tasks. From customized content creation to source code generation, it can increase both our productivity and creative potential. Businesses want to leverage the power of LLMs, like Gemini, but many may have s [...]

Request smuggling - do more than running tools! HTTP Request smuggling bug bounty case study

on 18/04/2024

Introducing DAST scanning in the Cloud, with Burp Suite Enterprise Edition

on 18/04/2024

We’re excited to announce that Burp Suite Enterprise Edition is now available in PortSwigger’s secure cloud. You can now free up testing time with scalable, automated DAST scanning, without the burden [...]

Bypassing SmartScreen on Web Browsers

on 18/04/2024

Other Attempts to Take Over Open Source Projects

on 18/04/2024

After the XZ Utils discovery, people have been examining other open-source projects. Surprising no one, the incident is not unique: The OpenJS Foundation Cross Project Council received a suspicious series of emails with similar messages, bearing different names and overlapping GitHub-associated emails. These emails implored OpenJS to take action to update one of its popular JavaScript projects to [...]

Hacking Active Directory | AD | Pentesting | Live

on 17/04/2024

4 bug bounty mistakes and how to avoid them

by travisintigriti on 17/04/2024

Getting into bug bounties is no easy task, we know. There’s so much to consider and your path to becoming a bug bounty hunter can vary in so many ways. Bug bounty hunting can be fraught with challenges, and even the most skilled individuals can fall victim to common mistakes. 1. Striking the wrong balance: […] The post 4 bug bounty mistakes and how to avoid them appeared first on Intig [...]

Introducing read-only user roles

by Intigriti on 17/04/2024

We’re excited to introduce the new read-only user roles to our platform, available under the roles “Program reader” and “Group reader”. This update is part of our commitment to enhance your experience and improve your productivity by offering more control over user access levels. Let’s get started! Why introduce read-only user roles? The read-only user […] The p [...]

Using AI-Generated Legislative Amendments as a Delaying Technique

on 17/04/2024

Canadian legislators proposed 19,600 amendments—almost certainly AI-generated—to a bill in an attempt to delay its adoption. I wrote about many different legislative delaying tactics in A Hacker’s Mind, but this is a new one. [...]

Stored XSS in messages

on 17/04/2024

SideFX disclosed a bug submitted by itriedallthenamess: https://hackerone.com/reports/1669764 - Bounty: $500 [...]

Enterprise Strategy Group Report: The Growing Complexity of Securing the Software Supply Chain

by Mikala Vidal on 16/04/2024

Tech Target’s Enterprise Strategy Group (ESG) recently published a report called “The Growing Complexity of Securing the Software Supply Chain,” based on survey results from 368 security professionals in North America, specifically in the developer sector. The survey results validate that open-source software usage is growing, along with a rise in security incidents. It provide [...]

Should You Learn Programming for Cybersecurity?

on 16/04/2024

Pre-Pentest Checklist Part 2: Essential Questions to Answer Before Your Next Pentest

by Piyush Verma on 16/04/2024

Part 2 of our pre-pentest checklist answers 9 questions about the "when," "who," and "how" of pentest preparation. [...]

Telegram Has Been Hacked

on 16/04/2024

Who Stole 3.6M Tax Records from South Carolina?

by BrianKrebs on 16/04/2024

For nearly a dozen years, residents of South Carolina have been kept in the dark by state and federal investigators over who was responsible for hacking into the state’s revenue department in 2012 and stealing tax and bank account information for 3.6 million people. The answer may no longer be a mystery: KrebsOnSecurity found compelling clues suggesting the intrusion was carried out by the [...]

X.com Automatically Changing Link Text but Not URLs

on 16/04/2024

Brian Krebs reported that X (formerly known as Twitter) started automatically changing twitter.com links to x.com links. The problem is: (1) it changed any domain name that ended with “twitter.com,” and (2) it only changed the link’s appearance (anchortext), not the underlying URL. So if you were a clever phisher and registered fedetwitter.com, people would see the link as fedex. [...]

Incorrect logic when buying one more license may extend the expiry date of an existing license

on 16/04/2024

PortSwigger Web Security disclosed a bug submitted by john_cai11111111: https://hackerone.com/reports/2461737 [...]

Start Your Cybersecurity Career with TryHackMe

on 15/04/2024

Self XSS in Tag name pattern field /<username>/<reponame>/settings/tag_protection/new

on 15/04/2024

GitHub disclosed a bug submitted by sudi: https://hackerone.com/reports/2246576 - Bounty: $7500 [...]

Q1 2024 Evolution of Software Supply Chain Security Report

by Phylum Research Team on 15/04/2024

Open source makes up a considerable part of modern-day software projects. CVEs abound for open-source libraries and software packages; however, according to Kenna Security, only 2-5% of these CVEs are ever exploited in the wild. By contrast, 82% of the malicious packages identified by Phylum never receive a CVE or end up in any known vulnerability database. Without a robust solution for monitoring [...]

Making Sense of the Sisense News

by Blake Entrekin on 15/04/2024

CISA issued a warning to CISOs that it was investigating a breach of Sisense. Let's make sense of this breach and what it means for organizations. [...]

What do you think makes the best hackers? I think passion & creativity are key! What do you think?

on 15/04/2024

How to Pick a Company to Hack On

on 15/04/2024

Crickets from Chirp Systems in Smart Lock Key Leak

by BrianKrebs on 15/04/2024

The U.S. government is warning that “smart locks” securing entry to an estimated 50,000 dwellings nationwide contain hard-coded credentials that can be used to remotely open any of the locks. The lock’s maker Chirp Systems remains unresponsive, even though it was first notified about the critical weakness in March 2021. Meanwhile, Chirp’s parent company, RealPage, Inc., is [...]

5 reasons to strive for better disclosure processes

by Trail of Bits on 15/04/2024

By Max Ammann. This blog showcases five examples of real-world vulnerabilities that we’ve disclosed in the past year (but have not publicly disclosed before). We also share the frustrations we faced in disclosing them to illustrate the need for effective disclosure processes. Here are the five bugs: undefined behavior in the borsh-rs Rust library; denial-of-service (DoS) vector in Rust libraries fo [...]

New Lattice Cryptanalytic Technique

on 15/04/2024

A new paper presents a polynomial-time quantum algorithm for solving certain hard lattice problems. This could be a big deal for post-quantum cryptographic algorithms, since many of them base their security on hard lattice problems. A few things to note. One, this paper has not yet been peer reviewed. As this comment points out: “We had already some cases where efficient quantum algorithms f [...]

Upcoming Speaking Engagements

on 14/04/2024

This is a current list of where and when I am scheduled to speak: I’m speaking twice at RSA Conference 2024 in San Francisco. I’ll be on a panel on software liability on May 6, 2024 at 8:30 AM, and I’m giving a keynote on AI and democracy on May 7, 2024 at 2:25 PM. The list is maintained on this page. [...]

How to track and stop CVE-2024-3400: Palo Alto Networks API Exploit Causing Critical Infrastructure and Enterprise Epidemics

by wlrmblog on 13/04/2024

On Friday April 12, Palo Alto disclosed that some versions of PAN-OS are not only vulnerable to remote code execution, but that the vulnerability has been actively exploited to install backdoors on Palo Alto firewalls. A patch is expected to be available on April 14th. The advisory from Palo Alto is here. The CISA advisory is here. Palo Alto has marked this vulnerability as critical and NVD has sc [...]

Friday Squid Blogging: The Awfulness of Squid Fishing Boats

on 12/04/2024

It’s a pretty awful story. As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered. Read my blog posting guidelines here. [...]

HackerOne Company Values Matter: Default to Disclosure

by Debbie Cotton on 12/04/2024

Bug bounty ROI: Can investing in crowdsourced security help mitigate costly security breaches? 

by Intigriti on 12/04/2024

Factoring in whether to allocate resources for a bug bounty program in your annual cybersecurity budget can be a challenging decision. In comparison to alternative strategies, bug bounty programs offer a proactive approach to bolstering digital defenses. However, assessing the true return on investment (ROI) of such programs requires a thorough examination of their benefits […] The post Bug [...]

Why CISA is Warning CISOs About a Breach at Sisense

by BrianKrebs on 11/04/2024

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) said today it is investigating a breach at business intelligence company Sisense, whose products are designed to allow companies to view the status of multiple third-party online services in a single dashboard. CISA urged all Sisense customers to reset any credentials and secrets that may have been shared with the company, which is t [...]

Why You Need to Know Active Directory

on 11/04/2024

How a Race Condition Vulnerability Could Cast Multiple Votes

by Dane Sherrets on 11/04/2024

Hacker and Senior Solutions Architect Dane Sherrets tells the story of how a race condition vulnerability could cast multiple votes. [...]

Rust crate shipping xz backdoor

by Phylum Research Team on 11/04/2024

By now, news of the malicious backdoor in the XZ Utils compression library has been widely circulated. Though the potential damage appears to have been largely mitigated by the heroic work of a single engineer, aftershocks of this attack remain. Today’s brief offering concerns one such that Phylum found in the Rust ecosystem, the quick action taken by the Rust crate maintainer, and what dan [...]

I Hacked The Cloud: Azure Managed Identities

on 11/04/2024

#1 XSS on watchdocs.indriverapp.com

on 11/04/2024

inDrive disclosed a bug submitted by maxdha: https://hackerone.com/reports/2014955 - Bounty: $100 [...]

#2 XSS on watchdocs.indriverapp.com

on 11/04/2024

inDrive disclosed a bug submitted by maxdha: https://hackerone.com/reports/2015074 - Bounty: $100 [...]

#3 XSS on watchdocs.indriverapp.com

on 11/04/2024

inDrive disclosed a bug submitted by maxdha: https://hackerone.com/reports/2028265 - Bounty: $234 [...]

Unprotected Atlantis Server at https://152.70..

on 11/04/2024

8x8 disclosed a bug submitted by fo00x: https://hackerone.com/reports/2223041 [...]

LIVE Blue Team with MalwareCube | SOC | Malware | AMA

on 10/04/2024

Twitter’s Clumsy Pivot to X.com Is a Gift to Phishers

by BrianKrebs on 10/04/2024

On April 9, Twitter/X began automatically modifying links that mention “twitter.com” to read “x.com” instead. But over the past 48 hours, dozens of new domain names have been registered that demonstrate how this change could be used to craft convincing phishing links — such as fedetwitter[.]com, which until very recently rendered as fedex.com in tweets. The message di [...]

HackerOne Celebrates Global Work from Home Day

by Marina Briones on 10/04/2024

April’s Patch Tuesday Brings Record Number of Fixes

by BrianKrebs on 09/04/2024

If only Patch Tuesdays came around infrequently — like total solar eclipse rare — instead of just creeping up on us each month like The Man in the Moon. Although to be fair, it would be tough for Microsoft to eclipse the number of vulnerabilities fixed in this month’s patch batch — a record 147 flaws in Windows and related software. Yes, you read that right. Microsoft toda [...]

What We Love About HackerOne

on 09/04/2024

Why HackerOne Embraces a Digital First Work Model

on 09/04/2024

HackerOne Company Values: What is our favorite value?

on 09/04/2024

Common Job Application Mistakes and How to Fix Them

on 09/04/2024

Decoding the Characteristics of Modern Pentesting: Value

by Naz Bozdemir on 09/04/2024

Let's explore the "Value" factor of different pentesting methodologies and see how each one measures up. [...]

HackerOne Company Values Matter: Lead with Integrity

by Debbie Cotton on 09/04/2024

Digital Detritus: Unintended Consequences of Open Source Sustainability Platforms

by Phylum Research Team on 09/04/2024

Perverse incentives - a situation made worse by incentivizing the wrong behavior. Real-world examples abound, like the Cobra effect or the Great Hanoi Rat Massacre, and now it has come to open source software. Right now, open source repositories are being polluted with thousands of dubious packages published by opportunistic actors exploiting a protocol having the noble intent of compensating open [...]

Scraping Dark Web Sites with Python

on 09/04/2024

"Assertion failed" in node::http2::Http2Session::~Http2Session() leads to HTTP/2 server crash

on 08/04/2024

Node.js disclosed a bug submitted by bart: https://hackerone.com/reports/2319584 [...]

HackerOne’s Digital First Workplace

by Debbie Cotton on 08/04/2024

How we built the new Find My Device network with user security and privacy in mind

on 08/04/2024

Posted by Dave Kleidermacher, VP Engineering, Android Security and Privacy. Keeping people safe and their data secure and private is a top priority for Android. That is why we took our time when designing the new Find My Device, which uses a crowdsourced device-locating network to help you find your lost or misplaced devices and belongings quickly – even when they’re offline. We gave careful co [...]

$20,000. OAUTH Bounty with Nagli!

on 08/04/2024

Top 3 API Leaks Identified by Cybersecurity & InfoSec Experts

by wlrmblog on 08/04/2024

APIs (Application Programming Interfaces) have proliferated widely, which increases their susceptibility to various vulnerabilities. In the realm of web applications, prime examples that stand out are SOAP (Simple Object Access Protocol) and Representational State Transfer (REST) APIs. Due to their inherent complexity and the dynamic nature of software ecosystems, common vulnerabilities include in [...]

The Truth About Bug Bounties

on 08/04/2024

Business Logic Vulnerabilities - Lab #8 Insufficient workflow validation | Short Version

on 08/04/2024

Business Logic Vulnerabilities - Lab #8 Insufficient workflow validation | Long Version

on 08/04/2024

How to Keep Up with Cybersecurity News

on 05/04/2024

Intent Leads To Unauthorised Video Call Initiation Leaking Surrounding Information Of Victim

on 05/04/2024

Snapchat disclosed a bug submitted by hulkvision_: https://hackerone.com/reports/2139260 [...]

The Importance of Credential Rotations: Best Practices for Security and Data Protection

by Martzen Haagsma on 05/04/2024

Learn the importance of credential rotations and best practices for managing them effectively from HackerOne's experts. [...]

How Hackers Can Hide PowerShell in Environment Variables

on 05/04/2024

Reflected XSS on Pangle Endpoint

on 05/04/2024

TikTok disclosed a bug submitted by m7x: https://hackerone.com/reports/2352968 - Bounty: $5000 [...]

Sources

The content of this page is fetched from the following sources:

  1. Trail of Bits Blog
  2. Phylum
  3. Schneier on Security
  4. Krebs on Security
  5. Google Online Security Blog
  6. $BLOG_TITLE
  7. Agarri : Sécurité informatique offensive
  8. Alex Chapman's Blog
  9. www.alphabot.com
  10. Victoria Drake's Blog
  11. Brett Buerhaus
  12. Bug Bounty Reports Explained
  13. Bugcrowd
  14. cat ~/footstep.ninja/blog.txt
  15. Daniel Miessler
  16. EdOverflow
  17. Ezequiel Pereira
  18. HackerOne
  19. HackerOne
  20. hakluke
  21. Home
  22. InsiderPhD
  23. Intigriti
  24. John Hammond
  25. LiveOverflow
  26. NahamSec
  27. PortSwigger Blog
  28. Rana Khalil
  29. Richard’s Infosec blog
  30. Ron Chan
  31. ropnop blog
  32. STÖK
  33. Sun Knudsen
  34. The Cyber Mentor
  35. The unofficial HackerOne disclosure timeline
  36. The XSS rat
  37. TomNomNom
  38. Wallarm