InfoSec Planet

A collection of diverse security content from a curated list of sources. This website also serves as a demo for "worker-planet", the software that powers it.

Minor security issue with Hackerone Invitations from sandbox program

on 22/07/2024

HackerOne disclosed a bug submitted by iam_srpk: https://hackerone.com/reports/2430179 [...]

The Best and Worst of Hack The Box

on 22/07/2024

Who Hacked Who? PsExec Forensic Artifacts

on 22/07/2024

This is The Fastest Hacking & Recon Tool

on 22/07/2024

Snake Mimics a Spider

on 22/07/2024

This is a fantastic video. It’s an Iranian spider-tailed horned viper (Pseudocerastes urarachnoides). Its tail looks like a spider, which the snake uses to fool passing birds looking for a meal. [...]

Arbitrary code execution in TSEC Heavy Secure, return-oriented programming in TSEC Secure ROM, and recovery of TSEC-derived cryptographic secrets

on 22/07/2024

Nintendo disclosed a bug submitted by lnchan: https://hackerone.com/reports/924418 [...]

Exploitable live argument in onClick Function leads to Data Leakage of Inactive/Suspended Products

on 19/07/2024

TikTok disclosed a bug submitted by 696e746c6f6c: https://hackerone.com/reports/2295958 - Bounty: $1000 [...]

Friday Squid Blogging: Peru Trying to Protect its Squid Fisheries

on 19/07/2024

Peru is trying to protect its territorial waters from Chinese squid-fishing boats. Blog moderation policy. [...]

CrowdStrike Outage Recovery with BitLocker

on 19/07/2024

Brett Solomon on Digital Rights

on 19/07/2024

Brett Solomon is retiring from AccessNow after fifteen years as its Executive Director. He’s written a blog post about what he’s learned and what comes next. [...]

Exploit Failed. Now What?

on 19/07/2024

Authentication Bypass on https:///

on 19/07/2024

U.S. Dept Of Defense disclosed a bug submitted by bulldawg: https://hackerone.com/reports/2414707 [...]

IDOR leads to PII Leak

on 19/07/2024

U.S. Dept Of Defense disclosed a bug submitted by prakhar0x01: https://hackerone.com/reports/2586584 [...]

IDOR leads to viewing other users' biographical details (possible PII leak)

on 19/07/2024

U.S. Dept Of Defense disclosed a bug submitted by prakhar0x01: https://hackerone.com/reports/2586641 [...]

IDOR: Modify other users' demographic details

on 19/07/2024

U.S. Dept Of Defense disclosed a bug submitted by prakhar0x01: https://hackerone.com/reports/2586662 [...]

Automatic Admin Access

on 19/07/2024

U.S. Dept Of Defense disclosed a bug submitted by bulldawg: https://hackerone.com/reports/1991214 [...]

Endpoint Redirects to Admin Page and Provides Admin role

on 19/07/2024

U.S. Dept Of Defense disclosed a bug submitted by bulldawg: https://hackerone.com/reports/1991290 [...]

Local File Inclusion in download.php

on 19/07/2024

U.S. Dept Of Defense disclosed a bug submitted by tokyoenigma: https://hackerone.com/reports/1639364 [...]

XML External Entity (XXE) Injection

on 19/07/2024

U.S. Dept Of Defense disclosed a bug submitted by maskedpersian: https://hackerone.com/reports/2573567 [...]

Email Takeover leads to permanent account deletion

on 19/07/2024

U.S. Dept Of Defense disclosed a bug submitted by prakhar0x01: https://hackerone.com/reports/2587953 [...]

Restrict any user from logging in to their account

on 19/07/2024

U.S. Dept Of Defense disclosed a bug submitted by prakhar0x01: https://hackerone.com/reports/2586616 [...]

Missing Access Control Allows for User Creation and Privilege Escalation

on 19/07/2024

U.S. Dept Of Defense disclosed a bug submitted by bulldawg: https://hackerone.com/reports/2442229 [...]

Unauthenticated arbitrary file upload on the https:/// (.mil)

on 19/07/2024

U.S. Dept Of Defense disclosed a bug submitted by sp1d3rs: https://hackerone.com/reports/698793 [...]

Unauthenticated access to internal API at..edu [HtUS]

on 19/07/2024

U.S. Dept Of Defense disclosed a bug submitted by matrixsoftsec: https://hackerone.com/reports/1627980 [...]

XXE with RCE potential on the https:// (CVE-2017-3548)

on 19/07/2024

U.S. Dept Of Defense disclosed a bug submitted by sp1d3rs: https://hackerone.com/reports/710654 [...]

Authentication bypass and potential RCE on the https:// due to exposed Cisco TelePresence SX80 with default credentials

on 19/07/2024

U.S. Dept Of Defense disclosed a bug submitted by sp1d3rs: https://hackerone.com/reports/684758 [...]

Unauth IDOR to mass account takeover without user interaction on the (https://.edu/)

on 19/07/2024

U.S. Dept Of Defense disclosed a bug submitted by sp1d3rs: https://hackerone.com/reports/685338 [...]

Self XSS

on 19/07/2024

U.S. Dept Of Defense disclosed a bug submitted by 0xtrav: https://hackerone.com/reports/2521186 [...]

[CVE-2018-0296] Cisco VPN path traversal on the https:// ()

on 19/07/2024

U.S. Dept Of Defense disclosed a bug submitted by sp1d3rs: https://hackerone.com/reports/695427 - Bounty: $750 [...]

[CVE-2018-0296] Cisco VPN path traversal on the https:/// (no hostname)

on 19/07/2024

U.S. Dept Of Defense disclosed a bug submitted by sp1d3rs: https://hackerone.com/reports/695780 - Bounty: $750 [...]

Global Microsoft Meltdown Tied to Bad Crowdstrike Update

by BrianKrebs on 19/07/2024

A faulty software update from cybersecurity vendor Crowdstrike crippled countless Microsoft Windows computers across the globe today, disrupting everything from airline travel and financial institutions to hospitals and businesses online. Crowdstrike said a fix has been deployed, but experts say the recovery from this outage could take some time, as Crowdstrike’s solution needs to be applied [...]

[CVE-2018-0296] Cisco VPN path traversal on the https:/// ()

on 19/07/2024

U.S. Dept Of Defense disclosed a bug submitted by sp1d3rs: https://hackerone.com/reports/695776 - Bounty: $750 [...]

[CVE-2018-0296] Cisco VPN path traversal on the https://1 (https://../)

on 19/07/2024

U.S. Dept Of Defense disclosed a bug submitted by sp1d3rs: https://hackerone.com/reports/694861 - Bounty: $750 [...]

HTML Injection into https://www..mil

on 19/07/2024

U.S. Dept Of Defense disclosed a bug submitted by thpless: https://hackerone.com/reports/2554003 [...]

CVE-2023-26347 in https://.mil/hax/..CFIDE/adminapi/administrator.cfc?method=getBuildNumber&_cfclient=true

on 19/07/2024

U.S. Dept Of Defense disclosed a bug submitted by traveler5260: https://hackerone.com/reports/2518407 [...]

Two of Wallarm’s Open-source Tools Have Been Accepted into Black Hat Arsenal 2024

by Nikhil Menon on 19/07/2024

We're gearing up with some seriously cool stuff for Black Hat! But first, a little sneak peek - not just one, but TWO of Wallarm's open-source tools will be featured in the Arsenal showcase at Black Hat USA this year. Black Hat Arsenal unites researchers and the open-source community to display their newest open-source tools and products, allowing presenters to engage directly with attendees. [...]

CrowdStrike Blew Up The Internet

on 19/07/2024

How to Upgrade a Shell on Meterpreter

on 18/07/2024

Criminal Gang Physically Assaulting People for Their Cryptocurrency

on 18/07/2024

This is pretty horrific: …a group of men behind a violent crime spree designed to compel victims to hand over access to their cryptocurrency savings. That announcement and the criminal complaint laying out charges against St. Felix focused largely on a single theft of cryptocurrency from an elderly North Carolina couple, whose home St. Felix and one of his accomplices broke into before physi [...]

LIVE Hacking with TryHackMe | Cyber Security | Pentesting | AppSec

on 17/07/2024

Security@: Connect, Network, Share Ideas, and Collaborate

on 17/07/2024

Retail Under Attack: HackerOne Customer Insights on Outsmarting Cybercriminals

on 17/07/2024

How HackerOne Organizes a Remote Hack Week

by Debbie Cotton on 17/07/2024

Cloudflare Reports that Almost 7% of All Internet Traffic Is Malicious

on 17/07/2024

6.8%, to be precise. From ZDNet: However, Distributed Denial of Service (DDoS) attacks continue to be cybercriminals’ weapon of choice, making up over 37% of all mitigated traffic. The scale of these attacks is staggering. In the first quarter of 2024 alone, Cloudflare blocked 4.5 million unique DDoS attacks. That total is nearly a third of all the DDoS attacks they mitigated the previous ye [...]

XSS in IBM InfoCenter

on 17/07/2024

IBM disclosed a bug submitted by redyetihacks: https://hackerone.com/reports/2343548 [...]

Multiple XSS and open HTTP redirection

on 16/07/2024

ExpressionEngine disclosed a bug submitted by maggick: https://hackerone.com/reports/2372332 [...]

He Sent Me Minecraft Malware (Java Deobfuscation)

on 16/07/2024

10 Years of the GitHub Security Bug Bounty Program

by HackerOne on 15/07/2024

Celebrating 10 years of GitHub's bug bounty program! Learn insights into bug bounty growth from a top program. [...]

Hacking Scientific Citations

on 15/07/2024

Some scholars are inflating their reference counts by sneaking them into metadata: Citations of scientific work abide by a standardized referencing system: Each reference explicitly mentions at least the title, authors’ names, publication year, journal or conference name, and page numbers of the cited publication. These details are stored as metadata, not visible in the article’s text [...]

AI is Taking Our Jobs

on 15/07/2024

Researchers: Weak Security Defaults Enabled Squarespace Domains Hijacks

by BrianKrebs on 15/07/2024

At least a dozen organizations with domain names at domain registrar Squarespace saw their websites hijacked last week. Squarespace bought all assets of Google Domains a year ago, but many customers still haven’t set up their new accounts. Experts say malicious hackers learned they could commandeer any migrated Squarespace accounts that hadn’t yet been registered, merely by supplying a [...]

Hacking Windows TrustedInstaller (GOD MODE)

on 15/07/2024

Permission model improperly processes UNC paths

on 15/07/2024

Node.js disclosed a bug submitted by tniessen: https://hackerone.com/reports/2079103 [...]

Upcoming Speaking Engagements

on 14/07/2024

This is a current list of where and when I am scheduled to speak: I’m speaking—along with John Bruce, the CEO and Co-founder of Inrupt—at the 18th Annual CDOIQ Symposium in Cambridge, Massachusetts, USA. The symposium runs from July 16 through 18, 2024, and my session is on Tuesday, July 16 at 3:15 PM. The symposium will also be livestreamed through the Whova platform. I’m [...]

ID4ME does not validate signature or expiration

on 14/07/2024

Nextcloud disclosed a bug submitted by mikaelgundersen: https://hackerone.com/reports/1878391 - Bounty: $750 [...]

Re-emergence of Security Vulnerability in Nextcloud Version 28 Previously Fixed in 25.0.4

on 14/07/2024

Nextcloud disclosed a bug submitted by flood78: https://hackerone.com/reports/2290680 - Bounty: $500 [...]

Can reshare a read&share-only folder with more permissions

on 14/07/2024

Nextcloud disclosed a bug submitted by fernandoenzo: https://hackerone.com/reports/2289425 - Bounty: $750 [...]

Event create can create attachments that link to other websites

on 14/07/2024

Nextcloud disclosed a bug submitted by simcard: https://hackerone.com/reports/2457588 - Bounty: $250 [...]

Missing permission check when removing a photo from an album

on 14/07/2024

Nextcloud disclosed a bug submitted by juliushaertl: https://hackerone.com/reports/1946298 [...]

Ability to bypass second factor

on 14/07/2024

Nextcloud disclosed a bug submitted by everysinglusernametaken: https://hackerone.com/reports/2419776 - Bounty: $1000 [...]

Fake AWS Packages Ship Command and Control Malware In JPEG Files

by Phylum Research Team on 14/07/2024

On July 13, 2024, the Phylum platform alerted us to a series of odd packages published to the npm package registry. At first glance, these packages appear entirely legitimate; however, as our system automatically noted, they contained sophisticated command and control functionality hidden in image files that would be executed during package installation. [...]

important: Apache HTTP Server weakness with encoded question marks in backreferences (CVE-2024-38474)

on 13/07/2024

Internet Bug Bounty disclosed a bug submitted by orange: https://hackerone.com/reports/2585381 - Bounty: $4920 [...]

important: Apache HTTP Server on Windows UNC SSRF (CVE-2024-38472)

on 13/07/2024

Internet Bug Bounty disclosed a bug submitted by orange: https://hackerone.com/reports/2585385 - Bounty: $4920 [...]

important: Apache HTTP Server weakness in mod_rewrite when first segment of substitution matches filesystem path. (CVE-2024-38475)

on 13/07/2024

Internet Bug Bounty disclosed a bug submitted by orange: https://hackerone.com/reports/2585378 - Bounty: $4920 [...]

important: Apache HTTP Server may use exploitable/malicious backend application output to run local handlers via internal redirect (CVE-2024-38476)

on 13/07/2024

Internet Bug Bounty disclosed a bug submitted by orange: https://hackerone.com/reports/2585376 - Bounty: $4920 [...]

important: Apache HTTP Server: Crash resulting in Denial of Service in mod_proxy via a malicious request (CVE-2024-38477)

on 13/07/2024

Internet Bug Bounty disclosed a bug submitted by orange: https://hackerone.com/reports/2585375 - Bounty: $4920 [...]

moderate: Apache HTTP Server: HTTP response splitting (CVE-2023-38709)

on 13/07/2024

Internet Bug Bounty disclosed a bug submitted by orange: https://hackerone.com/reports/2585373 - Bounty: $2600 [...]

moderate: Apache HTTP Server proxy encoding problem (CVE-2024-38473)

on 13/07/2024

Internet Bug Bounty disclosed a bug submitted by orange: https://hackerone.com/reports/2585384 - Bounty: $2600 [...]

Account Takeover via Authentication Bypass in TikTok Account Recovery

on 13/07/2024

TikTok disclosed a bug submitted by xtt0k: https://hackerone.com/reports/2443228 - Bounty: $12000 [...]

Friday Squid Blogging: 1994 Lair of Squid Game

on 12/07/2024

I didn’t know: In 1994, Hewlett-Packard released a miracle machine: the HP 200LX pocket-size PC. In the depths of the device, among the MS-DOS productivity apps built into its fixed memory, there lurked a first-person maze game called Lair of Squid. […] In Lair of Squid, you’re trapped in an underwater labyrinth, seeking a way out while avoiding squid roaming the corridors. A col [...]

CVE-2024-3416: MTU of 4096 or greater without fragmentation may cause NGINX worker processes to leak previously freed memory

on 12/07/2024

Internet Bug Bounty disclosed a bug submitted by noentry: https://hackerone.com/reports/2599391 - Bounty: $2600 [...]

Crooks Steal Phone, SMS Records for Nearly All AT&T Customers

by BrianKrebs on 12/07/2024

AT&T Corp. disclosed today that a new data breach has exposed phone call and text message records for roughly 110 million people — nearly all of its customers. AT&T said it delayed disclosing the incident in response to “national security and public safety concerns,” noting that some of the records included data that could be used to determine where a call was made or tex [...]

You're Too Old For Cybersecurity

on 12/07/2024

Announcing AES-GEM (AES with Galois Extended Mode)

by Trail of Bits on 12/07/2024

By Scott Arciszewski. Today, AES-GCM is one of two cipher modes used by TLS 1.3 (the other being ChaCha20-Poly1305) and the preferred method for encrypting data in FIPS-validated modules. But despite its overwhelming success, AES-GCM has been the root cause of some catastrophic failures: for example, Hanno Böck and Sean Devlin exploited nonce misuse to inject their Black Hat USA slide deck into the [...]

The NSA Has a Long-Lost Lecture by Adm. Grace Hopper

on 12/07/2024

The NSA has a video recording of a 1982 lecture by Adm. Grace Hopper titled “Future Possibilities: Data, Hardware, Software, and People.” The agency is (so far) refusing to release it. Basically, the recording is in an obscure video format. People at the NSA can’t easily watch it, so they can’t redact it. So they won’t do anything. With digital obsolescence threatenin [...]

NoSQL injection leaks visitor token and livechat messages

on 11/07/2024

Rocket.Chat disclosed a bug submitted by gronke: https://hackerone.com/reports/2580062 [...]

Feedback-Driven Interviewing at HackerOne

by Debbie Cotton on 11/07/2024

0 Click account takeover via timed requests to forgot-password (single-packet attack)

on 11/07/2024

Mars disclosed a bug submitted by 0x999: https://hackerone.com/reports/2142109 [...]

What HackerOne Customers Say About the Problems Hackers Solve

by HackerOne on 11/07/2024

Learn why organizations work with ethical hackers, like preventing breaches, meeting regulatory compliance, and helping the security budget. [...]

Reports submitted by a user account without 2FA set up can be transferred to a program that requires 2FA for submissions

on 11/07/2024

HackerOne disclosed a bug submitted by aloneh1: https://hackerone.com/reports/2569993 [...]

2FA can't be activated on app.pullrequest.com

on 11/07/2024

HackerOne disclosed a bug submitted by iam_srpk: https://hackerone.com/reports/2463069 [...]

Two factor authentication bypass

on 11/07/2024

HackerOne disclosed a bug submitted by pranshux0x_: https://hackerone.com/reports/2463279 [...]

Session Not Expire / 2FA Bypass

on 11/07/2024

HackerOne disclosed a bug submitted by blakfly: https://hackerone.com/reports/2469706 [...]

2FA Bypass via Leaked Cookies

on 11/07/2024

HackerOne disclosed a bug submitted by deepmarketer: https://hackerone.com/reports/2479622 [...]

Two-factor authentication bypass leads to information disclosure about the program and all participating hackers

on 11/07/2024

HackerOne disclosed a bug submitted by bob004x: https://hackerone.com/reports/2486086 [...]

Reset the 2FA of the user which can lead to Account Takeover

on 11/07/2024

HackerOne disclosed a bug submitted by 5zdob13: https://hackerone.com/reports/2492631 [...]

Apple Is Alerting iPhone Users of Spyware Attacks

on 11/07/2024

Not a lot of details: Apple has issued a new round of threat notifications to iPhone users across 98 countries, warning them of potential mercenary spyware attacks. It’s the second such alert campaign from the company this year, following a similar notification sent to users in 92 nations in April. [...]

Bypassing the victim's phone number OTP in the account recovery process on the https://hackerone.com/settings/auth/setup_account_recovery

on 11/07/2024

HackerOne disclosed a bug submitted by the-white-evil: https://hackerone.com/reports/2501984 [...]

2FA requirement bypass when claiming bounty

on 11/07/2024

HackerOne disclosed a bug submitted by raymatp: https://hackerone.com/reports/2528919 [...]

Improper Authentication - 2FA OTP Reusable

on 11/07/2024

HackerOne disclosed a bug submitted by xklepxn: https://hackerone.com/reports/2529780 [...]

Bypassing Two-Factor Authentication via Account Deactivation and Password Reset

on 11/07/2024

HackerOne disclosed a bug submitted by 011alsanosi: https://hackerone.com/reports/2543342 [...]

Business Logic error leads to bypass 2FA requirement

on 11/07/2024

HackerOne disclosed a bug submitted by abdulprkr: https://hackerone.com/reports/2571981 [...]

Hackers can Invite Collaborators Without 2FA on Programs Requiring 2FA

on 11/07/2024

HackerOne disclosed a bug submitted by a_kos: https://hackerone.com/reports/2575079 [...]

TOTP Authenticator implementation Accepts Expired Codes

on 11/07/2024

HackerOne disclosed a bug submitted by noob_but_cut3: https://hackerone.com/reports/2588810 [...]

Rocket.Chat Desktop client fails to open browser on 3rd party external actions from PDF documents

on 11/07/2024

Rocket.Chat disclosed a bug submitted by itssixtynein: https://hackerone.com/reports/1967109 [...]

LIVE Hacking with TryHackMe | Cyber Security | Pentesting | AppSec

on 10/07/2024

The Stark Truth Behind the Resurgence of Russia’s Fin7

by BrianKrebs on 10/07/2024

The Russia-based cybercrime group dubbed “Fin7,” known for phishing and malware attacks that have cost victim organizations an estimated $3 billion in losses since 2013, was declared dead last year by U.S. authorities. But experts say Fin7 has roared back to life in 2024 — setting up thousands of websites mimicking a range of media and technology companies — with the help o [...]

Pentesting for Web Applications

by HackerOne Pentest Delivery Team on 10/07/2024

Learn testing methodologies, common vulnerabilities, and best practices for pentesting web applications with PTaaS. [...]

File sizes may be manipulated into negative numbers when uploading

on 10/07/2024

LY Corporation disclosed a bug submitted by yinmo: https://hackerone.com/reports/1068301 - Bounty: $500 [...]

XSS on LINE CAREERS

on 10/07/2024

LY Corporation disclosed a bug submitted by nightm4re: https://hackerone.com/reports/2403554 [...]

Sources

The content of this page is fetched from the following sources:

  1. Datadog Security Labs
  2. Trail of Bits Blog
  3. Phylum
  4. Schneier on Security
  5. Krebs on Security
  6. Google Online Security Blog
  7. $BLOG_TITLE
  8. Agarri : Sécurité informatique offensive
  9. Alex Chapman's Blog
  10. www.alphabot.com
  11. Victoria Drake's Blog
  12. Brett Buerhaus
  13. Bug Bounty Reports Explained
  14. Bugcrowd
  15. cat ~/footstep.ninja/blog.txt
  16. Ezequiel Pereira
  17. HackerOne
  18. HackerOne
  19. Home
  20. InsiderPhD
  21. Intigriti
  22. John Hammond
  23. LiveOverflow
  24. NahamSec
  25. PortSwigger Blog
  26. Rana Khalil
  27. Richard’s Infosec blog
  28. Ron Chan
  29. ropnop blog
  30. STÖK
  31. Sun Knudsen
  32. The Cyber Mentor
  33. The unofficial HackerOne disclosure timeline
  34. The XSS rat
  35. TomNomNom
  36. Wallarm