In 2023, advertisements are STILL a vector for malware. An ad-blocker is essential for security.

Google did things like this and they ask why people use ad blockers

It’s close to a full year since the first news broke about malware in Google ads, and it’s for Free software again! At what point do we call this lack of action to fix the problem malicious on its own? I think now is a good time.

Great... Just after I get my first iPhone in 10 years. 😂

To be fair, I read the paper, the practical application of such an exploit is incredibly difficult, it takes forever to steal strings, and it took years to a research team to obtain something, I'd say we good, majority of threat actors nowadays are kids that make DDos attacks or RaaS to make a quick buck

Good news: Lockdown Mode can mitigated this kind of Safari attack. 🎉

Apple have been battered with CVE’s in the last 1-2 months. Time have changed

With regards to the keepass thing, the reason why that special K would get around that domain check might be quite simple - it boils down to how you deal with string comparisons. Different languages function differently, and I'm not going to pretend that i know what Google is doing, but here's what I think is going on. In a lot of cases you don't want to consider all the weird ways in which people might mess with text, so you get the option to ignore certain things when doing a string comparison. As a quick example, here's some Romanian letters: Aa Ăă Ââ. The first pair is just a normal A, but the other ones are slightly different. When you do a string comparison, you don't really want a strict comparison. Keyboards don't come with those letters out of the box, and most people will never even bother knowing how to type them (i copied them from Wikipedia). To deal with situations like this, you get a not so strict comparison going. In this case, my guess is that Google is using that not-so-string comparison when checking the domain name, leading to that issue. There's a lot of conference talks about text encoding, and they go into a bit of detail on how things work, how things are broken, and depending on what you look at how it can break things further. A lot of them are fun to watch, so if anyone's interested give it a search.

Bu...but Apple products can't be hacked or get viruses, the cool hip guy in the commercial said so, only those PC nerds can get those! XD

I spent all morning learning about WGPU and WASM and then immediately learn WASM is being used for hacking, because of course it is.

I wonder if anyone with an amplified Bluetooth signal would sit near Apple HQ till they fix the bug?

To be fair, a router with "Free Apple WiFi" would allegedly net a shitload of apple ID creds :/

Let's wait until ChatGPT reads the paper... lol

The media is already blowing this out of proportion. I am already imagining all of the tiktoks people will make.

This hack is not new. This has been around since 2017 or 2018. It was found on Intel CPU’s. It is the same method though. The CPU does what it think you’re about to do before you do it by your habits. It memorizes your habits over time and try’s to save small amounts of time for you.

Another good reason to never allow auto password fill by password manager s. On my ios device, I specifically have to press a login for it to be autofilled.

3:19 I can hear people in the reversing community say, “challenge accepted”

Awesome video, I like that you’ve gone back to the multiple topic videos. It’s great to be able to watch one video and get an overview of important cybersecurity issues. As always, keep up the great work.

It's been a year without a patch, doesn't mean Apple isn't working on a fix. As pointed out it's a CPU issue so they're probably working on a balanced solution that doesn't completely eliminate the benefits of speculative execution but still try and mitigate the exploit. 🤔

Techryptic isn't the guy who found the bluetooth DoS. He stole the work of the Flipper Zero Xtreme dev team. Please, credit the right people. If you wan't, I could link you a blog post from the Xtreme team proving it all

Google owns KZbin? KZbin doesn't want me to use an ad blocker lol.

Shoutouts to cars where their stereo/speaker system only accepts Bluetooth pairing, no headphone cable for you, pisses me off. I can't wait for modern-day manufacturers to regret that choice due to Flipper0 nonsense & general security holes. Never liked Bluetooth, both as a consumer (pairing annoyances, battery-life to deal with, etc.) & as a security-minded fella. The only way you can disrupt wires is by wear & tear, and/or the chord being cut in two. AUX4Life, & oh yeah, same goes for modern smartphones too, courage my ass.

finally... i really need these videos to be more frequent, even if you're covering dumb things

The more apple works with governments, the more hacks seem to be getting through. Funny how that works.

1:23 - I didn't knew `speculative execution` was a thing and CPUs jumped into the if statement just to later evaluate it's value: this is massive security issue imho

Bye bye iCloud Keychain?

We tried the ddos bluetooth attach at work, it doesnt seem to work against samsung devices, and only the HP laptop in the office got the notifications. The Apple branded devices were hosed by this.

This is why we can’t have nice things

Looks like there is a fix inplace for iLeakage at least on my MacOS the feature flag for "Swap Processes on Cross-Site Window Open" was enabled for me. now checking if iOS Safari has this

Why does this exploit with apple kinda sounds like specter. Both exploit the specular execution and then read data from memory, even though the languages normally don't have features for this.

Finally, I can tell everyone who swears by the security of apple's products that they can suck it. At least till they find a patch.

How on Earth can JS access something that low-level?????

Looks like I am save with my iPhone 8.😅

Thanks, I needed another dose of doom to cure my happiness 😮

My work only uses Apple cause the owner and IT guy says that Apple has no vulnerabilities 😅 glad I'm the only one on PC

Duh, don't use a tab that YOU didn't open YOURSELF - either by using a saved bookmark or typing the URL. The only exception is if your browser is set up to open previously open tabs or certain tabs at startup. Popups are NEVER to be trusted unless it's spawned by the website you are using; for example, you click sign-in on your bank's page and a popup opens. That's pretty much internet safety 101. The weak link in internet security is almost ALWAYS the loose nut behind the keyboard.

9:34 I find hilarious combined with KZbin's war on Ad Blockers

Amazing video as always, Mr. Hedgehog

Speculative execution introduced in 1:40 is bat shxt crazy and shocking! Who invented this crap? A backdoor for govt?

lol @ anyone who thinks any computer system is secure.

Pegasus like 🤤

Didn't intel have to deal w this stuff back i 15?

Wait so intel based macs are safe?

That annoying flipper zero packet looks like it would be hilarious to use against people in public

I guess I'm never getting berated again for disabling JavaScript..

Scaremongering There’s potential but the point is, there is no hacking software using this, so storm in a glass of water.

I find it baffling that apple has its own specter vulnerability.

Can’t Chat GPT just read that paper and tell a script kiddy what’s going on?

every single CPU out there does speculative execution. This is not special to Apple.

Isnt it similar to spectre attack on intel cpus? Also for android fans, you can steal data much easier from android and you don’t need those exploits.. 2:05

Dude I love your video.its amazing

The need to reverse the decision to allow other characters than a-z

Someone literally used that Bluetooth attack on me today and crashed my phone too

kinda ironic that the example password is: thinkdifferent

0:13 I misheard Malaysia's😅

Okay so I’ll just blacklist it from my router. 🎉

Is it detected on the Android OS? ;*[} Oh well, probably will be soon enough...

indian aadhar card leaked in dark web tell about that??

Classic Apple L

... The percentage of people that can understand the hack, is very small. The actual number of people is in the tens of thousands if not more. So it is likely this hack is being exploited in the wild. Just not on a scale that is a threat to the average person.

Linode got bought by Akamai?

YESSS THE WEEK WEB IS BACK

So the I leakage hack is just a nothing burger so far. A hacker could get a few bits of information, maybe put together a couple of letters or numbers. Got it.

If all the NK money is sent back for missiles...shouldn't they have a way larger arms program by now..?

you lost me at “it uses Javascript” 😂😂😂 under that same context, all devices are always vulnerable when a dumb user click a link

Interesting that the FBI recommends using an ad blocker while youtube is at all out war with ad blockers.

Speaking of "understanding research papers" - most people will simply discard it as too long to read. But don't underestimate those who are determined. Determination is a powerful drive, and while it may take a longer time (a bit risky as it may be patched during this time), somebody might as well be able to piece it all together and start exploiting it.

umm dont you know this is literally just some Social Engineering thing like it's nothing new that is soo old honestly and people dont fell in this scam often unless they are really really dumb

Any way you can do a video on KZbin/Google stimulus scam ads. I get 5-10 a day, using a Ai celebrity voice and stolen footage from random other things to create an ad about getting a stimulus or free healthcare card. They keep getting worse and worse, my grandfather didn’t know they were fake for months till I told him about it. He signed up multiple times, I had to spend a few days checking all of his stuff and changing his information

I remember the spectre and meltdown Intel 'bug'. I disabled the patch and my computer felt like I upgraded.

Ironic, cannot even open KZbin with ad blocker installed but ads turn on

the flipper zero thing sends a packet that is the same as the apple tv packet with the last few characters randomized

I recently purchased a MacBook then saw this video 😂

intel used to struggle with the same vulnerability, but they appearantly fixed it and it appearantly doesnt really cost measurable cpu performance. I tested it

Bowser is taking over

Speculative execution is starting to be a seriously challenger to buffer over- and underflows as "the most common security vulnerability".

Why is KZbin recommending me garbage like this

freak I'm on iphone

I'm glad I never use Safari.

Ok I’m screwed then

is it wrong that I clicked on this video to steal my sisters password?

@4:12 Who hires people who refuse to show their face for an interview?

ugh, nice clickbait title? The problem is that although your video is quite good, and informative if I may say, the clickbait tittle is what puts a shadow to your credibility. All these titles of new exploit shares your passwords etc, do more damage than good

and ppl STILL will say that iOS is safer than android lol

this means nothing to me because i dont use apple, isnt good enough to use

DAMN. i gotta warn my mum

A graduate of Clickbait Academy.

Like how? This just so fucking basic and it is just now going into global conscious awareness? 😬👀😬 I literally discovered the same thing as iLeakage around 2003-2004... But in Firefox back then of course 😬🤪🤨

All devices have an exploit for passwords bt design: Looking at someone typing.

Ad blockers, aka, scam blockers.

Yeah I always felt uneasy about Apple’s rendering engine forced use. The irony here does not escape. Also get real with posting NY Times headlines like they have anything to do with reality.

Yo I spotted the flipper zero thing in the wild😂

L iPhone users

lol I'm glad to have android (and not use sketchy sites)

FBI recommending adblock? take that youtube.

Spectre for Apple wtf

Cyrillic lettering on the flipper case, why am I not surprised... 😂

i find it strange you're crediting techryptic not furiousmac, salmq, ecto-1a, willyjl et al?

so just turn off auto fill and watch for redirects?...

Wow. Never thought I’d be effected by malware but yup... I fell for it. 😢