In 2023, advertisements are STILL a vector for malware. An ad-blocker is essential for security.
@Seytonic11 ай бұрын
The FBI approves this message
@kenosabi10 ай бұрын
Google knocking your door in ..in 5 ..4...3... GIVE US THE AD REVENUE
@UKsystems6 ай бұрын
Reader has the one you use as some can contain malware
@benchy576911 ай бұрын
Google did things like this and they ask why people use ad blockers
@OcteractSG11 ай бұрын
It’s close to a full year since the first news broke about malware in Google ads, and it’s for Free software again! At what point do we call this lack of action to fix the problem malicious on its own? I think now is a good time.
@SpaceshipOperations11 ай бұрын
>At what point do we call this lack of action to fix the problem malicious on its own It has been the case for decades. There are many verified leaked documents about how the NSA stalks, harasses and threatens software engineers (including, for example, those in committees responsible for shaping networking standards) in order to force them to make their software/standards vulnerable, so that governments can hack you whenever they want.
@notaplic815811 ай бұрын
Malware ads have been around since pretty much the invention of Internet advertising
@ILoveTinfoilHats11 ай бұрын
Frauds and scams are the bread and butter of advertising. Ad pay is directly correlated to gullibility. Why do you think "adult content" pays so much...
@c1ph3rpunk11 ай бұрын
It’s been close to 2 decades since this concept has existed, deal with it.
@RadikAlice11 ай бұрын
Man, I feel bad for you. Pretty much all replies are missing your point or dismissing it outright
@velociraptor596211 ай бұрын
Great... Just after I get my first iPhone in 10 years. 😂
@pootispiker286611 ай бұрын
What happens on your iPhone, stays on my iPhone
@jimmypatton498211 ай бұрын
Just don’t visit malicious websites and don’t hang out with prankers. Though I would give the same advice to android users, so nothing new just annoying.
@jhonwickmex11 ай бұрын
Should have stayed with what you had
@NeoNyaa11 ай бұрын
Your fault for going apple
@mayorplayz11 ай бұрын
@@jhonwickmex Even androids have exploits lol
@matteovalentino489011 ай бұрын
To be fair, I read the paper, the practical application of such an exploit is incredibly difficult, it takes forever to steal strings, and it took years to a research team to obtain something, I'd say we good, majority of threat actors nowadays are kids that make DDos attacks or RaaS to make a quick buck
@inthefade11 ай бұрын
Even if it is incredibly difficult, that is barely a hindrance to state actors; They have the best talent and infinite resources.
@prcvl11 ай бұрын
perfect for country funded hacking teams
@varram348811 ай бұрын
hahahhaha so true about the majority of the threat actors part
@MVPMTKING11 ай бұрын
@@inthefadeno such resource on earth is infinite, water, time, food, electricity, people. But they do have a helluva lot in terms of CySec.
@matteovalentino489011 ай бұрын
@@inthefade I mean on that level let's be honest, state level threat actors probably have a huge supply of zero days and surely they don't need a year old exploit, let's remember that counties are the main customers of the NSO group
@khoanguyen000111 ай бұрын
Good news: Lockdown Mode can mitigated this kind of Safari attack. 🎉
@tech123811 ай бұрын
Apple have been battered with CVE’s in the last 1-2 months. Time have changed
@jimmypatton498211 ай бұрын
iOS is probably the most common operating system if you look at single code stack. Android while having more phones has more code stacks and hardware stacks, so exploits can be limited in scope.
@redbakery894311 ай бұрын
That's nothing new, they have been for years now. Look at the iOS security patch notes.
@tech123811 ай бұрын
@@redbakery8943 Whilst that is true, If you look specifically at macOS, there has been a large amount of patch releases for macOS Monterey and Ventura, plus the additional Safari patches.
@somnia342311 ай бұрын
@@jimmypatton4982yeah android phones are much safer
@camelotenglishtuition639411 ай бұрын
1-2 years
@klaudyw311 ай бұрын
With regards to the keepass thing, the reason why that special K would get around that domain check might be quite simple - it boils down to how you deal with string comparisons. Different languages function differently, and I'm not going to pretend that i know what Google is doing, but here's what I think is going on. In a lot of cases you don't want to consider all the weird ways in which people might mess with text, so you get the option to ignore certain things when doing a string comparison. As a quick example, here's some Romanian letters: Aa Ăă Ââ. The first pair is just a normal A, but the other ones are slightly different. When you do a string comparison, you don't really want a strict comparison. Keyboards don't come with those letters out of the box, and most people will never even bother knowing how to type them (i copied them from Wikipedia). To deal with situations like this, you get a not so strict comparison going. In this case, my guess is that Google is using that not-so-string comparison when checking the domain name, leading to that issue. There's a lot of conference talks about text encoding, and they go into a bit of detail on how things work, how things are broken, and depending on what you look at how it can break things further. A lot of them are fun to watch, so if anyone's interested give it a search.
@SaHaRaSquad11 ай бұрын
Not to mention there are many letters/symbols which even look exactly identical but are actually different. For example A and А are not the same letter: the second one is from the cyrillic alphabet and looks different in binary.
@ivanv75411 ай бұрын
So it’s like the tilde in Spanish. It’s supposed to be there but people don’t type it a lot of the time. You don’t want to tell Simón that Simon is not his name. Simon will be the name in his ID in fact, but his school diploma will say Simón.
@mastermach5011 ай бұрын
Like matching Pokémon and Pokemon for easier searchability?
@williamchamberlain226311 ай бұрын
Is this the unicode thing again? That the visible glyph isn't the same as the encoding
@gershommaes90211 ай бұрын
A nice word you might be looking for is "homoglyph"
@free4fire11 ай бұрын
Bu...but Apple products can't be hacked or get viruses, the cool hip guy in the commercial said so, only those PC nerds can get those! XD
@everyhandletaken11 ай бұрын
😂
@shadyheadstash11 ай бұрын
I spent all morning learning about WGPU and WASM and then immediately learn WASM is being used for hacking, because of course it is.
@Oliver_Atkinson11 ай бұрын
Tbf AFAIK all code gets used for hacking at some point
@mythicXD11 ай бұрын
I wonder if anyone with an amplified Bluetooth signal would sit near Apple HQ till they fix the bug?
@chri-k11 ай бұрын
it's not really fixable
@MelaninMagdalene11 ай бұрын
@@chri-k What’s the reason for that?
@chri-k11 ай бұрын
@@MelaninMagdalene This exploit via WebKit may possibly be fixed, but the underlying bug is in the hardware.
@stayblueee11 ай бұрын
@@SpookySkeleton738 the original comment was not about the speculative execution part of the video
@SpookySkeleton73811 ай бұрын
@@stayblueee 💀
@twistedsaltypretzel772711 ай бұрын
To be fair, a router with "Free Apple WiFi" would allegedly net a shitload of apple ID creds :/
@NeuroNinjaX11 ай бұрын
Let's wait until ChatGPT reads the paper... lol
@UKsystems6 ай бұрын
It refuses harmful tasks
@coolhandle57211 ай бұрын
The media is already blowing this out of proportion. I am already imagining all of the tiktoks people will make.
@mo450311 ай бұрын
This hack is not new. This has been around since 2017 or 2018. It was found on Intel CPU’s. It is the same method though. The CPU does what it think you’re about to do before you do it by your habits. It memorizes your habits over time and try’s to save small amounts of time for you.
@GrishTech11 ай бұрын
Another good reason to never allow auto password fill by password manager s. On my ios device, I specifically have to press a login for it to be autofilled.
@schwingedeshaehers10 ай бұрын
Does that solve the problem?
@auto11766611 ай бұрын
3:19 I can hear people in the reversing community say, “challenge accepted”
@edsmith305211 ай бұрын
Awesome video, I like that you’ve gone back to the multiple topic videos. It’s great to be able to watch one video and get an overview of important cybersecurity issues. As always, keep up the great work.
@Seytonic11 ай бұрын
Thanks :)
@cwaldrip11 ай бұрын
It's been a year without a patch, doesn't mean Apple isn't working on a fix. As pointed out it's a CPU issue so they're probably working on a balanced solution that doesn't completely eliminate the benefits of speculative execution but still try and mitigate the exploit. 🤔
@Jaxx759411 ай бұрын
Techryptic isn't the guy who found the bluetooth DoS. He stole the work of the Flipper Zero Xtreme dev team. Please, credit the right people. If you wan't, I could link you a blog post from the Xtreme team proving it all
@dil73611 ай бұрын
Google owns KZbin? KZbin doesn't want me to use an ad blocker lol.
@bsdims11 ай бұрын
Shoutouts to cars where their stereo/speaker system only accepts Bluetooth pairing, no headphone cable for you, pisses me off. I can't wait for modern-day manufacturers to regret that choice due to Flipper0 nonsense & general security holes. Never liked Bluetooth, both as a consumer (pairing annoyances, battery-life to deal with, etc.) & as a security-minded fella. The only way you can disrupt wires is by wear & tear, and/or the chord being cut in two. AUX4Life, & oh yeah, same goes for modern smartphones too, courage my ass.
@skywizard331911 ай бұрын
finally... i really need these videos to be more frequent, even if you're covering dumb things
@Chuck854111 ай бұрын
The more apple works with governments, the more hacks seem to be getting through. Funny how that works.
@programateiro11 ай бұрын
1:23 - I didn't knew `speculative execution` was a thing and CPUs jumped into the if statement just to later evaluate it's value: this is massive security issue imho
@Aizemiyo11 ай бұрын
Just another name for prefetching, it is originally employed to improve cpu performance, security wasnt really a big thing back then.
@ifur11 ай бұрын
Bye bye iCloud Keychain?
@jimmypatton498211 ай бұрын
It doesn’t matter if keychain or manually typing. As far as I could tell they are putting in long to execute statement to have as much data pre-gussed generated. Grabbing the data and then repeating if possible or just giving up. I think what matters is adding code to prevent the exploit from leaking one source of data to previous site.
@bazzeil11 ай бұрын
We tried the ddos bluetooth attach at work, it doesnt seem to work against samsung devices, and only the HP laptop in the office got the notifications. The Apple branded devices were hosed by this.
@AWriterWandering11 ай бұрын
This is why we can’t have nice things
@FellowGEEK-mi4tw11 ай бұрын
Looks like there is a fix inplace for iLeakage at least on my MacOS the feature flag for "Swap Processes on Cross-Site Window Open" was enabled for me. now checking if iOS Safari has this
@FellowGEEK-mi4tw11 ай бұрын
Yep enabled in iOS too, so they fixed this when?
@ardwetha11 ай бұрын
Why does this exploit with apple kinda sounds like specter. Both exploit the specular execution and then read data from memory, even though the languages normally don't have features for this.
@QuantariousBitsoniTalvanen11 ай бұрын
Finally, I can tell everyone who swears by the security of apple's products that they can suck it. At least till they find a patch.
@atirutwattanamongkol880611 ай бұрын
How on Earth can JS access something that low-level?????
@LetrixAR11 ай бұрын
It doesn't. WASM was used.
@atirutwattanamongkol880611 ай бұрын
@@LetrixAR WASM is a simulated stack machine in a nutshell, so there should still be no way for it to access something so low-level.
@GizziXZ11 ай бұрын
@@atirutwattanamongkol8806What's WASM?
@TMinusRecords11 ай бұрын
It's a timing based attack
@samando52411 ай бұрын
@@atirutwattanamongkol8806 If you watch the video it includes an explanation. Hope this helps :)
@johanlugthart778211 ай бұрын
Looks like I am save with my iPhone 8.😅
@ZoombalaGC11 ай бұрын
Thanks, I needed another dose of doom to cure my happiness 😮
@Krzys_D11 ай бұрын
My work only uses Apple cause the owner and IT guy says that Apple has no vulnerabilities 😅 glad I'm the only one on PC
@brainstem202311 ай бұрын
Duh, don't use a tab that YOU didn't open YOURSELF - either by using a saved bookmark or typing the URL. The only exception is if your browser is set up to open previously open tabs or certain tabs at startup. Popups are NEVER to be trusted unless it's spawned by the website you are using; for example, you click sign-in on your bank's page and a popup opens. That's pretty much internet safety 101. The weak link in internet security is almost ALWAYS the loose nut behind the keyboard.
@mgord951811 ай бұрын
The pop up is spawned by the website you're using... the attack looks exactly like OAuth, which is required to sign into tons of legitimate websites and your password is never supposed to be readable from it, which is the security vulnerability that's being talked about.
@SirFancy11 ай бұрын
I cannot believe Apple is being defended already. It is not "internet safety 101" to not trust a website that has the green lock icon, is HTTPS, you've verified certs for, and has the correct URL. It is not uncommon for a site to open a popup to complete OAuth. This is Apple's fault, plain and simple. Under no circumstances should another tab have access to the contents of another when the site is completely different and not under their control. By design, this is supposed to be impossible with how the WWW operates, and it should be fixed by Apple, and not just be a "well now this is how it is so be more cafeful". If this is how it is now, then literally nothing can be trusted. So yeah. Apple needs to fix, end of story. Source: CASP+ certified
@DanielQwerty11 ай бұрын
Ever used sign in with google?
@OGNord11 ай бұрын
@@DanielQwertynot even remotely the same thing
@samando52411 ай бұрын
@@OGNord To the average person who has no idea about internet security it would sure seem like it.
@luketurner31411 ай бұрын
9:34 I find hilarious combined with KZbin's war on Ad Blockers
@Hasblock11 ай бұрын
Amazing video as always, Mr. Hedgehog
@warehousing295311 ай бұрын
Speculative execution introduced in 1:40 is bat shxt crazy and shocking! Who invented this crap? A backdoor for govt?
@urbanws123411 ай бұрын
lol @ anyone who thinks any computer system is secure.
@Sound_.-Safari11 ай бұрын
Pegasus like 🤤
@aliabdallah10211 ай бұрын
Didn't intel have to deal w this stuff back i 15?
@Andreasepicgamingr11 ай бұрын
Wait so intel based macs are safe?
@btarg111 ай бұрын
That annoying flipper zero packet looks like it would be hilarious to use against people in public
@PartlyXenon11 ай бұрын
I guess I'm never getting berated again for disabling JavaScript..
@JustBadMeAndI11 ай бұрын
Scaremongering There’s potential but the point is, there is no hacking software using this, so storm in a glass of water.
@MorningStarChrist11 ай бұрын
I find it baffling that apple has its own specter vulnerability.
@martinlutherkingjr.558211 ай бұрын
Can’t Chat GPT just read that paper and tell a script kiddy what’s going on?
@iluvpandas275511 ай бұрын
It can
@iluvpandas275511 ай бұрын
But it will most likely not tell the script kiddy how to do it
@WiluckGD11 ай бұрын
@@iluvpandas2755 (thankfully)
@whtiequillBj11 ай бұрын
every single CPU out there does speculative execution. This is not special to Apple.
@rimilien11 ай бұрын
Yes as explicitly stated in the video
@prophoenix21211 ай бұрын
Isnt it similar to spectre attack on intel cpus? Also for android fans, you can steal data much easier from android and you don’t need those exploits.. 2:05
@lbgstzockt849311 ай бұрын
Sure sounds like it, which is probably why there is no fix for it yet. Didn’t the spectre fix cause a performance drop in some cases?
@dealloc11 ай бұрын
Yes. In fact I think it would fall under Spectre (also noted by the iLeakage paper) which affected all major CPUs; Intel, AMD and ARM. However, it also seems Safari is a big piece in this in how it apparently shares some memory between tabs when it shouldn't-both Chrome and Safari employs tab isolation, where each tab is assigned its own process-but it seems Safari may still leak some memory, or it could be the OS as well, given that processes should never be able to share resources as they should be in their own memory space.
@mgord951811 ай бұрын
If it's so easy then how do you do it?
@LetrixAR11 ай бұрын
@dealloc but this seems to be tied to webkit. How does a rendering technology affects a policy of tab isolation?
@dealloc11 ай бұрын
@@LetrixAR Was it exploited on other WebKit-based browsers that didn't use tab isolation? So far I've only seen reports on Safari specifically (on macOS). On iOS you can't use WebKit directly,. You use a wrapper API like UIWebView (or rather, the newer WKWebView). It's also not possible for browsers on iOS to spin up additional processes So these restrictions could make it possible for browsers on iOS to be affected by this too due to these limitations.
@skkskk11 ай бұрын
Dude I love your video.its amazing
@iamagi11 ай бұрын
The need to reverse the decision to allow other characters than a-z
@reoccurcat11 ай бұрын
Someone literally used that Bluetooth attack on me today and crashed my phone too
@alejandroalzatesanchez11 ай бұрын
kinda ironic that the example password is: thinkdifferent
@ong111 ай бұрын
0:13 I misheard Malaysia's😅
@robeagleR11 ай бұрын
Okay so I’ll just blacklist it from my router. 🎉
@stevengill173610 ай бұрын
Is it detected on the Android OS? ;*[} Oh well, probably will be soon enough...
@Bobby_0_11 ай бұрын
indian aadhar card leaked in dark web tell about that??
@rocstar300011 ай бұрын
Classic Apple L
@trthambi185711 ай бұрын
... The percentage of people that can understand the hack, is very small. The actual number of people is in the tens of thousands if not more. So it is likely this hack is being exploited in the wild. Just not on a scale that is a threat to the average person.
@BPTtech11 ай бұрын
Linode got bought by Akamai?
@Get_yotted11 ай бұрын
You didn’t know, it’s been a while already
@Biggerman15911 ай бұрын
YESSS THE WEEK WEB IS BACK
@mendodsoregonbackroads66327 ай бұрын
So the I leakage hack is just a nothing burger so far. A hacker could get a few bits of information, maybe put together a couple of letters or numbers. Got it.
@kenosabi10 ай бұрын
If all the NK money is sent back for missiles...shouldn't they have a way larger arms program by now..?
@JuniorSantiago3x10 ай бұрын
you lost me at “it uses Javascript” 😂😂😂 under that same context, all devices are always vulnerable when a dumb user click a link
@InsideOfMyOwnMind10 ай бұрын
Interesting that the FBI recommends using an ad blocker while youtube is at all out war with ad blockers.
@CZghost11 ай бұрын
Speaking of "understanding research papers" - most people will simply discard it as too long to read. But don't underestimate those who are determined. Determination is a powerful drive, and while it may take a longer time (a bit risky as it may be patched during this time), somebody might as well be able to piece it all together and start exploiting it.
@schwingedeshaehers10 ай бұрын
It looks like Apple doesn't want to fix it.
@Kingupon11 ай бұрын
umm dont you know this is literally just some Social Engineering thing like it's nothing new that is soo old honestly and people dont fell in this scam often unless they are really really dumb
@hung896911 ай бұрын
Any way you can do a video on KZbin/Google stimulus scam ads. I get 5-10 a day, using a Ai celebrity voice and stolen footage from random other things to create an ad about getting a stimulus or free healthcare card. They keep getting worse and worse, my grandfather didn’t know they were fake for months till I told him about it. He signed up multiple times, I had to spend a few days checking all of his stuff and changing his information
@Sashazur11 ай бұрын
All the ads I see on KZbin and Instagram are sleazy.
@H0mework11 ай бұрын
I remember the spectre and meltdown Intel 'bug'. I disabled the patch and my computer felt like I upgraded.
@mollthecoder11 ай бұрын
And now a script kiddie can have full access to your computer memory
@fordprefect85911 ай бұрын
that is a bad idea. Modern CPUs are actually optimized to run those patches, and the security implications of turning them off are.... apocalyptic.
@tezcanaslan287711 ай бұрын
I would only recommend doing this in aging systems with no critical data as you have just left your probably critical computer open to pretty much all remote attacks Turn that on or refrain from angering anybody on the internet.
@TheOfficialOriginalChad11 ай бұрын
@@mollthecoderyou clearly haven’t read the PoCs for them 😂
@mollthecoder11 ай бұрын
@@TheOfficialOriginalChad I have, what are you referring to in particular?
@Nas_Allie11 ай бұрын
Ironic, cannot even open KZbin with ad blocker installed but ads turn on
@mylesisshort10 ай бұрын
the flipper zero thing sends a packet that is the same as the apple tv packet with the last few characters randomized
@tsukipuppy11 ай бұрын
I recently purchased a MacBook then saw this video 😂
@asdprogram11 ай бұрын
intel used to struggle with the same vulnerability, but they appearantly fixed it and it appearantly doesnt really cost measurable cpu performance. I tested it
@aronm532911 ай бұрын
New cpu are built against meltdown so it's not an issue anymore. The update windows did in 2018 did lower CPUs vulnerable performance by a measurable amount however. Most people might not tell, but it wasn't insignificant
@asdprogram11 ай бұрын
@@aronm5329 I haven't seen any performance difference with my haswell cpu with or without spectre and meltdown mitigation.
@Irwin.00911 ай бұрын
Bowser is taking over
@christopherg234711 ай бұрын
Speculative execution is starting to be a seriously challenger to buffer over- and underflows as "the most common security vulnerability".
@Salt0011 ай бұрын
Why is KZbin recommending me garbage like this
@xpower712511 ай бұрын
freak I'm on iphone
@ninjanerdstudent693711 ай бұрын
I'm glad I never use Safari.
@WiluckGD11 ай бұрын
Ok I’m screwed then
@awesome_billy_bob10 ай бұрын
is it wrong that I clicked on this video to steal my sisters password?
@joshm33424 ай бұрын
@4:12 Who hires people who refuse to show their face for an interview?
@John7No11 ай бұрын
ugh, nice clickbait title? The problem is that although your video is quite good, and informative if I may say, the clickbait tittle is what puts a shadow to your credibility. All these titles of new exploit shares your passwords etc, do more damage than good
@camelotenglishtuition63949 ай бұрын
and ppl STILL will say that iOS is safer than android lol
@crimsonkarma1311 ай бұрын
this means nothing to me because i dont use apple, isnt good enough to use
@aussiemadlad11 ай бұрын
DAMN. i gotta warn my mum
@feuerherz00711 ай бұрын
don't worry, i told her already
@AlanTheBeast10011 ай бұрын
A graduate of Clickbait Academy.
@savagesarethebest725111 ай бұрын
Like how? This just so fucking basic and it is just now going into global conscious awareness? 😬👀😬 I literally discovered the same thing as iLeakage around 2003-2004... But in Firefox back then of course 😬🤪🤨
@savagesarethebest725111 ай бұрын
Also, you can also see what other Web pages you have been using by Cascading Style Sheets.. I don't use Firefox at the moment of writing but they said that they would disable ":visited" entirely and I hated it. It is more important to me to know how deep into the Wikipedia rabbit hole I am than if someone knows that I've been watching porn. I am a fucking human and I can't fucking expect that my gf is here and awake when I feel like it. So ofc I have to suit myself sometimes.. 🤔 😆
@everypizza11 ай бұрын
All devices have an exploit for passwords bt design: Looking at someone typing.
@FusionDeveloper11 ай бұрын
Ad blockers, aka, scam blockers.
@AleksLazar11 ай бұрын
Yeah I always felt uneasy about Apple’s rendering engine forced use. The irony here does not escape. Also get real with posting NY Times headlines like they have anything to do with reality.
@redslashed11 ай бұрын
Yo I spotted the flipper zero thing in the wild😂
@j.r.m.s.11 ай бұрын
L iPhone users
@slavakid533611 ай бұрын
bro
@MiserablePizza11 ай бұрын
as a ios user i am Killing myself,,,,,,,
@mozzapple11 ай бұрын
lol I'm glad to have android (and not use sketchy sites)
@1.414211 ай бұрын
FBI recommending adblock? take that youtube.
@xproot011 ай бұрын
Spectre for Apple wtf
@dsfs1798711 ай бұрын
Cyrillic lettering on the flipper case, why am I not surprised... 😂
@iblackfeathers11 ай бұрын
i find it strange you're crediting techryptic not furiousmac, salmq, ecto-1a, willyjl et al?
@Australia_QLD11 ай бұрын
so just turn off auto fill and watch for redirects?...
@SaHaRaSquad11 ай бұрын
Or just don't use Safari
@Aviancorporation11 ай бұрын
Wow. Never thought I’d be effected by malware but yup... I fell for it. 😢