Welcome to the comment section! First, thanks for watching! Make sure you are subscribed if you liked the video! kzbin.info Follow me on twitter: twitter.com/gregxsunday ✉️ Sign up for the mailing list ✉️ mailing.bugbountyexplained.com/ ☕️ Support my channel ☕️ www.buymeacoffee.com/bountyexplained 🖥 Get $100 in credits for Digital Ocean 🖥 m.do.co/c/cc700f81d215
@techchannel3107 (3 years ago)
Hey bro, are you from the US? Because your speaking is not the same as ours.
@BugBountyReportsExplained (3 years ago)
@techchannel3107 Nope, I'm from Poland.
@techchannel3107 (3 years ago)
@BugBountyReportsExplained OK, my guess is right.
@iplaynone1870 (2 years ago)
Thanks for welcoming me 🤣
@MrREALball (3 years ago)
Imagine having an SQL INJECTION vulnerability in 2020 in your app.
@BugBountyReportsExplained (3 years ago)
There are many of those, but somehow undetected yet.
@user-fd4pv2rb8u (3 years ago)
The two main attacks on how things get hacked are SQL & XSS.
@femmeNikita27 (3 years ago)
@asanokatana Well, Zoom can wait for its corporate clients to watch this video after using Zoom for internal meetings on sensitive corporate financial issues, or parents and school directors who use it for education, and the public outcry coming from this might be the end of Zoom. But yes, safety-wise it is interesting content. Although if this issue doesn't get resolved ASAP, and if such corner cutting becomes commonplace within any provider of online conferencing platforms, it can bring entire companies down. In more than one way.
@teknastyk (3 years ago)
Now imagine half a country using it professionally and semi-professionally, like schools, and the gov openly brags about how they openly support this... :D 2020 is just epic, never thought I'd live to see all this.
@user-fd4pv2rb8u (3 years ago)
@teknastyk Yeah, that sucks, and probably many more exploits out there just waiting to be found.
@NeseComedy (3 years ago)
"Why do you cover up your camera? Are you paranoid?" Yes.
@BenREDCZ (3 years ago)
Better to watch my ugly face than my expensive files :)))))
@satansatan9993 (3 years ago)
@BenREDCZ If they can turn your camera on, trust me, they are doing way more than just watching you lol
@abofhad4378 (3 years ago)
Thanks a lot, Mister.
@soham2106 (3 years ago)
Me, who doesn't even plug in the USB that connects the webcam: interesting.
@channelbtech6497 (3 years ago)
Same here 😆
@StunXPlayz (3 years ago)
Same XD
@NStripleseven (3 years ago)
Lol same
@fitmotheyap (3 years ago)
When I don't use the webcam I always unplug it.
@soham2106 (3 years ago)
@fitmotheyap Same here. I just plug it in for a few minutes when I am required to switch on the video.
@yashithabanu7173 (3 years ago)
Hats off to the researcher who found this!!!! Totally out of the box 🔥🔥
@BugBountyReportsExplained (3 years ago)
Yeah, this is very cool indeed.
@dargy (3 years ago)
These types of encoding mangling problems are pretty common when it comes to web app stuff; pretty cool to see it translating well in an actual desktop app.
@narasimhaswamy5464 (3 years ago)
Never expected this type of vulnerability.
@BugBountyReportsExplained (3 years ago)
Yeah, that's definitely a nice one.
@kruemmelbande5078 (3 years ago)
*laughs in virtual machine*
@BugBountyReportsExplained (3 years ago)
😂
@teknastyk (3 years ago)
I hope you run through a decent hypervisor and don't leave your RAM exposed just like that. It's 2020. VMs are so 2009 xD
@kruemmelbande5078 (3 years ago)
@teknastyk Well, I don't think Zoom is gonna jump a VM.
@TheJinx64 (3 years ago)
@teknastyk OK ms, I love Gen Z lol, ok boomer
@jofx4051 (3 years ago)
Wait, what?
@viczav (3 years ago)
That accent makes it x1000 better.
@BugBountyReportsExplained (3 years ago)
As a non-native speaker I'm very glad to hear that 😎
@void8370 (3 years ago)
@BugBountyReportsExplained I knew it right away :d
@void8370 (3 years ago)
@user-yv6ed3io4d I checked in the channel's "About" info.
@Michtar (3 years ago)
@void8370 That debugger showed "gNIEDZIELA", plus the accent, so I figured it out :D
@InfiniteLogins (3 years ago)
This is the first video I've watched on your channel; you do an amazing job at breaking this down and making it easy to understand. I've read blog posts that explain these types of write-ups, but the way you explain them makes it so much easier to follow.
@BugBountyReportsExplained (3 years ago)
Awesome, mate! I believe that using videos it's possible to explain vulns better and quicker.
@mr.kn0w1t4ll2 (3 years ago)
Your channel is so educational and amazing!! You should definitely upload more!
@BugBountyReportsExplained (3 years ago)
Thanks, mate, but I put a lot of work into each video and uploading them more often would be hard.
@RatherPleasent (3 years ago)
Lol, I used to think the SQL injection portion of OWASP was irrelevant. Good to see Zoom is keeping it alive.
@naimas8120 (2 years ago)
Lmao, this comment 😭
@GalacticTG (3 years ago)
All the professors at my school will now use this xD
@BugBountyReportsExplained (3 years ago)
Keep your Zoom updated and they will not 😏
@MrREALball (3 years ago)
@BugBountyReportsExplained Who cares, Chinese AI will still see and hear everything.
@rizkyadiyanto7922 (3 years ago)
@MrREALball American AI can read your mind.
@willinton06 (3 years ago)
5:50 beautiful, simply beautiful.
@BugBountyReportsExplained (3 years ago)
Oh yes it is!
@xii1 (3 years ago)
These are the kinds of clever exploits that I live for.
@greatguy8029 (3 years ago)
You saying this reminds me of people looking at a painting 🖼 in a museum and discussing it for hours, and I come shouting "Wtf, it's a tree"?
@NogCube (3 years ago)
$2000 is not much. Honestly, I would not report this problem for such a small amount of money. I'm sorry, Zoom. 😅
@BugBountyReportsExplained (3 years ago)
Well, if the researcher just wanted to make sure that his Zoom calls are secure, then $2000 is a good bonus.
@FireWyvern870 (3 years ago)
@BugBountyReportsExplained Looking at all the past vulnerabilities, I wouldn't use Zoom at all.
@kamilo1175 (3 years ago)
@FireWyvern870 Haha, well, guess what. My college and my parents' firm both use Zoom as their main medium for video conferences. I love this country.
@SamehMustafa007 (3 years ago)
@BugBountyReportsExplained Really, it should be more than $2000 😠 They are stingy.
@hariesch_8015 (3 years ago)
You might spend time learning and making efforts that are worth more than $2000, I agree.
@khire5433 (3 years ago)
Hacker: I can see you. Le me: I don't even have a cam. 😏
@andreymx (3 years ago)
Wow. Thank you for the video! I thought UTF-8 does protect you in case of this kind of mistreatment of multibyte-encoded strings, exactly because all the bytes in extended characters MUST have the top bit set, so it makes it impossible to hide an ASCII character in an extended UTF-8 character. Some other older multibyte encodings (like GBK) actually allow ASCII to be part of the extended character set. But what do you know, it turns out some extremely popular databases do help attackers in this regard...
@BugBountyReportsExplained (3 years ago)
Yeah, it seems that UTF-8 was well designed with that in mind, but the same can't be said about the UTF-8 implementation in SQLite.
@wellsilver3972 (3 years ago)
UTF-8 is literally just a version of text, for example Unicode, or ASCII.
@jmsanchez5631 (3 years ago)
$2000 is not enough for this bug. Very well done.
@relaehtube1225 (3 years ago)
Finally I found something interesting in attending Zoom classes (opening others' cameras 😁)
@mrdavidrees (3 years ago)
Great video. Makes me a little concerned about my code bases.
@BugBountyReportsExplained (3 years ago)
Yeah, mate, check if you use prepared statements.
@epicindiancomments9438 (3 years ago)
This is great, please create a full course, on YouTube or Udemy.
@BugBountyReportsExplained (3 years ago)
Maybe one day.
@joshuabudiarto5036 (3 years ago)
Zoom employee: Write that down, write that down!!!
@HK-sw3vi (3 years ago)
I'm glad my laptop came with a built-in physical shutter for the cam.
@k42p3r (3 years ago)
Great walkthrough. That is worth testing for when writing integration tests. Thanks for sharing.
@BugBountyReportsExplained (3 years ago)
Good idea, but I think SQLi is easiest to detect using a SAST tool or even a linter, because it's very easy to spot in the source code. The tool just looks at how you executed the SQL query.
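A minimal version of the linter-style check the reply above describes, added here as an example. It is not the channel's code and not any real SAST product: it parses Python source with the standard `ast` module and flags `execute`-style calls whose query text is assembled at runtime (string concatenation, `%` formatting, `.format()`, f-strings, or a variable bound to one of those). `SQL_EXEC_METHODS` is an assumed list of DB-API method names, and the source it scans is constructed for the example.

```python
import ast

# Method names typical of DB-API drivers such as sqlite3 (assumption for this example).
SQL_EXEC_METHODS = {"execute", "executemany", "executescript"}


def _is_dynamic_string(node):
    """True when the query text is assembled at runtime instead of being a literal."""
    if isinstance(node, ast.JoinedStr):                       # f"... {name} ..."
        return True
    if isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Add, ast.Mod)):
        return True                                           # "..." + name, "... %s" % name
    if (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
            and node.func.attr == "format"):
        return True                                           # "... {}".format(name)
    return False


def find_dynamic_sql(source):
    """Return sorted line numbers of execute-style calls whose query argument is dynamic.

    Heuristic only, no real data-flow analysis: a bare name counts as dynamic when any
    assignment in the file binds it to a dynamically built string.
    """
    tree = ast.parse(source)

    dynamic_names = set()
    for node in ast.walk(tree):
        if isinstance(node, ast.Assign) and _is_dynamic_string(node.value):
            for target in node.targets:
                if isinstance(target, ast.Name):
                    dynamic_names.add(target.id)

    findings = []
    for node in ast.walk(tree):
        if not (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)):
            continue
        if node.func.attr not in SQL_EXEC_METHODS or not node.args:
            continue
        query = node.args[0]
        if _is_dynamic_string(query) or (isinstance(query, ast.Name) and query.id in dynamic_names):
            findings.append(node.lineno)
    return sorted(findings)


# Constructed sample source for the example: two vulnerable patterns and one safe one.
SAMPLE_SOURCE = '''
import sqlite3
def by_name_concat(conn, name):
    return conn.execute("SELECT value FROM settings WHERE name = '" + name + "'")
def by_name_fstring(conn, name):
    query = f"SELECT value FROM settings WHERE name = '{name}'"
    return conn.execute(query)
def by_name_param(conn, name):
    return conn.execute("SELECT value FROM settings WHERE name = ?", (name,))
'''

if __name__ == "__main__":
    for lineno in find_dynamic_sql(SAMPLE_SOURCE):
        print(f"line {lineno}: SQL query text built at runtime; use a parameterized query")
```

Run against `SAMPLE_SOURCE` it reports lines 4 and 7 (the concatenated query and the f-string routed through a variable) and stays quiet on the parameterized call. A production tool would add inter-procedural tracking and ORM raw-query methods, but the core signal is the same one the reply points at: look at how the query string reaches the driver.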
@penguin2251 (3 years ago)
Thank you for your video, it was very informative and well done! It seems like the Zoom developer team made some bad decisions during development. I assume they tried to make their own SQL string escape function. That problem has been solved many times before; not sure why they didn't use a library.
@BugBountyReportsExplained (3 years ago)
Yes, writing your own security instead of using well-tested frameworks proves to be a bad idea over and over again.
@hammer2302 (3 years ago)
Just studied SQL injection in my last semester. Never thought it was used nowadays.
@kahirankarasinghe7930 (3 years ago)
Dude, you no longer need to imagine a Russian hacker, the legend is already here.
@diegogomes7179 (2 years ago)
First time here and yet to learn BB in depth... but you did an amazing job explaining!
@user15121lIlIIll (3 years ago)
Joke's on you, I don't have a webcam on my monitor.
@BugBountyReportsExplained (3 years ago)
BULLETPROOF
@Nerwesta (3 years ago)
Me watching that video while my professor introduced me to Zoom and taught me about SQL vulnerabilities in my app years ago: I see why you're telling me that now 🤔
@user-kc2eb1ib7e (3 years ago)
Mr. author, that's very cool!!! How long and what type of programming does an ordinary person need to study to do such things? I will be very grateful for the answer.
@Zawadmunshi (3 years ago)
C, ASM
@dominicgraham6101 (3 years ago)
Understanding the basics of hacking/cybersecurity is a good start, and from there I'd just try to learn as many vulnerabilities as you can, or learn about the systems you use, like Windows, iOS, etc.
@BugBountyReportsExplained (3 years ago)
There are a lot of areas in cybersecurity: web security, mobile security (iOS, Android), desktop client security (Windows, Mac, Linux). You need to choose one and then you can ask about languages. I reckon after about 1000 hours of learning you can get a job if you have no experience right now.
@SulavParajuli (3 years ago)
Good presentation 😊 Subscribed
@BugBountyReportsExplained (3 years ago)
Awesome!
@t3xtm0d3 (3 years ago)
Single quote bypass is superb!
@RAZREXE (3 years ago)
This is a great video! Loved it, man ❤️
@BugBountyReportsExplained (3 years ago)
Glad you enjoyed it!!
@vikaskumar-pc1xd (3 years ago)
Thanks, this video is so knowledgeable. Waiting for more videos like this.
@BugBountyReportsExplained (3 years ago)
😊
@jq10 (3 years ago)
Me, who has never actually been away from the keyboard, waiting for the attacker to spy on me: *interesting*
@aakarshanraj1176 (3 years ago)
You explained it great; I am shocked they don't have any function to filter the SQL query.
@BugBountyReportsExplained (3 years ago)
They relied on doubling quotes as a protection against SQLi.
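The two defences that come up in these comments, quote doubling (the reply just above) and prepared statements (the earlier "check if you use prepared statements" reply), side by side on a small SQLite database. This is an added example, not code from the video, from Zoom or from the original write-up: the table, its rows and the payloads are constructed for the demo, and nothing here reproduces the encoding trick the researcher used. It shows what quote doubling does stop (the textbook `' OR` payload, and a backslash variant, since SQLite string literals have no backslash escape), what it does not stop (a value interpolated outside any quoted literal), and why the parameterized form is the fix rather than a better escaper.

```python
import sqlite3


def make_db():
    """Constructed sample database for the example (not Zoom's real schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE settings (id INTEGER PRIMARY KEY, name TEXT, value TEXT)")
    conn.executemany(
        "INSERT INTO settings VALUES (?, ?, ?)",
        [(1, "video_on_join", "0"), (2, "audio_on_join", "1"), (3, "secret_token", "s3cr3t")],
    )
    return conn


def double_quotes(value):
    """The only defence the comments describe: every single quote becomes two."""
    return value.replace("'", "''")


def lookup_concat(conn, name):
    """Vulnerable: untrusted text pasted straight into the statement."""
    sql = "SELECT value FROM settings WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_doubled(conn, name):
    """Same concatenation, but with quote doubling applied first."""
    sql = "SELECT value FROM settings WHERE name = '" + double_quotes(name) + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_by_id_doubled(conn, id_text):
    """Quote doubling in a numeric context: there is no quote to escape, so it does nothing."""
    sql = "SELECT value FROM settings WHERE id = " + double_quotes(id_text)
    return [row[0] for row in conn.execute(sql)]


def lookup_param(conn, name):
    """Prepared statement: the value is bound separately and is never parsed as SQL."""
    return [row[0] for row in conn.execute("SELECT value FROM settings WHERE name = ?", (name,))]


def lookup_by_id_param(conn, id_text):
    """Parameterized numeric lookup; a non-numeric string simply matches nothing."""
    return [row[0] for row in conn.execute("SELECT value FROM settings WHERE id = ?", (id_text,))]


# Constructed payloads for the example. The template's own trailing quote closes the
# injected literal, so no comment sequence is needed.
QUOTE_PAYLOAD = "x' OR name = 'secret_token"
BACKSLASH_PAYLOAD = "\\' OR name = 'secret_token"
NUMERIC_PAYLOAD = "1 OR 1=1"

if __name__ == "__main__":
    db = make_db()
    print("concat,  quote payload    ->", lookup_concat(db, QUOTE_PAYLOAD))          # leaks s3cr3t
    print("doubled, quote payload    ->", lookup_doubled(db, QUOTE_PAYLOAD))         # nothing
    print("doubled, backslash        ->", lookup_doubled(db, BACKSLASH_PAYLOAD))     # nothing
    print("doubled, numeric context  ->", lookup_by_id_doubled(db, NUMERIC_PAYLOAD)) # every row
    print("param,   numeric context  ->", lookup_by_id_param(db, NUMERIC_PAYLOAD))   # nothing
    print("param,   legit name       ->", lookup_param(db, "video_on_join"))
```

The point of the last two helpers is the one a practitioner should take away: an escaper is only correct for the exact lexical context it was written for (a single-quoted SQLite string literal, in the same encoding the parser will see), and every other context, transformation or parser quirk is a bypass waiting to happen. A bound parameter has no such context to get wrong.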
@MrDjluis95 (3 years ago)
Dope info, thanks bre
@BugBountyReportsExplained (3 years ago)
Thanks for watching, bre
@MrDjluis95 (3 years ago)
🔥
@ludologian (3 years ago)
Only 2K... I know it needs an offline exploit, but he deserves more.
@BugBountyReportsExplained (3 years ago)
It does.
@AurelianoTorquatoBrandao (6 months ago)
So much complexity and receiving only 2,000 is very insane.
@vinceontheweb (3 years ago)
What size needle do you use for an SQL injection?
@L_a_p_s_k_y (3 years ago)
$2000 is a joke for such a big vulnerability.
@jonathanhoyos8191 (3 years ago)
Very nice explanation, keep it up, buddy!!!! 👨🏻💻
@BugBountyReportsExplained (3 years ago)
Thanks, mate!
@SrRunsis (3 years ago)
Definitely subscribed and Adblock disabled for your channel, man! Keep up the great work 😁😁
@SrRunsis (3 years ago)
Also, maybe you should add more ads to your videos, like perhaps one at the beginning, one in the middle depending on the length and content of the video, and the last ad at the end!
@BugBountyReportsExplained (3 years ago)
Thanks a lot, mate, but so far I'm not even eligible to join YT's partner program. But I appreciate your attitude 😉
@dennismunyaka6537 (2 years ago)
Well articulated, man, you're going to be a million-dollar hacker soon haha
@puppalaanusha1333 (2 years ago)
Loved the video, loved to hear your accent, bro.
@connected. (3 years ago)
There is an LED next to my camera which lights up with the camera..... Such a cool security feature.
@MARTIN-101 (3 years ago)
It can be turned off 🤣🤣
@connected. (3 years ago)
@MARTIN-101 No, it can't be turned off.
@andrewm4835 (3 years ago)
Me, who always unplugs my camera after using it: Ah yes, very interesting.
@demb0096 (3 years ago)
Well done, bro!
@BugBountyReportsExplained (3 years ago)
Thanks, bro!
@NOoBGamer-yq1yk (3 years ago)
Me chilling with my pop-up camera :)
@DeltaTony (3 years ago)
*laughs in cover camera with tape*
@inevitablecatto8090 (3 years ago)
So, earlier last month my computer science class taught me pretty much what SQL does, that is, to create or manage or do some stuff with databases. But they never told me that SQL could be used to hack?! Btw, I only understood like 20% of the video, but I actually enjoyed it. Thx.
@BugBountyReportsExplained (3 years ago)
At my university, they taught me to do SQL queries from Java by just string concatenation, so it was vulnerable to SQL injection. When I talked about it with the teacher, he told me it's not a security class 🙃 The security class never came in my syllabus 😂
@daniulchowdhury7110 (3 years ago)
BROOOOO, thank you for the illuminating videos!
@vexxafk (3 years ago)
I have tape stuck on my webcam.... so good luck spying on me 😂
@RYANTHORNTONCALL (3 years ago)
This is just another reason why you don't need SQL for storing data. Why isn't this stored in JSON?
@AjayKumar-xl4jc (3 years ago)
Great work, bro 😉
@BugBountyReportsExplained (3 years ago)
Thanks, bro.
@rainonedavid3564 (3 years ago)
My camera doesn't show video until I type sudo killall VDCAssistant in the terminal. Kind of glad that exists now.
@markjimenez6354 (3 years ago)
I can understand some of it but not all of it... what are the resources that I can see and study to understand this? lol ty
@BugBountyReportsExplained (3 years ago)
First of all, I'd like to tell you that I really think that you have a great attitude to learning, based on how you asked the question about resources, rather than "what's X". For the basics of SQL injection, go to: portswigger.net/web-security/sql-injection For the things about binaries, it's not advanced knowledge, just general stuff. I find it hard to find and give you one link.
@shubhamshah8415 (3 years ago)
Please add captions too. It would make understanding much better.
@BugBountyReportsExplained (3 years ago)
I think there are English automatically generated subtitles.
@BugBountyReportsExplained (3 years ago)
I've added subtitles, so you can now translate them into whatever language you want.
@timothybelton9604 (3 years ago)
Wow, that's awesome! Great video, bru
@BugBountyReportsExplained (3 years ago)
Thanks, bru
@ariad7452 (3 years ago)
*So that physical shutter that I stick on my camera wasn't such a waste of money after all*
@yareyaredaze9450 (3 years ago)
Just found your channel. Notifications immediately on! I am trying to learn SQL and PHP through the w3schools website. I think you explain things very well, and with the important details the vulnerability becomes easy to understand. Thank you!
@BugBountyReportsExplained (3 years ago)
Best of luck!
@saimkhalifa (3 years ago)
I don't know why, but I need to subscribe to this channel.
@BugBountyReportsExplained (3 years ago)
Everyone needs to 😏
@mat_name_whatever (3 years ago)
Why not do \' straight away to escape the first quote, using the added second quote to close the string?
@BugBountyReportsExplained (3 years ago)
Quote from the article: "Common sanitization bypasses, like including a backslash character, also fail."
@mat_name_whatever (3 years ago)
@BugBountyReportsExplained Ah, I see, I guess that was to be expected if they handle quotes like that. Thanks! :)
@faruky9197 (3 years ago)
Lucky my country is using the old version of Zoom :))))))))))
@BugBountyReportsExplained (3 years ago)
What does it mean? They block the updates?
@GuRuGeorge03 (3 years ago)
Basically all web apps have SQLi (and other) vulnerabilities. But of course people only go to the length of detecting them when it is a big company like Zoom.
@KokoroKatsura (3 years ago)
Zoom is directly developed by the Chinese military (PLA).
@TheDiscusserOriginal (3 years ago)
At the end of the day, a few simple rules to follow solve these issues. Firstly, never click a link unless trusted (and not just trusted as in from a trusted person, because they could be hacked). Secondly, never give your information to people who ask, regardless of whether they say they're employees of the company of the software. Thirdly, always have your laptop/computer camera away, or with tape over it, unless you're using it.
@BugBountyReportsExplained (3 years ago)
I fully agree, but also remember that clicking does not always mean that the hacker sends it to you via chat or an email. Clicking a link might also mean that you visit a malicious website (e.g. because it popped up in a Google search) and this website opens a link using JavaScript.
@seyedalihashemi2330 (3 years ago)
Thanks, dude. Keep it up!
@BugBountyReportsExplained (3 years ago)
👌
@adityagupta7881 (3 years ago)
You got a new subscriber, bro... Congo......
@BugBountyReportsExplained (3 years ago)
Welcome!
@myth__un (3 years ago)
Hi, in the next video, can you explain how we can report a bug bounty in the correct way? Thanks in advance.
@BugBountyReportsExplained (3 years ago)
Not really, as I focus more on the technical aspect, but there are a few of my videos where I show how well the report is written. See this for example: kzbin.info/www/bejne/n3OymXxjjZufeas
@ahmetsaric5364 (5 months ago)
Hello, thank you for your work.
@pastel_dreams8172 (3 years ago)
The teacher is proud.
@princepatwari365 (3 years ago)
Great explanation and POC.
@BugBountyReportsExplained (3 years ago)
Thanks, the credit for the POC goes to Keegan.
@ManpreetRiar (3 years ago)
Hello, Bug Bounty Hunters!
@BugBountyReportsExplained (3 years ago)
Hello!
@xE92vD (3 years ago)
Zoom's CEO comes and kills this man after he posted this video.
@BugBountyReportsExplained (3 years ago)
Zoom's security team must have agreed to disclose the write-up in a blog post.
@xE92vD (3 years ago)
@BugBountyReportsExplained Do you even get that this is a joke? No need to explain it, bro.
(3 years ago)
Awesome! 👏👏
@rbt-0007 (3 years ago)
I expected such a vulnerability.
@BugBountyReportsExplained (3 years ago)
Nice!
@sipinthatbub (3 years ago)
This is why I cover my camera with electrical tape.
@ripplerxeon (3 years ago)
Lol, stop spreading my idea... I was about to get a Nobel prize for it.
@rikkasatrio2285 (3 years ago)
OK, don't let my teacher see this.
@Stone_624 (3 years ago)
I'll never understand how/why Zoom became the pandemic's go-to software over Skype, a 15+ year old, professional and legitimate software maintained by Microsoft (that I grew up with). All of a sudden Zoom comes along and "Hey everyone, let's use this brand new untested software riddled with cybersecurity issues instead." What's wrong with people?
@BugBountyReportsExplained (3 years ago)
Unfortunately, people in general don't give a shit about security, they just want the nicest software. But I think Zoom was banned in the US at the beginning of the pandemic, so someone made a good decision there.
@abofhad4378 (3 years ago)
Thank you
@fredhair (3 years ago)
When people ask me why I won't use Zoom, I ask them why they don't use a secure Matrix client.
@BugBountyReportsExplained (3 years ago)
I hope Zoom is better now.
@awekeningbro1207 (3 years ago)
This. This is why I put duct tape on my laptop's cam.
@BugBountyReportsExplained (3 years ago)
I once had a Lenovo or Dell laptop that had a built-in, swipeable camera cover.
@Kitulous (3 years ago)
Lol, I have an Asus ROG Strix G which does not have a webcam at all 😂
@baadrqaaba9529 (3 years ago)
Oh, my chat app that I have developed is vulnerable then.
@BugBountyReportsExplained (3 years ago)
Fix it soon!
@xasmaniusvolk8416 (3 years ago)
That's why every piece of sh*t program I don't trust is inside a VM; no way I'd let such pieces of sh*t run on my main sys.
@renganathanofficial (3 years ago)
What if the victim turned off his camera in the application?
@BugBountyReportsExplained (3 years ago)
This setting would change the setting just after joining a new meeting. You could turn it off after you realised it's on.
@renganathanofficial (3 years ago)
@BugBountyReportsExplained Oh, okay, got it 😀
@HowToEverything1 (3 years ago)
Is it still possible to exploit this vulnerability or has it been patched?
@BugBountyReportsExplained (3 years ago)
It's been patched.
@HowToEverything1 (3 years ago)
@BugBountyReportsExplained Oh :(
@bluestonecreepr (3 years ago)
Looks at my non-existent webcam. Huh.
@goodboy8833 (3 years ago)
Good explanation
@BugBountyReportsExplained (3 years ago)
😎
@videocommenter (3 years ago)
Have you tried this on Google Meet, Microsoft Teams and others that allow you to join via a link?
@BugBountyReportsExplained (3 years ago)
Nope
@priyangshunath2910 (3 years ago)
Me before watching the video: huh, this must be fake. *Hears Russian accent* Me: This is real shit.
@subtoitskiblu7684 (3 years ago)
Laughs in Google Meet
@advaymayank1410 (3 years ago)
FBI AGENT INTENSIFIES
@stanleyguo7164 (3 years ago)
Laughs in virtual camera that's turned off by default
@BugBountyReportsExplained (3 years ago)
👌
@99bits46 (3 years ago)
Damn, professors, y'all dirty.
@ujjwaldeep5175 (3 years ago)
I don't understand what all this is! How do I learn this thing 'SQLi'?
@BugBountyReportsExplained (3 years ago)
Just google it.
@thekatyperrymemechannel2122 (3 years ago)
Didn't know John Cena was into computers.
@BugBountyReportsExplained (3 years ago)
Haha, you are not the first person in the comment section to tell me that 😂
@krimmy8459 (3 years ago)
I don't understand anything, but I have a feeling this is some kind of joke for people who do.
@BugBountyReportsExplained (3 years ago)
No, it's not.
@AhmedAymanM (3 years ago)
Okay, now please, as a programmer, someone tell me how to find out and do what that "researcher" did?
@user-so3eg1rw8l (3 years ago)
Cool channel, just found it, thanks for the interesting vid.