THANKS FOR WATCHING ❤ JOIN THE DISCORD! 👉 discord.gg/WYqqp7DXbm

** UPDATE ** A few commenters have been confused about whether or not Teams was using the deprecated AngularJS, or the new Angular. The answer is that it was indeed using the deprecated AngularJS. I even referenced the exact line of code in my description, within the old AngularJS: github.com/angular/angular.js/blob/47bf11ee94664367a26ed8c91b9b586d3dd420f5/src/ng/compile.js#L1384 Why was it being used after deprecation? My guess is as good as yours. Perhaps they were in the process of shifting away from it, as this only happened 5 months after it was deprecated, but still... The only part that I messed up on was @ 5:53 - I used the wrong README. This should have been the old AngularJS. I stand corrected. Thanks to those who pointed this out!

** UPDATE 2 ** Thanks to @Possible1985 for pointing out that the sentence @ 7:52 should have read "even if nodeIntegration is DISABLED", not enabled.

👇 Let me know what type of bug bounty reports you would like to see next! 👇 Thank you for all of the support, I love all of you
@Pr0toPoTaT0 7 months ago
I love people too 💓 💗 ❤️ 💕 💛 ♥️ 💓 💗
@SLAYERSARCH 7 months ago
This is the shocker, that they made such a big deal about using this malware over c-19
@sharonfox 7 months ago
Angugar?
@CatFish107 7 months ago
When you started the section on xss with "but first", I thought you were about to do an ad read for a VPN. Thank you for not doing sponsored ad reads. That was a relief.
@renakunisaki 7 months ago
Someone really decided to make it possible to embed JavaScript in a CSS class name
@jfbeam 7 months ago
YES. Would you expect anything less stupid from Google?
@seeibe 7 months ago
The issue is more to do with the fact that Teams is injecting dynamic, user generated HTML that then gets picked up by Angular. Basically what they're doing is akin to using "eval" on a user input string, and then running some sanitizer over that input to ensure the code contains nothing bad. That's extremely bad practice, for exactly the reasons outlined in the video.
@xmine08 7 months ago
That's as smart as allowing the download and running of arbitrary Java code by passing a string to a logging library, right? Oh, dang, that happened as well...
@pianowhizz 6 months ago
And that’s why everyone stopped using Angular in 2015! One of React’s main advantages has always been its protection against XSS :)
@xapk_ 6 months ago
How the HELL?😊
@Code_Capital 7 months ago
I'm surprised by how uncomplicated each singular step is but how much persistence is needed to pull the entire attack off...
@omanshsharma6796 7 months ago
Uncomplicated is a subjective term
@DensityMatrix1 7 months ago
@@omanshsharma6796 They really are uncomplicated. This attack is more like a mathematical proof: each statement is understandable, but having the insight about how to link them together is the clever bit.
@Bialy_1 7 months ago
@@DensityMatrix1 Working as intended... how hard is it to block code injection via text chat? Crazy easy, as you need specific and exact commands to do anything...
@MygenteTV 7 months ago
Uncomplicated? Not at all. Everything is easy and uncomplicated once you know it. For you to pull off an RCE, you really need to know what you are doing; you need to know the many different technologies and tricks to pull this off. This guy built a 0-day from scratch, step by step. That's talent. I'm not surprised he is Chinese. Those guys are built different.
@jfbeam 7 months ago
It's only "uncomplicated" once you've seen it done. This is a pretty novel and slick chain of events, requiring locating some pretty tiny needles in a very big haystack.
@NightMX_ 7 months ago
I could not pull this off if my life depended on it
@RayScheelhaase-nd9rw 7 months ago
Sounds like something a hacker would say
@diaahanna8882 7 months ago
No one could, that is why it is valued at $150k
@humanbeing2730 7 months ago
for real I could have a thousand years and not figure it out
@cc-dtv 7 months ago
git gud
@cc-dtv 7 months ago
@@diaahanna8882 just a matter of time spent
@denisel 7 months ago
Wow, 150k for this is embarrassing. 270 MILLION high-quality targets with a zero click. 3 TRILLION company btw. No wonder people turn to crime, good thing dude's compass points north. Finding exploits is a thankless job...
@DanielBoctor 7 months ago
I agree with you on this. The bounty definitely should have been far higher for the impact of the exploit 🤷
@schwingedeshaehers 7 months ago
around 0.5 dollars per 1000 users
@commander3494 7 months ago
@@schwingedeshaehers wow, I think an ad would make more money than that
@savire.ergheiz 7 months ago
Shame on M$ 😅 They should pay $1m at least.
@kkamau5479 7 months ago
If he sold this to any government he would've had a major pay day
@kevinvoiceactor9694 7 months ago
This was an incredible video. Animations are fire, going back to the high-level steps of the exploit, and coloring the relevant code snippets were all incredibly helpful for me to follow along. Liked, subbed, did all the things. Hoping to see more from you.
@DanielBoctor 7 months ago
Man, this is one of my favourite comments ever, thank you ❤️. You're the first person so far to mention the semantic colour coding, which I pay a lot of attention to. I'm happy it helped, and glad to have you a part of the community!
@pizza-pi 6 months ago
@@DanielBoctor semantic colour coding is life, in work and in your vids. very nice touch.
@petar0402 6 months ago
I work in IT and I hate Teams app with great passion. Actually, ANY app or a script that auto-launches itself in window mode by default.
@yash1152 3 months ago
What does that mean? What is window mode? > _"I hate .... ANY app or a script that auto-launches itself in window mode by default"_
@petar0402 3 months ago
@@yash1152 Any app/script that opens its window not minimized or in the system tray.
@yash1152 3 months ago
@@petar0402 why do you hate them? do you want your browser, editor (notepad, intellij, eclipse, etc), office suite, preferences app to NOT OPEN as windows? [1/n]
@yash1152 3 months ago
I mean, I agree - there are some apps where opening minimized makes sense: ShareX screenshot app, media players, overlay tools etc... but the majority of apps don't fall in this category. [2/n]
@yash1152 3 months ago
> _"Any app/script that opens it's window that is not minimized or in system tray."_ [3/3]
@itsthesteve 7 months ago
AngularJS in Teams? Lordy.
@ayecab 7 months ago
Just the right amount of technical details while providing a great overall narrative. Nice work.
@DanielBoctor 7 months ago
Thanks for the support! Means a lot
@Megamanthemachine 7 months ago
Dead ass this is better than straight up bashing Microsoft and saying go to Linux go to Linux as it’s the underlying that matters
@SylvainPOLLETVILLARD 7 months ago
Masato Kinugawa is a legend; with Gareth Heyes, those are the best XSS hunters I know. $150k well deserved!
@randomperson9282 7 months ago
It's actually quite simple, but man, you gotta really understand the know-how to get in and get out. Genius to find this minuscule window from such a huge company. Btw thank you for the simple explanation, you made it easy to understand, and amazing visuals.
@DanielBoctor 7 months ago
glad it was helpful
@LatteCannon 7 months ago
These videos are so informative and well made, I can’t believe you only have 15k subs. You’re gonna make it big
@DanielBoctor 7 months ago
Thank you for the support! I appreciate it ❤️
@zugly1999 7 months ago
6:38 love how you use Lemino's music for bgm ❤
@DanielBoctor 7 months ago
He's an inspiration to me
@ryangrogan6839 7 months ago
It's so baffling to me that developers decided to beat JS into a bloody pulp until it does what you want it to do, instead of just admitting that we should probably just use a different technology. Now, we have wild exploit chains like this that are possible because we keep adding crap to make HTML do things it was never meant to do. This is what happens when you combine two completely separate and highly open ended technologies together. Of course you can do some really wacky stuff, especially when the combination of the two technologies was not expected, intended, or standardized. But we loved them so much that we forced them together into unholy matrimony. And we just can't get enough. We just have to keep coming up with newer, hotter and wilder ways to get some JS all up in our HTML.
@SianaGearz 7 months ago
And on the other side we have C++, which sort of looks like it was developed for the purpose of making complex and robust applications, as were the common frameworks, but which is good for spectacularly dangerous exploits, probably more so than dynamic HTML land.
@ryangrogan6839 7 months ago
I still feel that JS vulnerabilities are more worrisome because they are usually due to bad config and build tools/frameworks with bugs. These vulnerabilities would then affect all projects that use them. C++ doesn't become vulnerable until you write or use bad code.
@SianaGearz 7 months ago
@@ryangrogan6839 Oh, but where there's code, there's bugs; it's inevitable. There are memory safety bugs in every C and C++ framework that you're sitting atop right now, this can be guaranteed. It's not like buggy code necessarily smells; bad code routinely passes reviews and gets examined hundreds of times without something being noticed wrong, because in other possible contexts the same code is correct. My two favourite cases were both caused by iterator invalidation; both caused months of hunting because the outcome was wrong logic which wasn't legible in the debugger, because at the point of invocation it was "correct", it was just dealing with data that could no longer exist but looked valid, and occasional malloc crashes elsewhere in the program.
@CoreyKearney 7 months ago
Electron is an open-source program with its own org and framework. The code is hosted on GitHub; it is not a GitHub project. That matters.
@DanielBoctor 7 months ago
You are right, however it was originally developed by GitHub. They transferred Electron's ownership from GitHub to the OpenJS Foundation in ~2019.
@gridlocdev2023 7 months ago
Hey, just a heads-up: the way the sponsor was mentioned in this video may have violated YouTube sponsorship disclosure guidelines, since there wasn't a verbal disclosure and/or paid promotion notification. (See the "Add paid product placements, sponsorships & endorsements" YouTube Help page.) I'm not a creator myself, but the way to properly do it would probably be one or more of the two things below, I think:
- In YouTube Studio, under "More", clicking the "My video contains paid promotion like a product placement, sponsorship, or endorsement." box will display an "Includes paid promotion" disclaimer in the first 10 seconds of the video
- In the YouTube video content or description, I believe there's some requirement to verbally disclose the nature of the relationship with the sponsor, e.g. by saying "You may want to check out this video's sponsor, SquareX", or "This video was sponsored by SquareX", etc.
@DanielBoctor 7 months ago
Thanks for bringing this up. The paid promotion option was always on, and the notification was always present at the start of the video. Are you sure you didn't see it? It shows up for me. In terms of the verbal disclosure though, can you find / link where it states that? I looked through the page that you referenced, and nowhere could I find any sort of verbal disclosure requirement. I genuinely appreciate your heads up, I just couldn't find the verbal requirement anywhere. Let me know if you can find this. Thank you
@adamhenriksson6007 3 months ago
This exploit has every single front-end exploit stereotype: XSS enabled by templating (why are we still doing this?), prototype pollution (JS lmao), Electron (of course), and improper configuration (what even is security anymore?). 10/10 perfect specimen. French kiss 👌
@gravity00x 6 months ago
"accidentally" 😂😂😂 absolute comedian
@Sacrosaunt 6 months ago
bruh who is this guy dude came out of nowhere and is making this clutch content
@DanielBoctor 6 months ago
LOL, this is truly a great comment
@sangeetguha51 7 months ago
as always, very good quality!
@DanielBoctor 7 months ago
Glad you think so! Thanks for the support 😊
@MaZe741 7 months ago
goddamn regex wildcard made this possible
@Selsato 7 months ago
Fucking love regex man. Terrible to write, worse to read. Has the security of swiss cheese. And we just CANNOT help ourselves.
@specy_ 7 months ago
@@Selsato let's use a LALR parser instead!
@sawxpatscelts 7 months ago
$150k ain’t much of a bounty for something that could topple your entire company.
@KristianKumpula 6 months ago
0:20 Why did you put slashes instead of hyphens into that command?
@ehwiwh7358 7 months ago
Hey, love these videos! Can you make one about the RCE exploit that shut down the servers of all Souls games developed by FromSoftware?
@ehwiwh7358 7 months ago
It's super interesting because if the exploit hadn't been reported responsibly, it could have been used on Elden Ring, one of the biggest games of all time, on hundreds of thousands of people simultaneously. It could have been one of the worst exploits in gaming
@ehwiwh7358 7 months ago
It did not even require a P2P connection, as it exploited the game's servers. Tremwil wrote a great explanation on GitHub
@ehwiwh7358 7 months ago
Even players sitting on the main menu were affected! (sorry I had to type the comment like this, YT kept deleting it over and over again. Might need to "sort by new" to see it all)
@joshua_337 6 months ago
Great explanation, even with your pronunciation of JavaScript 😉. Your latest video on speculative execution was also amazing. Just discovered your channel today and subscribed. Looking forward to future videos as well as going through your previous ones.
@DanielBoctor 6 months ago
Thank you for the support! I appreciate it. Glad you're finding my content interesting
@mghemke 7 months ago
I'm surprised Microsoft only paid $150K for this bounty. I'm reasonably sure that there are more nefarious folks, maybe on the black web, maybe organized crime, maybe nation states, that would have paid much, much, much more.
@RealBenAnderson 3 months ago
“In the early days of the Internet, browsers used a single program instance that was shared by all browser tabs…” Bro some of us remember when tabs didn’t even exist yet 😂
@123norway 7 months ago
I wish you named your channel «Doctor Boctor»
@DanielBoctor 7 months ago
You have no idea how many people call me that irl lol. I might actually change the name of the channel one day.
@ByronShingo 7 months ago
Another amazing video, keep up the fantastic work!
@DanielBoctor 7 months ago
Will do! Thanks for the support!
@TrimeshSZ 7 months ago
This just makes me feel that my instinct to never use any desktop JS app was 100% correct.
@laztheripper 7 months ago
Yes, because running an app that runs JS in an isolated environment is much more dangerous than a .exe file that has direct and complete access to all Win APIs. This is pure regurgitating of popular slogans like "JS bad".
@specy_ 7 months ago
@@laztheripper exactly, I hear people complain all the time about this stuff. I preach for more low-level access (like having a sandboxed file system) to websites installed as webapps (with permissions prompted to the user), and every time I'm answered with "but that's dangerous!!!" Yeah, because let's just ignore the fact everyone just downloads random exe files that have complete access to your OS
@TrimeshSZ 7 months ago
The problem is that if you want to produce a desktop app that does anything useful then you have to provide access to the underlying system anyway - and that's an issue when dealing with a language that was designed with the underlying assumption that it was running in an ephemeral isolated context where nothing it does actually matters. It's also extremely hard to carry out static analysis on, and has led to the spread of the incredibly dangerous idea that code that passes the tests is "correct". @@laztheripper
@piotrc966 7 months ago
@@laztheripper "Yes, because running an app that runs JS in an isolated environment is much more dangerous than a .exe" As you can see - yes. In a native application, you have no way for the displayed text in the control to call scripts. You don't need to sanitize anything.
@wolfeygamedev1688 7 months ago
@@laztheripper actually yes, JS bad. You can't XSS a native app that doesn't have scripting…
@rogerdeutsch5883 7 months ago
Was the patch to fix this problem done in node.js (or a package it depended on) or Teams? If node.js, which version had this problem? Thanks for a great video.
@chy4e431 7 months ago
This was *not* an issue with Node.js itself. If that was your conclusion, I question if you actually followed along with the video.
@GainingDespair 7 months ago
"accident" Feds accidentally left multiple bags of cash at an executives office as well
@justlisten6479 2 months ago
What video editing program do you use?
@DanielBoctor 2 months ago
@@justlisten6479 DaVinci Resolve
@justlisten6479 2 months ago
@@DanielBoctor where can I find templates like these that you are using please?
@DanielBoctor 2 months ago
@@justlisten6479 I don't use any templates. I created everything myself.
@Darkregen9545 7 months ago
I never understood the point of microsoft teams and microsoft forcing this program down my throat. I miss the days where we could uninstall and delete anything on our PC, but nah local administration means literally nothing even Super users.
@abcdefgh1279 7 months ago
I don't understand most of these code lines, but I still enjoy watching this, because of clear graphics explaining what's going on... 😅
@sdwone 7 months ago
The more complex our apps get, the larger the attack surface becomes... And it's getting more and more complicated, each and every day!
@Jone952 6 months ago
Allowlist?
@derzsidaniel7656 6 months ago
The multiprocess browser model was invented by Firefox through the e10s project, not Chrome
@Possible1985 7 months ago
7:52 "even if nodeIntegration is DISABLED" not enabled
@DanielBoctor 7 months ago
AHHHHHHHHH I don't know how I didn't catch this! To be fair, you were the first to mention it out of 100k+ views. Good catch. I updated the pinned comment. Thanks!
@jesenialimited1385 7 months ago
That was an awesome explanation
@DanielBoctor 7 months ago
not as awesome as you
@jonr6680 7 months ago
Fascinating and terrifying, but this is 'just' talented humans discovering the exploit... Imagine AI explicitly tasked with taking down any software, any system. THIS is the future, and you can bet there are institutional players in certain countries doing exactly that.
@JSDudeca 6 months ago
If Electron was built on Deno, could this have been possible?
@run00n0 5 months ago
Found this in my watch later. It blows my mind how the xz exploit, which affected nobody, became headlines over headlines despite never hitting prod/stable distros, but Windows has an exploit of this scale and not a soul is talking about it
@RandomGeometryDashStuff 7 months ago
06:29 Is "malicious" a separate class because there is a space before it?
@DanielBoctor 7 months ago
Just to be clear, there is only a single class here, "swift-*", as perceived by Teams. What we're doing is piggybacking the ng-init directive onto the swift-* class. The Teams sanitation library, sanitize-html, allows this, as it only sees a single class that conforms to the allow-list. The "ng-init: malicious" is NOT its own class as perceived by Teams' sanitation library sanitize-html, but WILL be recognized by Angular's own parsing engine. To answer your question, no, the space before the malicious expression is not needed. From Angular's perspective, the only thing required is the semicolon, as its RegEx uses a semicolon as a delimiter. In short, the space is not necessary, but the semicolon is. Hopefully this helps!
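An added example (not the video's or Teams' code) modelling the mismatch this reply describes: an allow-list that matches a whole class token against the glob "swift-*" beside an AngularJS-style class-directive scan that splits on ";". The glob-to-regex conversion and the directive pattern are assumptions modelled on the behaviour described, the token is constructed and its ng-init value is just the placeholder "malicious", and a tighter allow-list that only lets class-name characters through is shown as the fix.

```javascript
// Added example (not the video's or Teams' code). Models the sanitizer-vs-template-compiler
// mismatch: one whitespace-free class token that an allow-list accepts, yet which an
// AngularJS-style class-directive scan reads as "swift-x" followed by an ng-init directive.

function escapeRegex(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
}

// Assumed weak allow-list: a glob like "swift-*" becomes /^swift-.*$/. The wildcard
// happily swallows ":" and ";", so one "allowed" token can carry a directive.
function globToRegexWeak(glob) {
  return new RegExp('^' + glob.split('*').map(escapeRegex).join('.*') + '$');
}

// Hardened allow-list: the wildcard only matches class-name characters ([\w-]),
// so ":" and ";" can never survive inside an accepted token.
function globToRegexStrict(glob) {
  return new RegExp('^' + glob.split('*').map(escapeRegex).join('[\\w-]*') + '$');
}

// Sanitizer view: split the class attribute on whitespace and keep only tokens
// that match an allowed glob (mirrors "it only sees a single class that
// conforms to the allow-list" from the reply above).
function sanitizeClassAttr(classAttr, allowedGlobs, globToRegex) {
  const patterns = allowedGlobs.map(globToRegex);
  return classAttr.split(/\s+/).filter((t) => t !== '' && patterns.some((p) => p.test(t)));
}

// Template-compiler view (assumption, modelled on AngularJS's class-directive
// regex): repeatedly match "name[:value][;]" against the remaining class string,
// whitespace or not, and collect the names that are known directives.
const CLASS_DIRECTIVE_REGEXP = /(([\w-]+)(?::([^;]+))?;?)/;

function collectClassDirectives(className, knownDirectives) {
  const found = [];
  let rest = className;
  let match;
  while ((match = CLASS_DIRECTIVE_REGEXP.exec(rest)) !== null) {
    const name = match[2];
    if (knownDirectives.has(name)) {
      found.push({ name, value: (match[3] || '').trim() });
    }
    rest = rest.slice(match.index + match[0].length);
  }
  return found;
}

// End to end: which directives reach the compiler after sanitization?
function directivesAfterSanitize(classAttr, globToRegex) {
  const kept = sanitizeClassAttr(classAttr, ['swift-*'], globToRegex);
  return collectClassDirectives(kept.join(' '), new Set(['ng-init']));
}

// Constructed input: a single token with no spaces. The sanitizer sees one class
// beginning with "swift-"; the ";"-delimited scan sees "swift-x" and then ng-init.
const CONSTRUCTED_TOKEN = 'swift-x;ng-init:malicious';

console.log('weak allow-list  :', JSON.stringify(directivesAfterSanitize(CONSTRUCTED_TOKEN, globToRegexWeak)));
console.log('strict allow-list:', JSON.stringify(directivesAfterSanitize(CONSTRUCTED_TOKEN, globToRegexStrict)));
```

The real fix in the reply's terms is that the sanitizer and the template compiler must agree on what a "class" is; anchoring the wildcard to class-name characters is one way to make them agree.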
@MehranGhamaty 7 months ago
Perfect example of why I know having a dedicated language for the front-end and the server process is ideal. Why are people making this more complex than needed?
@Derekzparty 7 months ago
One of my first uses of psexec was remotely opening calculator on a coworker's desktop!
@i_am_dumb1070 7 months ago
How can someone even find such a thing, man 🤯 It sounds too difficult... but nice explanation ❤
@DanielBoctor 7 months ago
Some of these bug hunters are on another level. Thanks for watching ❤
@graxxon 3 months ago
In 2014, Microsoft fired its internal testing team, and since then this has been reflected in the quality, because we normal users do the testing. Windows has become quite a disaster, security holes everywhere.
@TibinThomas1993 7 months ago
@5:55 the screenshot you are showing is wrong. It's of Angular, not of AngularJS.
@Luzgar 7 months ago
Some languages have the concept of raw strings, wouldn't that put a definitive end to all of this madness?
@tacticalassaultanteater9678 7 months ago
I would simply not compile chat messages as an Angular template, because the template compiler is designed with trusted input in mind.
@mynameismynameis666 7 months ago
Not an accident, a data sale.
@owlmostdead9492 7 months ago
If you write any clientside app with its backend in javascript, you deserve every CVE you will inevitably suffer from
@YeloPartyHat 7 months ago
The price tag attached and knowing now that is one of the highest bounties is sad. I am very surprised how poorly this pays
@patrickprafke4894 5 months ago
If you think for a second that every OS doesn't have back doors to the parent company or the government, you're special.
@ibnu7942 7 months ago
I don't think WhatsApp uses Electron anymore
@DanielBoctor 7 months ago
Good catch. It seems that they transitioned from Electron to native in mid 2023. I stand corrected. Thanks for pointing this out!
@larry1851 7 months ago
Always a blessing to watch!
@DanielBoctor 7 months ago
Always a blessing to have you a part of the channel
@wapuvdvdv 7 months ago
such good videos but why mr robot always in the thumbnail 😭
@OrangeYTT 7 months ago
Classic Hackerman 😂
@SgtStarSlayer 7 months ago
Not surprised, Microsoft has been doing this since the earliest iteration of Windows.
@LiquidRazz 7 months ago
Oh regex... nobody remembers you have to account for characters outside of your application if they break out of it.
@yufgyug3735 7 months ago
is allowlist the same as whitelist?
@DanielBoctor 7 months ago
yes, they both refer to the same thing
@ohmymndy8410 7 months ago
It is almost as if all the layers of abstraction with electron applications, or anything frontend web related, are a bad idea...
@beepbop6697 7 months ago
NodeJS and its accompanying NPM libraries feel like a repository of shitty Stack Overflow code.
@pcartisan2721 6 months ago
Very interesting. Maybe we should go back to simple tools like pencil and paper. As I watch from my iPhone. 😉 At what point do we say that too much of our personal data is taken from us? Way too many systems are being hacked - Gov’t, hospitals, etc., not to mention every website.
@rayanfernandes2631 7 months ago
How in the world does one learn about these exploits? The guy is truly a genius hacker 😮
@justdoityourself7134 7 months ago
I'm not surprised that regex is a part of more than one of these exploit steps. Regex is awful and usually results in unintended or unacknowledged effects.
@GeneralPurposeVehicl 5 months ago
I want to see an RCE used to play DOOM now.
@Christobanistan 5 months ago
Y'all have heard of the Linux root backdoor, right? Wowser!
@4.0.4 7 months ago
Angular is the PHP of JavaScript.
@jamess.2491 7 months ago
The real question is WHY THE FUCK IS TEAMS BUILT WITH ELECTRON 🤦♂
@toms7114 7 months ago
This is one of the reasons I say you should never use wildcards in any regex in code, and anyone who does or suggests it should be fired immediately.
@lazerpie101 7 months ago
every time I hear about exploits based around web development I become more shocked by just how stupidly designed it is.
@yash1152 3 months ago
7:19 u got a sub (:
@ramandev_ 7 months ago
Hacking is art. Holy ...
@elexbeats 6 months ago
How is it possible that a giant like Microsoft, with unlimited resources, is using JS frameworks for their software?
@supremebeme 7 months ago
incredible video. subbed
@DanielBoctor 7 months ago
Thanks!
@doktork3406 7 months ago
Just 150K for this? Turn to crime people... the TRILLION dollar company paid literally nothing for this
@motoryzen 7 months ago
While I sincerely am playfully in a George Carlin manner... Agree and empathize with your overall point.... You seem to forget that microcrap paid that amount of money long before they became a trillion dollar company. Thus, at first it did collestom, a decent chunk, but not a business or life threatening chunk, if that makes any sense.
@Fractal227 7 months ago
So what did the bug hunter get for this?
@MuscleTeamOfficial 7 months ago
My brain is telling me this is like the escaping v8 env clobbering... Reco that one too.
@sahin8780 7 months ago
I am not surprised that teams has a vulnerability, it has lots of problems also.
@mixmashandtinker3266 7 months ago
How the blazes does one come up with these vectors!!??
@TheSabaton1 6 months ago
A remote code execution vulnerability is worth 150k? Damn, that's low af
@rockNbrain 7 months ago
Nice job dude🎉
@tangentfox4677 6 months ago
I have to immediately question why the hell the node API would have full system access. What the fuck. Only get access for what's needed ffs..
@YT2go4me 3 months ago
Great video
@VMiXEZ 7 months ago
Should we stop using web tech for building desktop/mobile app already?
@sdwone 7 months ago
Web tech is already a mess, thanks primarily to JavaScript, so... JS on the desktop and the backend too just sounds like a disaster waiting to happen!
@vintagewander 7 months ago
Imagine Microsoft writing their own product using Electron, meanwhile Apple engineers wrote their Apple TV app in the native Windows API
@YourMom-rg5jk 4 months ago
Why would we write only the logic needed to solve a problem? Let's add a DOM and JIT and increase the attack surface tenfold. Sounds like a great plan to me, guys
@kevin41420 7 months ago
> used electron
@jaygay 7 months ago
I literally paused the video at this point 😅
@mgord9518 5 months ago
The corporate obsession with JS will never cease to amaze me
@YourMom-rg5jk 4 months ago
@@mgord9518 seriously.
@dafoex 3 months ago
Everyone is too busy trying to change things that most people don't think about instead of fixing bugs.
@2beJT 7 months ago
150k is among the largest bug bounties? Wow, so now I know nothing is secure.
@MaxJM711 7 months ago
I'm beginning to start my journey into cybersec and I couldn't have found this at a better time, amazing content my brother! As a side note, 150k seems stupidly low for the gravity of the exploit and how many people could've been affected by it
@4.0.4 7 months ago
And yet one of the biggest payouts ever.
@stellviahohenheim 7 months ago
cybersex?
@MaxJM711 7 months ago
@@stellviahohenheim Amen homie
@dhootparm 6 months ago
Now this guy should have got paid like 10 million at least. That would have encouraged more people to pursue stuff like this and find vulnerabilities. This bounty will actively discourage people which is kind of sad. Good thing this guy had a good heart/head.
@OrangeYTT 7 months ago
00:30 you should cover the highest paid bug bounty on that list, about staying in Apple for 3 months. Seems incredibly interesting!
@DanielBoctor 7 months ago
The headline there is actually a bit misleading, lol. They didn't remain inside Apple for 3 months - they just assembled a team of pen testers to find bugs at Apple over a 3 month period. They found 55 total vulnerabilities over the time span. The reason why the bounty is listed so high is because it's a summation across the payouts for all 55 bugs. Here's the full report if you're interested: samcurry.net/hacking-apple/
@cexeodus 7 months ago
55 in only three months does seem highly eligible for an efficiency-to-haul ratio bonus tbh. Alone I have found about 20 in a single month, but that's across multiple vendors/manufacturers. (Never been paid for them, so there's no record to cite here.)
@gg-gn3re 7 months ago
@@komorebi8182 The URL has words in it; those words tell you what site it is. If you traverse to the main domain of a website they generally tell you what they are. In this case it's a guy's blog.
@DanielBoctor 7 months ago
@@komorebi8182 oops, didn't see this till now! It's called pentester.land - pretty awesome site.
@kRySt4LGaMeR 7 months ago
modern exploit chains are pure insanity. it really makes you wonder whether all those mitigations are helping or just delaying the inevitable.
@andytroo 7 months ago
It's both - in some ways it shows how 'secure' things are these days - no more drive-by from script kiddies dropping quotes into text boxes. But all steps in this chain were patched - so any new security break like this needs 4 new exploit steps. And there are prizes for discovering any 2 in a row (1 alone isn't worth that much). We're trying to set up an environment where the user can do whatever they want, without allowing them to do specific actions - the target is 'hard' to achieve :)
@tylerbreau4544 7 months ago
A lock doesn't stop criminals. It just deters criminals. Patching exploits and improving security makes it harder to do malicious things in these apps. It's a deterrent.
@AIChameleonMusic 6 months ago
Grabify is an easy drive-by phish used today to log your IP in a text box (just 1 of many examples), so there are still things people can do phishing-wise that just rely on social engineering A SINGLE CLICK. @@andytroo
@weir9996 3 months ago
@@tylerbreau4544 It's a very successful deterrent too. Outside of state-sponsored actors, people aren't going to bother finding these complicated exploits for malicious purposes because there's generally an easier way to make money.
@shapelessed 7 months ago
Amazing, isn't it? You find a critical, 0-click RCE in a company's product and they pay you out 150k... Go to a company like NSO, sign a simple NDA and you've got yourself 1.5 million...
@serviteccompletojimenez8995 7 months ago
Check the history, we're talking about Microsoft!
@joe-skeen 7 months ago
Your explanation of Angular's role in the exploit was confusing to me, because it seemed that you conflated AngularJS, the ancient, deprecated framework, with the modern versions of Angular. It is not clear which version they were using in the exploit. The screenshots showed version 1.8, which would be the old version, which in the year of that exploit would have been after end of life support. Feels very careless of Microsoft to continue using that version so long...
@DanielBoctor 7 months ago
Good question. They were indeed using the old AngularJS. I even linked the exact line I referenced in the video in the description: github.com/angular/angular.js/blob/47bf11ee94664367a26ed8c91b9b586d3dd420f5/src/ng/compile.js#L1384 Why was it being used after deprecation? My guess is as good as yours. Perhaps they were in the process of shifting away from it, as this only happened 5 months after it was deprecated, but still...
@joe-skeen 7 months ago
Thanks for the clarification!
@DanielBoctor 7 months ago
of course
@Voltra_ 7 months ago
The fact that they use AngularJS instead of Angular >=2 is baffling
@BlueEdgeTechno 7 months ago
You will be surprised by how degraded technologies these MNCs use. It requires them time to overhaul their system.
@anonymoususer6801 7 months ago
They still use Knockout.js in Azure. It seems it takes quite a while for a service to come into production, and it seems like they move slow with replacing it.
@Voltra_ 7 months ago
@@anonymoususer6801 I mean sure, but like AngularJS has been softly deprecated 10 years ago, fully deprecated not long after, and the last release was 4 years ago...
@mitchell6679 7 months ago
And that they sanitize user input a little and then just treat it as dynamic markup, that’s the insane part to me
@haroldcruz8550 7 months ago
It's all about profit margins, switching to a different code base is an additional cost. You'll be surprised how many legacy frameworks are still in use today even by large companies.
@TheTraveler33 7 months ago
I don't even need to watch the video to tell you how Microsoft backdoored millions of users. They sold them Windows. Backdoored has multiple meanings when it comes to Microsoft. Lol!
@aaronv4802 7 months ago
All because someone thought JS on the server side was a good idea.
@jacobjayme6280 7 months ago
Awesome video Dan! Always delivering high quality content
@DanielBoctor 7 months ago
Thank you Jacob!!!
@Pr0toPoTaT0 7 months ago
Thank you for taking the time to say and make all these graphics! Your hard work doesn't go unnoticed, sir!
@DanielBoctor 7 months ago
Thank you so much! The support means a lot ❤️. Thank you for the recognition, and for being a part of the channel 😊