THANKS FOR WATCHING ❤ JOIN THE DISCORD! 👉 discord.gg/WYqqp7DXbm ** UPDATE ** A few commenters have been confused weather or not Teams was using the deprecated AngularJS, or the new Angular. The answer is that it was indeed using the deprecated AngularJS. I even referenced the exact line of code in my description, within the old AngularJS: github.com/angular/angular.js/blob/47bf11ee94664367a26ed8c91b9b586d3dd420f5/src/ng/compile.js#L1384 Why was it being used after deprecation? My guess is at good as yours. Perhaps they were in the process of shifting away from it, as this only happened 5 months after it was deprecated, but still... The only part that I messed up on was @ 5:53 - I used the wrong README. This should have been the old AngularJS. I stand corrected. Thanks to those who pointed this out! ** UPDATE 2 ** Thanks to @Possible1985 for pointing out that the sentence @ 7:52 should have read "even if nodeIntegration is DISABLED", not enabled. 👇 Let me know what type of bug bounty reports you would like to see next! 👇 Thank you for all of the support, I love all of you

Someone really decided to make it possible to embed JavaScript in a CSS class name

I'm surprised by how uncomplicated each singular step is but how much persistence is needed to pull the entire attack off...

I could not pull this off if my life depended on it

Wow 150k for this is embarrassing. 270 MILLION high-quality targets with a zero click. 3 TRILLION company btw. No wonder people turn to crime, good thing dudes compass points north. Finding exploits is a thankless job...

This was an incredible video. Animations are fire, going back to the high-level steps of the exploit, and coloring the relevant code snippets were all incredibly helpful for me to follow along. Liked, subbed, did all the things. Hoping to see more from you.

I work in IT and I hate Teams app with great passion. Actually, ANY app or a script that auto-launches itself in window mode by default.

AngularJs in teams? Lordy.

Just the right amount of technical details while providing a great overall narrative. Nice work.

Masato Kinugawa is a legend, with Gareth Heyes those are the best XSS hunters i know. 150k$ well deserved !

It’s actually quite simple but man you gotta really understand the know how’s to get in and get out. Genius to find this minuscule window from such a huge company. btw thank you for the simple explanation you made it easy to understand and amazing visuals.

These videos are so informative and well made, I can’t believe you only have 15k subs. You’re gonna make it big

6:38 love how you use Lemino's music for bgm ❤

It's so baffling to me that developers decided to beat JS into a bloody pulp until it does what you want it to do, instead of just admitting that we should probably just use a different technology. Now, we have wild exploit chains like this that are possible because we keep adding crap to make HTML do things it was never meant to do. This is what happens when you combine two completely separate and highly open ended technologies together. Of course you can do some really wacky stuff, especially when the combination of the two technologies was not expected, intended, or standardized. But we loved them so much that we forced them together into unholy matrimony. And we just can't get enough. We just have to keep coming up with newer, hotter and wilder ways to get some JS all up in our HTML.

Eletron is an opensource program with it's own org and framework. The code is hosted on github, it is not a github project. That matters.

Hey, just a heads-up the way the sponsor was mentioned in this video may have violated KZbin sponsoring disclosement guidelines since there wasn't a verbal disclosure and/or paid promotion notification. (See the "Add paid product placements, sponsorships & endorsements" KZbin Help page) I'm not a creator myself, but the way to properly do it would probably be one or more of the below two things, I think: - In KZbin Studio, under "More", clicking the “My video contains paid promotion like a product placement, sponsorship, or endorsement.” box will display a "Includes paid promotion" disclaimer at the first 10 seconds of the video - In the KZbin video content or description, I believe there's some requirement to verbally disclose the nature of the relationship with the sponsor. E.g. by saying "You may want to check out this video's sponsor, SquareX", or "This video was sponsored by SquareX", etc.

This exploit have every single front-end exploit stereotype. XSS enabled by templating (why are we still doing this?), prototype polution (js lmao), Electron (of course), and improper configuration (what even is security anymore?). 10/10 perfect specimen. French kiss 👌

"accidentally" 😂😂😂 absolute commedian

bruh who is this guy dude came out of nowhere and is making this clutch content

as always, very good quality!

goddamn regex wildcard made this possible

$150k ain’t much of a bounty for something that could topple your entire company.

0:20 Why did you put slashes instead hyphens into that command?

Hey, love these videos! Can you make one about the RCE exploit that shut down the servers of all Souls games developed by Fromsoftware?

Great explanation, even with your pronunciation of JavaScript 😉. Your latest video on speculative execution was also amazing. Just discovered your channel today and subscribed. Looking forward to future videos as well as going through your previous ones.

I'm surprised Microsoft only paid $150K for this bounty. I'm reasonably sure that there are more nefarious folks, maybe on the black web, maybe organized crime, maybe nation states, that would have paid much, much, much more.

“In the early days of the Internet, browsers used a single program instance that was shared by all browser tabs…” Bro some of us remember when tabs didn’t even exist yet 😂

I wish you named your channel «Doctor Boctor»

Another amazing video, keep up the fantastic work!

This just makes me feel that my instinct to never use any desktop JS app was 100% correct.

Was the patch to fix this problem done in node.js (or a package it depended on) or Teams? If node.js, which version had this problem? Thanks for a great video.

"accident" Feds accidentally left multiple bags of cash at an executives office as well

What video editing program do you use?

I never understood the point of microsoft teams and microsoft forcing this program down my throat. I miss the days where we could uninstall and delete anything on our PC, but nah local administration means literally nothing even Super users.

I don't understand most of these code lines, but I still enjoy watching this, because of clear graphics explaining what's going on... 😅

The more complex our apps get, the larger the attack surfaces becomes... And it's getting more and more complicated, each and every day!

Allowlist?

The multiprocess browser model was invented by Firefox through the e10s project, not Chrome

7:52 "even if nodeIntegration is DISABLED" not enabled

That was an awesome explanation

Fascinating and terrifying, but this is 'just' talented humans discovering the exploit... Imagine AI explicitly tasked with taking down any software, any system. THIS is the future, and you can bet there are institutional players in certain countries doing exactly that.

If electron was built on Deno, could this have been possible?

found this in my watch later, it blows my mind how the xz exploit which affected nobody became headlines over headlines despite never hitting prod/stable distros but windows has a exploit of this scale and not a soul is talking about it

06:29 is "malicious" separate class because there is space before?

Perfect example of why I know have a dedicated language for the front-end and the server process is ideal. Why are people making this more complex than needed?

One of my first uses of psexec was remotely opening calculator on a coworker's desktop!

How can someone even find such a thing mann 🤯it sounds too difficult...but nice explanation ❤

In 2014, Microsoft fired its internal testing team, and since then this has been reflected in the quality, because we normal users do the testing. Windows has become quite a disaster, security holes everywhere.

@5:55 the screenshot you are showing is wrong. Its of Angular but not of Angular JS.

Some languages have the concept of raw strings, wouldn't that put a definitive end to all of this madness?

I would simply not compile chat messages as an Angular template, because the template compiler is designed with trusted input in mind.

not an accident, a data sales.

If you write any clientside app with its backend in javascript, you deserve every CVE you will inevitably suffer from

The price tag attached and knowing now that is one of the highest bounties is sad. I am very surprised how poorly this pays

If you think for a second that every OS doesn't have back doors to the parent company or the government. Your special.

i don't think whatsapp use electron anymore

Always a blessing to watch!

such good videos but why mr robot always in the thumbnail 😭

Not surprised , Microsoft has been doing this since the earliest iteration of Windows.

Oh regex... nobody remembers you have to account for characters outside of your application if they break out of it.

is allowlist the same as whitelist?

It is almost as if all the layers of abstraction with electron applications, or anything frontend web related, are a bad idea...

NodeJS, and it's accompanying NPM libraries feels like a repository of shitty stackoverflow code.

Very interesting. Maybe we should go back to simple tools like pencil and paper. As I watch from my iPhone. 😉 At what point do we say that too much of our personal data is taken from us? Way too many systems are being hacked - Gov’t, hospitals, etc., not to mention every website.

How in the world one learns about these exploits , the guy is truly a genius hacker 😮

I'm not surprised that regex is a part of more than one of these exploit steps. Regex is awful and usually results in unintended or unacknowledged effects.

I want to see an RCE use to play DOOM now.

Ya'll have heard of the Linux root backdoor right? Wowser!

Angular is the PHP of JavaScript.

The real question is WHY THE FUCK IS TEAMS BUILT WITH ELECTRON 🤦‍♂

This is one of the reasons I say you should never use wildcards in any regex in code, and anyone who does or suggests it should be fired immediately.

every time I hear about exploits based around web development I become more shocked by just how stupidly designed it is.

7:19 u got a sub (:

Hacking is art. Holy ...

How’s possible that a giant like microsoft with unlimited resources is using JS frameworks for their software ?

incredible video. subbed

Just 150K for this? Turn to crime people... the TRILLION dollar company paid literally nothing for this

So what did get bug hunter get for this?

My brain is telling me this is like the escaping v8 env clobbering... Reco that one too.

I am not surprised that teams has a vulnerability, it has lots of problems also.

How the blazes does one come up with these vectors!!??

remote code execution vulnerability is worth 150k? damn thats low af

Nice job dude🎉

I have to immediately question why the hell the node API would have full system access. What the fuck. Only get access for what's needed ffs..

Great video

Should we stop using web tech for building desktop/mobile app already?

Imagine microsoft writing their own product using electron, meanwhile Apple engineers wrote their Apple TV app in native Windows api

why would we write only the logic needed to solve a problem? lets add a DOM and JIT and increase the attack surface ten fold sounds like a great plan to me guys

> used electron

150k is among the largest bug bounties? Wow, so now I know nothing is secure.

I'm beginning to start my journey into cybersec and I couldn't have found this at a better time, amazing content my brother! As a side note, 150k seems stupidly low for the gravity of the exploit and how many people could've been affected by it

00:30 you should cover the highest paid bug bounty on that list, about staying in Apple for 3 months. Seems incredibly interesting!

modern exploit chains are pure insanity. it really makes you wonder whether all those mitigations are helping or just delaying the inevitable.

Amazing, isn't it? You find a critical, 0-click RCE in a company's product and they pay you out 150k... Go to a company like NSO, sign a simplr NDA and you've got yourself 1.5 million...

Your explanation of Angular's role in the exploit was confusing to me because it seemed that you conflated AngularJS, the ancient, deprecated framework with the modern versions of Angular. It is not clear which version they were using in the exploit. The screenshots showed version 1.8 which would be the old version, which in the year of that exploit would have been after end of life support. Feels very careless of Microsoft to continue using that of version so long...

The fact that they use AngularJS instead of Angular >=2 is baffling

I don't even to watch the video to tell you how microsoft backdoored millions of users. They sold them windows. Backdoored has multiple meanings when it comes to microsoft. Lol!

All because someone thought JS on the server side was a good idea.

Awesome video Dan! Always delivering high quality content

Thank you for taking the time to say and make all these graphics! Your hard work doesnt go unnoticed sir!