The Hacker who could turn on ANYONE'S Zoom Camera [Zero-Day]

  Рет қаралды 80,651

Daniel Boctor

Daniel Boctor

Күн бұрын

Пікірлер: 146
@DanielBoctor
@DanielBoctor Жыл бұрын
JOIN THE COMMUNITY ➤ discord.gg/WYqqp7DXbm ♥ thank you for all of the support ♥
@chriss3404
@chriss3404 Жыл бұрын
Classic SQL injection and a nice explanation to go with it! Text encoding was def not the first thing on my mind when thinking about possible escapes, and I guess it wasn't on the mind of the person that tried to manually sanitize SQL input either!
@mudi2000a
@mudi2000a 11 ай бұрын
They just should use parameters. Then you don’t need to sanitize anything because you can’t inject anything. Not using parameters is a classic beginners mistake. Also I think this should be caught by static code analysis tools which maybe they should have used at Zoom.
@eyephpmyadmin6988
@eyephpmyadmin6988 Жыл бұрын
"Cant read the source code" Ghidra has entered the chat
@DanielBoctor
@DanielBoctor Жыл бұрын
yep, that's actually what the researcher used to locate the SQLite functions 🤯
@MaxCE
@MaxCE 10 ай бұрын
ghidra still can't tell you the function names
@king_james_official
@king_james_official 9 ай бұрын
that's not source code
@amaankhan8436
@amaankhan8436 Жыл бұрын
Criminally underrated channel. Keep up the good work man you'll make it big
@DanielBoctor
@DanielBoctor Жыл бұрын
That's the dream 🚀 Thanks for the support
@capability-snob
@capability-snob Жыл бұрын
We tend not to ship debug symbols by default with open source programs either - they tend to be much larger than the compiled program itself.
@0xgordo350
@0xgordo350 Жыл бұрын
Great video! That explanation of unicode was perfect.
@DanielBoctor
@DanielBoctor Жыл бұрын
Thanks for the support! Glad you liked it 😊
@BillAnt
@BillAnt 10 ай бұрын
​@@DanielBoctor- Loved it with the great explanation. :)
@DanielBoctor
@DanielBoctor 10 ай бұрын
@@BillAnt Thank you!
@nournote
@nournote Жыл бұрын
Very well explained. Lots of small things to learn, not only a story telling content. Just keep up. Subscribed.
@DanielBoctor
@DanielBoctor Жыл бұрын
Thanks! Glad you have you aboard :)
@gh0stm0nst3r6
@gh0stm0nst3r6 Жыл бұрын
Oh my goodness. This is such fantastic knowledge. You explain things phenomenally. Thanks so much.
@DanielBoctor
@DanielBoctor Жыл бұрын
LOOOOOL I'm glad it was helpful! Glad you have you here! Thanks for the support ❤️
@junosoft
@junosoft Жыл бұрын
Seems very well explained. Still didn't finish the video, but so far so good. Keep it up
@DanielBoctor
@DanielBoctor Жыл бұрын
Will do! More is on the way 🚀. Thank you for the support
@m4rt_
@m4rt_ Жыл бұрын
4:33 and if you want it be more of a hell for people who want to reverse engineer your stuff, you can tell the compiler to generate a stripped binary. On Linux you can do this using the "strip" command. You could use it like this "strip binary -o stripped_binary" or you can do it with the "-s" flag if you are using GCC.
@mudi2000a
@mudi2000a 11 ай бұрын
Stripped binary is also much smaller and thus always a good thing.
@davikad-quirkies
@davikad-quirkies 9 ай бұрын
yup I love using Linux
@restoreleader
@restoreleader 6 ай бұрын
So whats the catch? Why is it not used by default by everyone?
@ByronShingo
@ByronShingo 10 ай бұрын
Another eloquent description of a fascinating piece of software security history, brilliant as always.
@DanielBoctor
@DanielBoctor 10 ай бұрын
glad you liked it!
@Isaac-se6ye
@Isaac-se6ye Жыл бұрын
great explanation and editing!
@DanielBoctor
@DanielBoctor Жыл бұрын
Thanks for the support, I appreciate it 😊
@b33thr33kay
@b33thr33kay Жыл бұрын
Wow! Very well explained, thank you! EDIT: my only complaint is the title. It's makes it look like a recent exploit, which is clickbaity and not very nice. I don't think you need to resort to that. 🙂
@cooldestroyer1
@cooldestroyer1 Жыл бұрын
A channel can only upload about this type of stuff when it gets patched.
@aurilly_
@aurilly_ Жыл бұрын
@@cooldestroyer1yea and it was patched in june 2020
@SlitheringDemon
@SlitheringDemon Жыл бұрын
​@@cooldestroyer1but still makes it look like it's recent
@B1ADE99
@B1ADE99 Жыл бұрын
Obviously worked on you
@cooldestroyer1
@cooldestroyer1 Жыл бұрын
@@B1ADE99 I stopped watching very early:/
@whoman0385
@whoman0385 Жыл бұрын
I honestly thought I was watching from a big channel, your so underrated, keep it going!
@DanielBoctor
@DanielBoctor Жыл бұрын
THANK YOU! I appreciate the support! More is on the way 🚀🚀🚀
@mbhv-ll9lq
@mbhv-ll9lq Жыл бұрын
How do you not have more than million subscribers? What. you deserve more. keep up the great work!
@DanielBoctor
@DanielBoctor Жыл бұрын
Thank you! You are a highly awesome fella keep on spreading that positivity
@cancerino666
@cancerino666 Жыл бұрын
Why a new company like Zoom decided to use SQL with all of it's string-based vulnerabilities baffles me.
@mattm7378
@mattm7378 Жыл бұрын
It wasn't a mistake. Zoom has been caught out working with gov agencies to essentially steal info from both individuals and organizations. Essentially is a gov tool for blackmail and info stealing (source twitter files)
@accountaccount3840
@accountaccount3840 Жыл бұрын
Great explanation. Thanks for these videos 😊😊😊
@DanielBoctor
@DanielBoctor Жыл бұрын
Glad you liked it! Thanks for watching 😊
@dcquence
@dcquence Жыл бұрын
Very interesting. I cannot get over the upward inflection on every sentence though
@DanielBoctor
@DanielBoctor Жыл бұрын
Ughhhhhhh I know, I do it while I'm filming without realizing it . I'm trying to fix it though.
@qps9380
@qps9380 8 ай бұрын
@@DanielBoctor Honestly man, wasn't an issue for me at all. Super interesting video!
@vanzylv
@vanzylv Жыл бұрын
Very interesting and technically informative. You have a elegant way of explaining things. Thanks!
@DanielBoctor
@DanielBoctor Жыл бұрын
Glad you found it helpful! Thanks for the support I appreciate it 😊
@SteveProjectX
@SteveProjectX 6 ай бұрын
Great content man. Thank you.
@vnc.t
@vnc.t Жыл бұрын
isn't it a sqlite bug as the utf-8 encoder assumes the 10xxxxxx instead of checking for it and raising an error if the first 2 bits weren't 1 and 0? why was it reported to zoom?
@DanielBoctor
@DanielBoctor Жыл бұрын
Yeah, that definitely shouldn't have happened, but it's technically up to SQLite how they want to treat their encodings ¯\_(ツ)_/¯ The deeper source of the vulnerability was the discrepancy in the way that Zoom and SQLite handled encodings. Zoom treated input as plaintext, while SQLite treated the backslash (\) as an escape, indicating that the following hexadecimal sequence was Unicode. Regardless how how SQLite handled those encodings, it was the discrepancy at the end of the day that enabled any of this to be possible, and the onus is on Zoom to deal with that.
@joseville
@joseville 4 ай бұрын
Another great video!!!
@AlexandreGTavares
@AlexandreGTavares Жыл бұрын
Happy this was on my recommended, nice one
@DanielBoctor
@DanielBoctor Жыл бұрын
Glad you enjoyed!
@altaccount648
@altaccount648 Жыл бұрын
jokes on you i don't have a camera
@Jango1989
@Jango1989 10 ай бұрын
Brilliant video
@DanielBoctor
@DanielBoctor 10 ай бұрын
❤️❤️
@VG-or1nu
@VG-or1nu Жыл бұрын
I typically find myself frustrated, or have little patience for videos that fail to delve deeply… (as in all the over-hyped/dumbed-down clickbait that plagues this site)… Luckily this video was a pleasant surprise with its depth and steady quality. 👍
@DanielBoctor
@DanielBoctor Жыл бұрын
Glad you liked it! Thanks for the support
@kodzisko-gd7fc
@kodzisko-gd7fc Жыл бұрын
great video
@DanielBoctor
@DanielBoctor Жыл бұрын
Thanks!!
@RoterFruchtZwerg
@RoterFruchtZwerg 10 ай бұрын
Nice 👍 I thought the whole reason why utf-8 subsequent bytes have to start with 1 is to prevent exactly this - a utf-8 start byte eating away ASCII characters. So the utf-8 decoder is also at fault here? It should have stopped decoding...
@thisismygascan4730
@thisismygascan4730 Жыл бұрын
is there any reason zoom would have decided to manually implement the input sanitization
@williamdrum9899
@williamdrum9899 17 күн бұрын
Skill issue
@flipflopsn
@flipflopsn 9 ай бұрын
Great video, directly subscribed to your channel. Keep on doing great videos like these! ---- EDIT: Maybe mention tools like IDA or BinaryNinja for reverse engineering. It's not about giving the "bad guys" more information (because we assume they already have them), it's about spreading knowledge across the good guys (White-Hats) to expand their knowledge and being faster/quicker in finding new vulns than the opposition. ---- Nevertheless you did a great job related to the reversing procedure (e.g. the short analysis of the sqlite lib)!
@happyjohn1656
@happyjohn1656 Жыл бұрын
This was a great vid
@Jiyoon02
@Jiyoon02 9 ай бұрын
Wow... Vulnerabilities like this one convince just how important it is to implement a web-cam cover and a physical mic on/off togle, just for a percussion. A simple step like that goes quite a long way, it seems.
@Impracticallypractical
@Impracticallypractical Жыл бұрын
Great video! Well explained! Only correction is that SQL doesn’t use `//` for comments. It uses `--`.
@przemeu1353
@przemeu1353 Жыл бұрын
Great job you getting my sub.
@pabloenriquegorga4222
@pabloenriquegorga4222 Жыл бұрын
Outstanding ! cool video !
@DanielBoctor
@DanielBoctor Жыл бұрын
Thank you! Glad you have you here
@Anthonyfromtheuk-g3j
@Anthonyfromtheuk-g3j Жыл бұрын
Internation man is Hereeer? 🎉
@Grinwa
@Grinwa Жыл бұрын
Absolutely wonderful ❤ And that was super genius method to trick sql once again
@DanielBoctor
@DanielBoctor Жыл бұрын
Glad you liked it ❤
@larry1851
@larry1851 Жыл бұрын
Such a great video. Glad i found you! Keep going and you shall succeed.
@DanielBoctor
@DanielBoctor Жыл бұрын
Thank you for the support! Glad you have you apart of the community
@larry1851
@larry1851 Жыл бұрын
@@DanielBoctor somehow evertime I ask myself something while you explain something somehow you clear it up right the next second. It’s a pleasure to watch and I learned a lot.
@DanielBoctor
@DanielBoctor Жыл бұрын
That's awesome LOL. I appreciate all of the support, and I'm glad you're able to learn from them! It's the reason why I make these videos
@ntrq
@ntrq Жыл бұрын
nice man
@HydratedBeans
@HydratedBeans 8 ай бұрын
I love your channel, but also hate realizing that there’s no real way to defend against these things proactively.
@spinniboi
@spinniboi Жыл бұрын
this is basically a Kevin Fang video
@DanielBoctor
@DanielBoctor Жыл бұрын
Never heard of him before, but you're definitely right - we even both use LEMMiNO's music LOL
@John-ix6iw
@John-ix6iw Жыл бұрын
kind of like that one darkweb movie when the charons joined the call 💀
@bigbilly29
@bigbilly29 Жыл бұрын
Great breakdown, thanks for the video!
@DanielBoctor
@DanielBoctor Жыл бұрын
Thanks! Glad you liked it 😊
@CheckmateRubik
@CheckmateRubik Жыл бұрын
Great Explanation!
@m4rt_
@m4rt_ Жыл бұрын
Damn that UTF-8 trick is clever.
@DanielBoctor
@DanielBoctor Жыл бұрын
ikr 🤯
@eyephpmyadmin6988
@eyephpmyadmin6988 Жыл бұрын
I have a self sqli on a android app for a bug bounty. Im not sure how to make it viable. It is using sqlite too. Trying to find any other vuln to chain with it. Been sitting on it for a month
@TheTankiPlayer
@TheTankiPlayer Жыл бұрын
Cool video, just wanted to add that debug symbols are not necessary for debugging
@ahndeux
@ahndeux Жыл бұрын
That is why I put electrical tape over all cameras on laptops. That will never be hacked.
@Hauketal
@Hauketal Жыл бұрын
Sometimes the camera is actually wanted. There are laptops providing a mechanical slider, or one can 3D-print a clamp to put over the lens. Easy to reverse and doesn't leave gooey residue.
@mudi2000a
@mudi2000a 11 ай бұрын
You can buy a Lenovo they have a built in mechanical cover for the webcam so you can easily cover it when not in use.
@everyhandletaken
@everyhandletaken 10 ай бұрын
You had better do the same for the microphone then too 😂
@hgbugalou
@hgbugalou 10 ай бұрын
I now understand unicode encoding.
@bigyoshi4555
@bigyoshi4555 Жыл бұрын
i do not know what most of the things are or mean but i still watch it anyway cuz it sounds interesting
@TheControlMastr
@TheControlMastr Жыл бұрын
Make a reverse engineering video tutorial, geniuenly interested!!!!
@jerichaux9219
@jerichaux9219 Жыл бұрын
I'd thought I'd recognized Lemmino's music there
@chengong388
@chengong388 9 ай бұрын
I don’t program but I know you can debug binary because I know how to do some basic binary editing with cheat engine.
@rebelape4257
@rebelape4257 2 ай бұрын
I like the part the funny man mention computer words
@RonaldTrumpOfficial
@RonaldTrumpOfficial Жыл бұрын
Well, to this hackers dismay I’m too poor to afford a webcam!
@NahImPro
@NahImPro Жыл бұрын
Find some verifiable sources to link on the next one
@Tavern_Talk
@Tavern_Talk Жыл бұрын
Fr
@DanielBoctor
@DanielBoctor Жыл бұрын
frfr
@gorg212
@gorg212 Жыл бұрын
You sound exactly like code with lewis lol
@DanielBoctor
@DanielBoctor Жыл бұрын
LOOOOOOOOOL I NEVER HEARD OF HIM BEFORE BUT I ACTUALLY DO
@WackoMcGoose
@WackoMcGoose Жыл бұрын
_taps forehead_ Can't turn on my camera if I never have it plugged in...
@s0kulite
@s0kulite Жыл бұрын
I can’t help to say that you’re pronouncing SQLite with an extra L, it’s “Ess-Queue-Lite”, without that extra L.
@DanielBoctor
@DanielBoctor Жыл бұрын
I didn't even think of it that way LOL
@ankk98
@ankk98 Жыл бұрын
Good explanation
@sekiro_19
@sekiro_19 Жыл бұрын
Lost to sql injection 😂
@BanglaBitTheAi
@BanglaBitTheAi Жыл бұрын
Well explained
@novelhawk
@novelhawk Жыл бұрын
This is full of inaccuracies
@dogedev12
@dogedev12 Жыл бұрын
bro April 7th is my birthday lol
@parthsahni8952
@parthsahni8952 Жыл бұрын
Very nice vid
@VVVutov
@VVVutov 10 ай бұрын
Shit. I watch it but suddenly i figured thats the guy with the "girl with a attitude voice" Dude, find somebody to do a voiceover for you
@DanielBoctor
@DanielBoctor 10 ай бұрын
this was actually my last video with this issue, if you check out my subsequent ones, they should be fine
@bigbilly29
@bigbilly29 Жыл бұрын
If you get a nebula account ill drop a sub to it
@DanielBoctor
@DanielBoctor Жыл бұрын
It's an honour to be considered nebula worthy LOL
@1st_ProCactus
@1st_ProCactus Жыл бұрын
This is not easy to listen too.. are you drunnnnnk ?
@matthewkeen6281
@matthewkeen6281 9 ай бұрын
nice
@mikee.
@mikee. Жыл бұрын
Great video, horrible clickbait.
@iseverynametakenwtf1
@iseverynametakenwtf1 Жыл бұрын
the way you are changing the way you talk is bad, just go with your natural tone, it will come off easier to listen to. I had to stop
@DanielBoctor
@DanielBoctor Жыл бұрын
I think I finally fixed my intonation in my most recent video
@iseverynametakenwtf1
@iseverynametakenwtf1 Жыл бұрын
will be checking it out, you are interesting @@DanielBoctor
@DanielBoctor
@DanielBoctor Жыл бұрын
thank you LOL you are one awesome fella
@aoe4_kachow
@aoe4_kachow 9 ай бұрын
Nice topic but boring because you explain too many noob details
@metalwellington
@metalwellington Жыл бұрын
upspeak. come on.
MAJOR EXPLOIT: GitLab was Hacked with an IMAGE??
15:20
Daniel Boctor
Рет қаралды 208 М.
When you Accidentally Compromise every CPU on Earth
15:59
Daniel Boctor
Рет қаралды 875 М.
It works #beatbox #tiktok
00:34
BeatboxJCOP
Рет қаралды 41 МЛН
99.9% IMPOSSIBLE
00:24
STORROR
Рет қаралды 31 МЛН
小丑教训坏蛋 #小丑 #天使 #shorts
00:49
好人小丑
Рет қаралды 54 МЛН
When you Accidentally leak 100 MILLION Medical Records
16:40
Daniel Boctor
Рет қаралды 100 М.
Your Logic is Flawed. Here's Why
4:00
Duzzenn
Рет қаралды 953
Dev Loses $440 Million in 28 minutes, Chaos Ensues
10:17
Daniel Boctor
Рет қаралды 347 М.
How Microsoft Accidentally Backdoored 270 MILLION Users
14:45
Daniel Boctor
Рет қаралды 254 М.
Breaking Bitlocker - Bypassing the Windows Disk Encryption
9:11
stacksmashing
Рет қаралды 1 МЛН
Who was REALLY behind the Microsoft Backdoor [PART 2]
18:53
Daniel Boctor
Рет қаралды 58 М.
Who was REALLY behind the Microsoft Backdoor...
19:56
Daniel Boctor
Рет қаралды 1 МЛН
How the Best Hackers Learn Their Craft
42:46
RSA Conference
Рет қаралды 2,6 МЛН
It works #beatbox #tiktok
00:34
BeatboxJCOP
Рет қаралды 41 МЛН