Like everyone else I am also hoping you will get the chance to create more videos for the Google VRP, LiveOverflow! Best wishes, @wtm_offensi
@hugo4it, 4 years ago
wtm to google: “C O L O N I Z E D”
@XDRosenheim, 5 years ago
Google: Sponsors a YouTube video. YouTube, a Google company: Wait, can we demonetize this?
@user-tm3fz7qx3s, 5 years ago
HAHA! That's funny!
@StefanReich, 5 years ago
LOL
@isnichtsogut2612, 5 years ago
Is that a money stack-overflow?
@shis10, 5 years ago
Lol
@TheoParis, 5 years ago
XD
@karl2673, 5 years ago
Google is like Italy, it switches sides when you least expect it.
@samueleproiettimicozzi8134, 5 years ago
Karlo Bistrički lol...
@Emaxoso, 5 years ago
As an Italian I can confirm, no wait I can't
@fabiopinciroli4962, 5 years ago
Laughs in Mussolinian
@Timsturbs, 5 years ago
excuse me, excuse me 👌
@MorbidEel, 5 years ago
Switch? Isn't it more like they are on all sides at the same time?
@renanlopes6220, 5 years ago
I can't think of anyone better than you for this job! Glad to see you getting rewarded after all these years of effort here on YouTube. Congratulations!
@cipherundoer, 5 years ago
you know the vibes
@TheHermitHacker, 5 years ago
Other companies, pay attention. This is the right way to talk about things like this. The more open we are about bugs and problems, the more secure these companies become. I love this model.
@WebSecurityful, 5 years ago
@Adolf Hitler They just invest money to keep their income alive; if their systems were to fail or be compromised this could cause more harm than the few millions they pay for these bug bounties. These millions compared to the billions that they would risk are like nothing, especially for a company of such size and importance in our world.
@WebSecurityful, 5 years ago
@Adolf Hitler There is just nothing more important than money and growth
@georgplaz, 3 years ago
@will triumph I think it was sarcasm. In any case, you are way overblowing it.
@kobiassvilli, 5 years ago
LiveOverflow to be the official bug reporter for Google? You got my vote!
@dgramop, 5 years ago
I really enjoy how you also explained his thought process and how he was able to do the legwork to find the vulnerability. I know people in the cyber world that would just say "there was an issue where it would automatically execute gradle" and then call it a day, if I'm lucky, after giving more details about the vulnerability itself. People rarely talk about the thought process required.
@WikiPeoples, 5 years ago
I really appreciate you pausing to remind the viewer that this work is tedious, and takes time. The problem with YouTube educational videos these days is that unless you remind yourself of this, they can make some people very discouraged... That's because their expectation is that when they sit down to code, or research, it will look similar to the video they watched... And instead of being smooth, and almost effortless, it's the complete opposite - difficult, slow, challenging.
@jmullentech, 5 years ago
That's one reason I respect guys like Ippsec so much. He leaves the majority of his "mistakes" and oversights in his videos, so you can get a taste of "why the hell isn't this working??" as a viewer. We need more people like that, for sure!
@kantnklaar, 5 years ago
I can relate to that; I watched too much Mr Robot 😂
@shadowinlight20, 5 years ago
It's like this in every branch. Every time books and articles talk about an expert, be it scientist, athlete or artist, they make it sound like these people were simply born this way and that everything they touch turns into gold. In reality those experts failed more times than any "talentless" person.
@Mith07, 5 years ago
This title sounds like clickbait but it's actually not.
@lukor-tech, 5 years ago
I am very happy that this type of sponsorship is happening! Way to go and best of luck with the next productions.
@tomasgemes4349, 5 years ago
Bro this is completely EPIC! Google sponsoring. It could get even nicer though, just imagine Google asking you to talk about critical historic bug reports on Android, Drive, YouTube, the search engine. IT COULD BE AWESOME!
@mpwsh, 5 years ago
Great video! I would love to see more vulnerability disclosures explained like this on the channel. This also says a lot about what YouTube/Google was saying about demonetizing hacking-related videos. Even though this is hacking related, it's clearly more educational than a step by step on how to damage someone by hacking their wifi or creating social engineering sites.
@Milamber-pg3ju, 5 years ago
I really enjoyed the format of this video. I liked getting the explanation from the source as well as LiveOverflow's explanation. I would watch more like this in the future.
@CZghost, 3 years ago
This is hands down the best security vulnerability related video in general I've ever watched. A talk with a full-time bug hunter and very professionally put together. Hard to believe that this is actually an advertisement, and as I can see, it's an advertisement for Google's bug bounty program. Google is a rather unusual company. They propose open-source projects, they are very open about their products, even when it comes to the vulnerabilities of these products, and they actually care about people's opinions. Kind of like Discord, as it seems.
@bjornroesbeke, 5 years ago
Finding hacks is always the result of someone saying "What if...", playing around a bit and then getting an understanding of how things work. A potential question: Would you have invested the time and effort if Google didn't have a bug bounty program, just to learn something?
@LiEnby, 5 years ago
I'm sure someone on the dark web would pay for it if Google didn't
@TheWootify, 5 years ago
Good question Bjorn. The truth is that I could not have afforded to spend the time I did without the existence of bounties. If bug bounties did not exist I would have to spend time on offering penetration testing services to clients (or get a job in engineering like I used to have, and practice hacking for fun in my spare time). Best wishes!
@AlexBMJ01, 5 years ago
Awesome video! It's always cool to get the story behind a vulnerability. Would love to see more content like this!
@Mith07, 5 years ago
You can really see how much work you put into this video compared to your usual videos. It's one of your best videos imo, keep it up!
@omerfeyyazselcuk7325, 5 years ago
That glorious man's hair flew away at around 19:00
@Fractal227, 5 years ago
Luckily it came back again
@x3ICEx, 5 years ago
19:00
@georgplaz, 3 years ago
A bug! Maybe you'll get a bounty from LiveOverflow
@maciej-36, 5 years ago
Actually YES! This is the best sponsored video I have ever seen!
@ev.c6, 5 years ago
It is amazing that you show the effort this guy had to put in to find this bug. I know people who think success is a one-time try-and-get thing based on someone's "talents". This line of thought can lead to many disappointments in life. Your channel is amazing :)
@Fritzendugan, 5 years ago
Congratulations! I've been watching your videos for some time and it warms my heart to see you secure these types of partnerships and grow your channel. Well deserved! And not to mention, definitely an interesting video. Kudos for keeping everyone grounded and reminding them that videos don't capture everything (on purpose, of course) :)
@k1ngjulien_, 5 years ago
19:08 magically disappearing hair? :D Very nice video
@WhosOverpowered, 5 years ago
Love the new format! I think it is great for the largest developers like Google to be able to facilitate knowledge like this. It could mean that some smaller companies or freelance developers don't end up losing clients or getting into legal trouble over something that a company like Google can fix before it is used as an attack vector. Things like these need to be shared, and I am glad that you are the person sharing it with us!
@alexhuang7681, 5 years ago
Hope someday we'll see LiveOverflow talking about bugs on LastPass/Dashlane/NordVPN/PIA/Audible/etc. :3
@TealJosh, 5 years ago
Well, NordVPN is relevant now lol.
@arnonymous7211, 5 years ago
15:03 did I just see the famous Merkel-Raute?
@hexdreams, 5 years ago
Nice catch xD
@Rebouz, 5 years ago
This concludes there has to be a section about bratwurst in this video as well.
@Nadox15, 5 years ago
@@Rebouz With that he has filled our Mutti with pride
@hiabst, 5 years ago
@@Nadox15 True, I just asked my mum
@xenon5993, 5 years ago
Also referred to as "Merkeldach" ("Merkel's roof") or "Raute der Macht" ("Rhombus of power").
@u0000-u2x, 5 years ago
If only all ads taught me this much. PS: Google, you should pay your bug bounty hunters more...
@gabrielraphaelgarciamontoy1269, 4 years ago
The captions helped a lot because my speakers got water damage today! Thanks :)
@bitcode_, 5 years ago
You deserve it! All the sacrifices you've made for learning and working on your skills, keep up the good work!
@小张同学-v6i, 5 years ago
Thanks for making this video. I know that finding bugs can be frustrating unless you happen to find one accidentally, but this video showed me how even more frustrating it is. Thanks!
@CySnowdrop, 5 years ago
Well done mate! I've been following you for a while now and you totally deserve the sponsorship!! Keep up the good work mate!
@RamtheCowy, 5 years ago
Man I love your videos, even as a newb who knows nothing about programming or cybersecurity; you have a way of structuring and presenting them and always make them so fascinating! :)
@glorytoarstotzka330, 5 years ago
I am really happy for LiveOverflow getting asked by Google themselves to make a regular video about a bug they had. feelsgoodman
@retry51776, 5 years ago
Only $5k for this? That is way underpaid for his skill set
@sky-persuitofwonder, 5 years ago
Terry Wu I'd appreciate 5k, cuz that's a lot for a kid :)
@makitard, 5 years ago
@@sky-persuitofwonder nobody asked you
@michaeljones5681, 4 years ago
@@makitard nobody asked you to make this negative comment, but yet here we are
@makitard, 4 years ago
@@michaeljones5681 necro
@michaeljones5681, 4 years ago
@@makitard what does that mean? Sorry, I'm fairly new to this stuff
@kalexander777, 5 years ago
"We connect you with Hackers, just make a simple video.. blah blah" -Google Hmm.. does this mean you think I'm a Hacker, Google?!
@dwietr, 5 years ago
Whoa, you've expanded my view on a lot of services I'm using in my professional life. I'm using Docker on a daily basis and I was not aware you can control the container (moreover, other containers) in such a way using the Docker socket file. Okay, everything isn't exactly the same when comparing GCP (Google Cloud Platform) vs OCP (Openshift Cloud Platform), but technically it seems pretty similar. Anyway, thanks for the video.
@ibrahimkahfie3467, 5 years ago
Wow. Michael Cera really is knowledgeable in cyber security.
@bale-qb7jv, 5 years ago
You need to do a video on the new iOS bootrom exploit!
@Sleezgaming, 5 years ago
Nice video! Really cool that you can pull off collaborations like this. The bounty hunter is very likeable too :)
@vypxl, 5 years ago
I would say: props to Google!
@treppi, 5 years ago
@@effiti2905 hey there xD
@treppi, 5 years ago
@@effiti2905 I know, do you think he'll be at the C3 again this year? I really want an autograph or something
@Simrasil_, 5 years ago
Woah.. I kinda lost sight of this channel for some time (shifting interests and such) and now I come back and he has 374k subscribers? When and how did that happen?! I mean, congratulations, I'm really happy for him, but damn ^^
@felipe51lugo1, 5 years ago
I appreciated both efforts: describing and explaining. Thumbs up.
@oldbootz, 5 years ago
Great video! I love the interview format.
@PolyRocketMatt, 5 years ago
19:08 he's having a bad hair day xD
@xellaosu, 5 years ago
Yeah I noticed the change in hair style as well. I thought it was a brilliant easter egg! Wonder if the Dutch guy suggested it xD
@tortotifa5287, 5 years ago
Thumbs up if LiveOverflow should again make a live video recording!
@gregaluise5727, 5 years ago
Thank you Live Overflow and Google! Cool look into container technology and how the "bug" can be the result of bringing several technologies together.
@rigoligorlc4795, 3 years ago
Now I finally know why new JetBrains IDEs ask whether you trust the build system used by a project.
@HritikV, 5 years ago
Awesome video! I had a question though: why would Google put the host's Docker daemon socket in the shell container? One possible explanation would be that the shell needs to communicate with the Theia IDE, but I'm not sure, because if that's the case then why not put Theia and the shell in the same container?
@osamazaid25, 5 years ago
Beautiful idea 💡 thanks to everyone who was involved in this.
@GarthHumphreys, 5 years ago
Wow, thanks for sharing this content and the interview. It was very insightful!
@josephwong2832, 4 years ago
Love how you emphasized how hard it was
@Rubafix989, 5 years ago
$5000 seems pretty ridiculous for the amount of work needed to report this bug. It's Google, I doubt it would crumble over a 20k€ bounty
@OmarChida, 5 years ago
Great job LiveOverflow, just one question: what software do you use to make these cool paintings and writings?
@LiveOverflow, 5 years ago
You can find making-of videos on my channel ;)
@OmarChida, 5 years ago
@@LiveOverflow Definitely will check it out. You're my number 1 YouTuber when it comes to learning security and reversing. Thanks so much for the content
@Celastrous, 5 years ago
This is an awesome video. Loved the real-life video shots, really made the vid easily digestible
@kcm624, 5 years ago
$5000 seems little for such awesome and very highly skilled work. He could easily get a senior position at Google and get paid much more in cash plus equity.
@ashleybyrd2015, 5 years ago
I don't usually like Google, but paying you to make a video is probably one of their greatest ideas.
@4400marko, 5 years ago
Nicely done, both of you! Congrats! And please keep reminding us how tedious this work is - I forget. Very good video!
@BGroothedde, 5 years ago
Nice video! I would love more of this type of content. Let's hope Google sponsors you more often!
@TheSkepticSkwerl, 5 years ago
It was probably 20-40 hours of work. But his training and experience is hundreds of hours in this area.
@Reth_Hard, 5 years ago
Very, very interesting video. You guys are real geniuses. I wish I had half your talent.
@velho6298, 5 years ago
Love it
@TheSkepticSkwerl, 4 years ago
Having earned an OSCP, I fully understand the long time and tedious work these things can take.
@yonatandar, 5 years ago
Google sure took the best person to make this video, way to go pal!!!!
@dynfo, 5 years ago
I had found a bug on YouTube allowing you to delete likes/dislikes one by one using their API. Nothing urgent, nothing fancy, so I contacted their VRP with how to reproduce it. They told me that they couldn't reproduce it, adding that if the bug was indeed live, their systems would have detected it. Less than 2 days after their response it was fixed, and I never heard from them again.
@LiveOverflow, 5 years ago
It might have just been a caching/display thing. For example, caching used to affect subscribers. And when people unsubbed and resubbed the counter would constantly decrement, making it look like somebody lost a lot of subs. But actually it was just the way the caching was set up. Once the cache was properly synced with the real data, the number was correct again. Maybe that also happened with likes/dislikes?
@srlorch406, 5 years ago
Wow, I was like "I can barely understand that" and the subtitle hint comes up. Perfect!
@ThePC007, 5 years ago
I understood it perfectly fine, but then again, my own accent is probably just as bad.
@tythedev9582, 5 years ago
Ahh nice. So, I only need to be familiar with: Docker, web protocols, Kubernetes, Git, and TypeScript (for Theia) to help fight bugs for Google. EZ PZ (sarcasm). Entertaining video though. Thumbs up.
@PiotrekR-aka-Szpadel, 5 years ago
Actually this isn't much
@tythedev9582, 5 years ago
@@PiotrekR-aka-Szpadel for u, big guy
@PiotrekR-aka-Szpadel, 5 years ago
@@tythedev9582 those things that you mentioned are kinda related to each other
@Gottii92, 5 years ago
What about Java and Gradle :o
@Dkbay, 5 years ago
@@Gottii92 Technically he'd just need to know Gradle, since he could use some hello world code for Java; all it was needed for was to auto-execute the Gradle file
@TheHakTor, 5 years ago
Thanks Google for being progressive and forthcoming. You sponsoring this kind of video was totally amazing. Other companies need to take a look at your efforts. Also, great video mate!
@BlackHermit, 5 years ago
The beginning of Google is the ray. I've already heard about this vulnerability, but your explanations are.
@FloWoelki, 5 years ago
This is such an awesome video. Thank you!! :)
@Verrisin, 5 years ago
If you ask me, even seeing other containers you are not supposed to interact with *is a security vulnerability* - even if nothing may come from it: they should stop the person as soon as possible, so they cannot even go deeper... - like this, they have to protect everything else behind it, rather than just that one gateway...
@MazzeruAcciacatore, 5 years ago
The automatic Java compilation is an issue, but no one knew about it; it's a legit mistake. However, giving the user permission to control Docker is a grave mistake, and they denied the issue. 5k? Really? That's not much to convince someone not to exploit the issue..
@foorack, 5 years ago
Giving the ability to control the Docker daemon on the "host" doesn't matter, because the host itself is yet another container.
@ydrezende, 5 years ago
Congratulations, my friend! You are doing such a great job, I'm so glad Google recognized your work.
@nsns7993, 5 years ago
Great video! Learned a lot from the explanation, especially the Docker escape trick.
@settwi, 3 years ago
Hey @LiveOverflow, when were you first employed as a security expert? I'm studying for a physics PhD right now but I have always been into security and systems programming, and your videos are inspiring me to maybe try out some penetration testing competitions or something like that. Anyone else feel free to answer too!
@Anon-tr2lq, 5 years ago
Why are you standing bro, I feel like I shouldn't be sitting down
@kantnklaar, 5 years ago
Yo how big is your screen that him standing intimidates you 😅
@Pichelinou, 5 years ago
18:14 what I'm more curious about is how much *you* got paid :P
@lufycz., 5 years ago
Probably not as much as the researcher did
@stammyy2091, 5 years ago
I guess about 3000€
@heroslippy6666, 5 years ago
Usually this detail can't be shared, to make bargaining with sponsors easier. But definitely not as much as the researcher.
@yashgandhi6128, 5 years ago
Maybe 500 bucks?
@NeutronJimmy42, 5 years ago
Jean-Jacques Lacouille they gave him 2 years of free membership for Google+
@cptpinecone, 5 years ago
Kudos dude. But I mean, with your content quality, it pretty much makes sense!
@tootalldan5702, 5 years ago
Cool content and research. Thanks for sharing. BTW, I hope you get paid twice because there were 2 commercials in this video also.
@4franz4, 5 years ago
Hiya there...
@threeMetreJim, 5 years ago
I find the easiest vulnerabilities to work on are client/server web apps with the logic carried out by some script on a server with the client side in Javascript. Found a few bugs in commercial products; the companies involved were happy to receive the bug reports for fixing, but no reward unfortunately (but I did receive a thank you). The only reward was from Facebook for quite a trivial privacy issue ($500, lowest tier bug bounty reward). I find live chat apps are usually the ones with flaws - the best was a complete deletion of an app from a web page without admin privilege (with permission of the owners of the site it was hosted on), and a moderation bypass (done on the provider's demo page). Another one is trying to insert HTML markup in a page when you shouldn't be able to (not enough user input sanitization, which can lead to cross site scripting vulnerabilities); had a laugh on a Facebook game with that one (before letting the game developers know about the bug). While this is probably not legal to do, as long as you don't cause any damage and notify the providers so that the 'bug' can be fixed, I've never had anyone be upset about it - better than someone malicious coming along and causing untold havoc for anyone using whatever service has the bugs.
@TimLF, 5 years ago
A video on securing containers and escaping them would be very interesting
@melkileo, 5 years ago
And now you get an OP from Google.. What a career!
@rj-nj3uk, 4 years ago
That horse playing guitar, drum and [that blow horn thing] 😅
@neoXXquick, 5 years ago
Amazing video.. the only shame is that the hacker got a low money reward...
@neoXXquick, 5 years ago
that person is smart like hell
@jon-anthoneydeboer4383, 5 years ago
Excellent find, love the concept of this video too.
@4franz4, 5 years ago
Just $5000???
@-BANKAI-n1, 5 years ago
Not sure where you live my friend, but 5k is something. Also, if he were to actively count the hours he spent finding the bug and divide the sum, he would still be in a position to earn more than a regular 9-5 job.
@deskoner, 5 years ago
Really awesome, interesting and well presented video. I truly appreciate it :)
@hpsmash77, 3 years ago
1:52 the real bug is the light theme
@Shirolicious, 5 years ago
I really like it. LiveOverflow x Google is a good combination. I also find the thoughts from the researcher very insightful.
@xenialxerous2441, 5 years ago
Hey there #liveoverflow!! This was an awesome awesome video, loved it thoroughly!
@Nothy, 5 years ago
now this is podracing
@beastbum, 5 years ago
pod tracing
@ValentineC137, 5 years ago
pot lacing
@chillyvanilly6352, 5 years ago
What an eye opener this is... Boy oh boy
@smtmssmtms, 5 years ago
Love your content, love the knowledge, love the way you transmit it :)
@groowy, 5 years ago
I have a question unrelated to this video, but I've been thinking about this so much that I should ask you about it. How much time do you spend playing piano, and what model of piano is behind you in this video?
@ushiocheng, 5 years ago
@LiveOverflow Is it ethical or legal to test a system? If a tester broke a Google server, there must be some consequences? Could you make a video about the ethics and laws around it? I have tried to research it. Basically, it is fine as long as you get permission. However, it is not likely for every tester to contact Google for permission. So, how does this whole process work out?
@hopehowdoyoufeel, 5 years ago
You've made it! Congratulations
@TrustedCreeper, 5 years ago
It looked way too easy. Nice collaboration👍🏻
@GwnDennisHD, 5 years ago
YouTube has a built-in "Includes paid promotion" banner that you can turn on, and it will show up for 5 seconds at the beginning of the video in the bottom left. So next time you don't necessarily have to put "advertisement" in the top right for the entirety of the video
@LiveOverflow, 5 years ago
That might be okay for the US. But it's not enough for German regulations
@GwnDennisHD, 5 years ago
@@LiveOverflow Ah gotcha
@kcm624, 5 years ago
Reverse engineering the architecture is quite a large portion of the effort. Wonder if it would be faster and more reliable for Google to have in-house researchers who see the source code and design docs of the system?
@oxodao, 5 years ago
This video was awesome. If you have the opportunity to do something like this again, don't hesitate!
@AgentM124, 5 years ago
Assuming it took 250 hours, 5000 dollars is like 20 per hour, which isn't a bad wage. But if it took 500 hours it's only 10 per hour. So depending on how long it took, it's a decent wage. But you're not guaranteed to find a vulnerability. So it's gambling?
@LiveOverflow, 5 years ago
Hundreds of hours was just my estimate :D but he also found multiple issues in this product. So you can multiply that bounty
@AgentM124, 5 years ago
@@LiveOverflow Yeah, I can't conclude if it is a viable way to make money. But as a hobby, it's fun and profitable. (And pain and horror for all the research...)
@TheWootify, 5 years ago
@@AgentM124 Your math is correct and so is LiveOverflow. Of course it all depends on where you live in the world and what you want from life. Bug hunting is probably not the most stable way to make a living, but it sure is fun and rewarding. As long as I can take care of my family I will continue the hunt :) best wishes to you