How Microsoft Accidentally Backdoored 270 MILLION Users
Рет қаралды 243,888
Күн бұрынTry SquareX for free today! 👉 sqrx.io/dbv2_yt
In this video, we take a deep dive into the Microsoft Teams RCE (remote code execution) exploit chain, discovered by bug hunter Masato Kinugawa. This exploit chain consists of cross-site scripting (XSS), prototype pollution, and a sandbox escape within the desktop application framework Electron. Whether you're a pen tester, security researcher, or cyber security expert, having a solid foundation in web and desktop technologies, as well as JavaScript, prototypes, and APIs are crucial.
JOIN THE DISCORD! 👉 / discord
0:00 - Overview
0:46 - Electron
2:30 - Entry Point + Chain Architecture
3:25 - Cross-site Scripting (XSS)
6:53 - Prototype Pollution
11:10 - Sandbox Escape
13:26 - SquareX
Masato Kinugawa's report:
speakerdeck.com/masatokinugaw...
AngularJS RegEx:
github.com/angular/angular.js...
SquareX socials:
Twitter: / getsquarex
LinkedIn: / getsquarex
Instagram: / getsquarex
Facebook: / getsquarex
Blog: labs.sqrx.com/
MUSIC CREDITS:
LEMMiNO - Cipher
• LEMMiNO - Cipher (BGM)
CC BY-SA 4.0
LEMMiNO - Firecracker
• LEMMiNO - Firecracker ...
CC BY-SA 4.0
LEMMiNO - Nocturnal
• LEMMiNO - Nocturnal (BGM)
CC BY-SA 4.0
LEMMiNO - Siberian
• LEMMiNO - Siberian (BGM)
CC BY-SA 4.0
LEMMiNO - Encounters
• LEMMiNO - Encounters (...
CC BY-SA 4.0
#programming #software #softwareengineering #computerscience #code #programminglanguage #softwaredevelopment #hacking #hack #cybersecurity #exploit #tracking #softwareengineer #vulnerability #pentesting #privacy #spyware #malware #cyber #cyberattack #bugbounties #ethicalhacking #encoding #lowlevelsecurity #zeroday #zero-day #bugbounty #security #cybersecurity #breaches #databreaches #bug #bugbounty #pentesting #penetrationtesting #backdoor #javascript #XSS #crosssitescripting #web #webdev #electron #HTML #hacked #BeFearlessOnline #SquareX #Befearless&SecureOnline #Cybersecurity #Privacy #Security #Cybersec
@DanielBoctor 4 ай бұрын
THANKS FOR WATCHING ❤ JOIN THE DISCORD! 👉 discord.gg/WYqqp7DXbm ** UPDATE ** A few commenters have been confused weather or not Teams was using the deprecated AngularJS, or the new Angular. The answer is that it was indeed using the deprecated AngularJS. I even referenced the exact line of code in my description, within the old AngularJS: github.com/angular/angular.js/blob/47bf11ee94664367a26ed8c91b9b586d3dd420f5/src/ng/compile.js#L1384 Why was it being used after deprecation? My guess is at good as yours. Perhaps they were in the process of shifting away from it, as this only happened 5 months after it was deprecated, but still... The only part that I messed up on was @ <a href="#" class="seekto" data-time="353">5:53</a> - I used the wrong README. This should have been the old AngularJS. I stand corrected. Thanks to those who pointed this out! ** UPDATE 2 ** Thanks to @Possible1985 for pointing out that the sentence @ <a href="#" class="seekto" data-time="472">7:52</a> should have read "even if nodeIntegration is DISABLED", not enabled. 👇 Let me know what type of bug bounty reports you would like to see next! 👇 Thank you for all of the support, I love all of you
@Pr0toPoTaT0 4 ай бұрын
I love people too 💓 💗 ❤️ 💕 💛 ♥️ 💓 💗
@emo666man122 4 ай бұрын
this the shocker that they made such a big deal about using this malware over c-19
@sharonfox 4 ай бұрын
Angugar?
@CatFish107 4 ай бұрын
When you started the section on xss with "but first", I thought you were about to do an ad read for a VPN. Thank you for not doing sponsored ad reads. That was a relief.
@renakunisaki 4 ай бұрын
Someone really decided to make it possible to embed JavaScript in a CSS class name
@jfbeam 4 ай бұрын
YES. Would you expect anything less stupid from Google?
@seeibe 4 ай бұрын
The issue is more to do with the fact that Teams is injecting dynamic, user generated HTML that then gets picked up by Angular. Basically what they're doing is akin to using "eval" on a user input string, and then running some sanitizer over that input to ensure the code contains nothing bad. That's extremely bad practice, for exactly the reasons outlined in the video.
@xmine08 4 ай бұрын
That's as smart as it would be allowing to download and run arbitrary java code by passing a string to a logging library, right? Oh, dang, that happened as well...
@pianowhizz 3 ай бұрын
And that’s why everyone stopped using Angular in 2015! One of React’s main advantages has always been its protection against XSS :)
@xapk_ 3 ай бұрын
How the HELL?😊
@Code_Capital 4 ай бұрын
I'm surprised by how uncomplicated each singular step is but how much persistence is needed to pull the entire attack off...
@omanshsharma6796 4 ай бұрын
Uncomplicated is a subjective term
@DensityMatrix1 4 ай бұрын
@@omanshsharma6796They really are uncomplicated. This attack is more like a mathematical proof, each statement is understandable but having the insight about how to link them together is the clever bit.
@Bialy_1 4 ай бұрын
@@DensityMatrix1 Working as intended... how hard is to block code injection via text chat? Crazy easy as you need specific and exact comands to do anything...
@MygenteTV 4 ай бұрын
Uncomplicated? Not at all. Everything is easy and Uncomplicated once you know it. For you to pull a RCE, you really need to know what you are doing, you need to know the many different technologies and tricks to pull this off. This guy built a 0 day from scratch, step by step. That's talent, I'm not surprised he is Chinese. Those guys are built different.
@jfbeam 4 ай бұрын
It's only "uncomplicated" once you've seen it done. This is a pretty novel and slick chain of events, requiring locating some pretty tiny needles in a very big haystack.
@kevin41420 4 ай бұрын
> used electron
@jaygay 4 ай бұрын
I literally paused the video at this point 😅
@mgord9518 2 ай бұрын
The corporate obsession with JS will never cease to amaze me
@YourMom-rg5jk Ай бұрын
@@mgord9518seriously.
@NightMX_ 4 ай бұрын
I could not pull this off if my life depended on it
@RayScheelhaase-nd9rw 4 ай бұрын
Sounds like something a hacker would say
@diaahanna8882 4 ай бұрын
No one could that is why it is valued at 150k $
@humanbeing2730 4 ай бұрын
for real I could have a thousand years and not figure it out
@cc-dtv 4 ай бұрын
git gud
@cc-dtv 4 ай бұрын
@@diaahanna8882 just a matter of time spent
@2beJT 4 ай бұрын
150k is among the largest bug bounties? Wow, so now I know nothing is secure.
@denisel 4 ай бұрын
Wow 150k for this is embarrassing. 270 MILLION high-quality targets with a zero click. 3 TRILLION company btw. No wonder people turn to crime, good thing dudes compass points north. Finding exploits is a thankless job...
@DanielBoctor 4 ай бұрын
I agree with you on this. The bounty definitely should have been far higher for the impact of the exploit 🤷
@schwingedeshaehers 4 ай бұрын
around 0.5 dollar per 1000 users
@commander3494 4 ай бұрын
@@schwingedeshaehers wow i think an ad would make more money than that
@savire.ergheiz 4 ай бұрын
Shame on M$ 😅 They should pay $1m at least.
@kkamau5479 4 ай бұрын
If he sold this to any government he would've had a major pay day
@kRySt4LGaMeR 4 ай бұрын
modern exploit chains are pure insanity. it really makes you wonder whether all those mitigations are helping or just delaying the inevitable.
@andytroo 4 ай бұрын
it's both - in some ways it shows how 'secure' things are these days - no more drive-by from script kiddies dropping quotes into text boxes. But all steps in this chain were patched - so any new security break like this needs 4 new exploit steps. And there are prizes for discovering any 2 in a row (1 alone isn't worth that much). We're trying to setup an environment where the user can do whatever they want, without allowing them to do specific actions - the target is 'hard' to achieve :)
@tylerbreau4544 4 ай бұрын
A lock doesn't stop criminals. It just deters criminals. Patching exploits and improving security makes it harder to do malicious things in these apps. It's a deterrent.
@TuxedoMaskMusic 3 ай бұрын
Grabify is a easy drive by phish used today to log your ip in a text box (just 1 of many examples) so there are still things people can do Phishing wise that just relies on social engineering A SINGLE CLICK. @@andytroo
@weir9996 17 күн бұрын
@@tylerbreau4544It's a very successful deterrent too. Outside of state-sponsored actors, people aren't going to bother finding these complicated exploits for malicious purposes because there's generally an easier way to make money.
@MaxJM711 4 ай бұрын
I'm beginning to start my journey into cybersec and I couldn't have found this at a better time, amazing content my brother! As a side note, 150k seems stupidly low for the gravity of the exploit and how many people could've been affected by it
@4.0.4 4 ай бұрын
And yet one of the biggest payouts ever.
@stellviahohenheim 4 ай бұрын
cybersex?
@MaxJM711 4 ай бұрын
@@stellviahohenheim Amen homie
@paramveerdhoot6415 3 ай бұрын
Now this guy should have got paid like 10 million at least. That would have encouraged more people to pursue stuff like this and find vulnerabilities. This bounty will actively discourage people which is kind of sad. Good thing this guy had a good heart/head.
@kevinvoiceactor9694 4 ай бұрын
This was an incredible video. Animations are fire, going back to the high-level steps of the exploit, and coloring the relevant code snippets were all incredibly helpful for me to follow along. Liked, subbed, did all the things. Hoping to see more from you.
@DanielBoctor 4 ай бұрын
Man this is one of my favourite comments ever, thank you ❤️. You're the first person so far to mention the semantic colour coding, which I pay a lot of attention to. I'm happy it helped, and glad to have you apart of the community!
@pizza-pi 3 ай бұрын
@@DanielBoctor semantic colour coding is life, in work and in your vids. very nice touch.
@OrangeYTT 4 ай бұрын
<a href="#" class="seekto" data-time="30">00:30</a> you should cover the highest paid bug bounty on that list, about staying in Apple for 3 months. Seems incredibly interesting!
@DanielBoctor 4 ай бұрын
The headline there is actually a bit misleading, lol. They didn't remain inside Apple for 3 months - they just assembled a team of pen testers to find bugs at Apple over a 3 month period. They found 55 total vulnerabilities over the time span. The reason why the bounty is listed so high is because it's a summation across the payouts for all 55 bugs. Here's the full report if you're interested: samcurry.net/hacking-apple/
@cexeodus 4 ай бұрын
55 in only three months does seem highly eligible for an efficiency-to-haul ratio bonus tbh Alone I have found about 20 in a single month, but thats across multiple vendors/manufacturers. (never been paid for them so theres no record to cite here)
@gg-gn3re 4 ай бұрын
@@komorebi8182 The URL has words in it, those words tell you what site it is. If you traverse to the main domain of a website they generally tell you what they are. In this case it's a guys blog.
@DanielBoctor 4 ай бұрын
@@komorebi8182oops, didn't see this till now! It's called pentester.land - pretty awesome site.
@shapelessed 4 ай бұрын
Amazing, isn't it? You find a critical, 0-click RCE in a company's product and they pay you out 150k... Go to a company like NSO, sign a simplr NDA and you've got yourself 1.5 million...
@serviteccompletojimenez8995 4 ай бұрын
Check the history, we're talking about Microsoft!
@ayecab 4 ай бұрын
Just the right amount of technical details while providing a great overall narrative. Nice work.
@DanielBoctor 4 ай бұрын
Thanks for the support! Means a lot
@Megamanthemachine 4 ай бұрын
Dead ass this is better than straight up bashing Microsoft and saying go to Linux go to Linux as it’s the underlying that matters
@itsthesteve 4 ай бұрын
AngularJs in teams? Lordy.
@Voltra_ 4 ай бұрын
The fact that they use AngularJS instead of Angular >=2 is baffling
@BlueEdgeTechno 4 ай бұрын
You will be surprised by how degraded technologies these MNCs use. It requires them time to overhaul their system.
@anonymoususer6801 4 ай бұрын
They still use knockout js in azure it seems it takes quite a while for a service become in production and it seems like they move slow with replacing it.
@Voltra_ 4 ай бұрын
@@anonymoususer6801 I mean sure, but like AngularJS has been softly deprecated 10 years ago, fully deprecated not long after, and the last release was 4 years ago...
@mitchell6679 4 ай бұрын
And that they sanitize user input a little and then just treat it as dynamic markup, that’s the insane part to me
@haroldcruz8550 4 ай бұрын
It's all about profit margins, switching to a different code base is an additional cost. You'll be surprised how many legacy frameworks are still in use today even by large companies.
@jacobjayme6280 4 ай бұрын
Awesome video Dan! Always delivering high quality content
@DanielBoctor 4 ай бұрын
Thank you Jacob!!!
@Pr0toPoTaT0 4 ай бұрын
Thank you for taking the time to say and make all these graphics! Your hard work doesnt go unnoticed sir!
@DanielBoctor 4 ай бұрын
Thank you so much! The support means a lot ❤️. Thank you for the recognition, and for being apart of the channel 😊
@LatteCannon 4 ай бұрын
These videos are so informative and well made, I can’t believe you only have 15k subs. You’re gonna make it big
@DanielBoctor 3 ай бұрын
Thank you for the support! I appreciate it ❤️
@Christopher_S 4 ай бұрын
That was a great video, and your ad-read of SquareX was fantastic information. I've downloaded an extension for the very first time that I've seen on a video haha! I never thought I'd see the day when I'd be persuaded to install an extension.
@DanielBoctor 4 ай бұрын
haha, that's awesome to hear!
@Christopher_S 4 ай бұрын
@@DanielBoctoryeah I've used it since too haha!
@joe-skeen 4 ай бұрын
Your explanation of Angular's role in the exploit was confusing to me because it seemed that you conflated AngularJS, the ancient, deprecated framework with the modern versions of Angular. It is not clear which version they were using in the exploit. The screenshots showed version 1.8 which would be the old version, which in the year of that exploit would have been after end of life support. Feels very careless of Microsoft to continue using that of version so long...
@DanielBoctor 4 ай бұрын
Good question. They were indeed using the old AngularJS. I even linked the exact line I referenced in the video in the description: github.com/angular/angular.js/blob/47bf11ee94664367a26ed8c91b9b586d3dd420f5/src/ng/compile.js#L1384 Why was it being used after deprecation? My guess is at good as yours. Perhaps they were in the process of shifting away from it, as this only happened 5 months after it was deprecated, but still...
@joe-skeen 4 ай бұрын
Thanks for the clarification!
@DanielBoctor 4 ай бұрын
of course
@AlexiHusky 4 ай бұрын
That took an impressively detailed knowledge of all the applied frameworks to pull off. Kudos to them!
@glitchy_weasel 4 ай бұрын
What an incredible video! I really like your explanation - complete without being overbearing. Not a JS dev, but I still could pick up on the important details - so nice job! Will definitely check out the rest of your channel. Cheers!
@DanielBoctor 4 ай бұрын
Thanks for watching! Glad you liked it
@levvayner4509 3 ай бұрын
Thank you for a clear, step by step illustration of how each step of the exploit worked.
@SylvainPOLLETVILLARD 4 ай бұрын
Masato Kinugawa is a legend, with Gareth Heyes those are the best XSS hunters i know. 150k$ well deserved !
@zugly1999 4 ай бұрын
<a href="#" class="seekto" data-time="398">6:38</a> love how you use Lemino's music for bgm ❤
@DanielBoctor 4 ай бұрын
hes an inspiration to me
@randomperson9282 4 ай бұрын
It’s actually quite simple but man you gotta really understand the know how’s to get in and get out. Genius to find this minuscule window from such a huge company. btw thank you for the simple explanation you made it easy to understand and amazing visuals.
@DanielBoctor 4 ай бұрын
glad it was helpful
@tofoo_ninja 4 ай бұрын
Thanks for the informative and well made video. Perfect depth for the format. Maybe you could somehow link the source in the video. Like having a foot note number in a corner
@coolinmac 4 ай бұрын
This is such a well made video. Excellently explained!
@DanielBoctor 4 ай бұрын
Glad you liked it!
@ByronShingo 4 ай бұрын
Another amazing video, keep up the fantastic work!
@DanielBoctor 4 ай бұрын
Will do! Thanks for the support!
@sangeetguha51 4 ай бұрын
as always, very good quality!
@DanielBoctor 4 ай бұрын
Glad you think so! Thanks for the support 😊
@petar0402 3 ай бұрын
I work in IT and I hate Teams app with great passion. Actually, ANY app or a script that auto-launches itself in window mode by default.
@yash1152 3 күн бұрын
what does that mean? what is window mode? > _"I hate .... ANY app or a script that auto-launches itself in window mode by default"_
@petar0402 2 күн бұрын
@@yash1152 Any app/script that opens it's window that is not minimized or in system tray.
@yash1152 2 күн бұрын
@@petar0402 why do you hate them? do you want your browser, editor (notepad, intellij, eclipse, etc), office suite, preferences app to NOT OPEN as windows? [1/n]
@yash1152 2 күн бұрын
i mean, i agree - there are some apps where openining minimized makes sense, sharex screenshot app, media players, overlay tools etc... but majority of apps don't fall in this category. [2/n]
@yash1152 2 күн бұрын
> _"Any app/script that opens it's window that is not minimized or in system tray."_ [3/3]
@joshua_337 3 ай бұрын
Great explanation, even with your pronunciation of JavaScript 😉. Your latest video on speculative execution was also amazing. Just discovered your channel today and subscribed. Looking forward to future videos as well as going through your previous ones.
@DanielBoctor 3 ай бұрын
Thank you for the support! I appreciate it. Glad you're finding my content interesting
@Sacrosaunt 3 ай бұрын
bruh who is this guy dude came out of nowhere and is making this clutch content
@DanielBoctor 3 ай бұрын
LOL, this is truly a great comment
@CoreyKearney 4 ай бұрын
Eletron is an opensource program with it's own org and framework. The code is hosted on github, it is not a github project. That matters.
@DanielBoctor 4 ай бұрын
You are right, however it was originally developed by GitHub. They transferred Electron's ownership from GitHub to the OpenJS Foundation in ~2019.
@justanotherbee7777 4 ай бұрын
Awesome explanation. This should reach more people.
@DanielBoctor 4 ай бұрын
You are an awesome fella. Thank you for the support! I'm glad that you enjoyed ❤️
@jesenialimited1385 4 ай бұрын
That was an awesome explanation
@DanielBoctor 4 ай бұрын
not as awesome as you
@timd6214 4 ай бұрын
Amazing vid and explanation, mate! Love the channel!
@DanielBoctor 4 ай бұрын
Thanks for watching! Glad you liked it
@gravity00x 3 ай бұрын
"accidentally" 😂😂😂 absolute commedian
@rogerdeutsch5883 4 ай бұрын
Was the patch to fix this problem done in node.js (or a package it depended on) or Teams? If node.js, which version had this problem? Thanks for a great video.
@chy4e431 3 ай бұрын
this was *not* an issue with Nodejs itself If that was your conclusion I question if you actually followed along the video.
@larry1851 4 ай бұрын
Always a blessing to watch!
@DanielBoctor 4 ай бұрын
Always a blessing to have you apart of the channel
@vijayramachandran3559 4 ай бұрын
Thx for such a comprehensive explanation ñ
@gridlocdev2023 4 ай бұрын
Hey, just a heads-up the way the sponsor was mentioned in this video may have violated KZbin sponsoring disclosement guidelines since there wasn't a verbal disclosure and/or paid promotion notification. (See the "Add paid product placements, sponsorships & endorsements" KZbin Help page) I'm not a creator myself, but the way to properly do it would probably be one or more of the below two things, I think: - In KZbin Studio, under "More", clicking the “My video contains paid promotion like a product placement, sponsorship, or endorsement.” box will display a "Includes paid promotion" disclaimer at the first 10 seconds of the video - In the KZbin video content or description, I believe there's some requirement to verbally disclose the nature of the relationship with the sponsor. E.g. by saying "You may want to check out this video's sponsor, SquareX", or "This video was sponsored by SquareX", etc.
@DanielBoctor 4 ай бұрын
Thanks for bringing this up. The paid promotion option was always on, and the notification was always present at the start of the video. Are you sure you didn't see it? It shows up for me. In terms of the verbal disclosure though, can you find / link where it states that? I looked through the page that you referenced, and nowhere could I find any sort of verbal disclosure requirement. I genuinely appreciate your heads up, I just couldn't find the verbal requirement anywhere. Let me know if you can find this. Thank you
@dimo3611 4 ай бұрын
I canot even Teams get render html in chat messages. Did they generally remove html support in chat messages to close down this vector?
@MaZe741 4 ай бұрын
goddamn regex wildcard made this possible
@Selsato 4 ай бұрын
Fucking love regex man. Terrible to write, worse to read. Has the security of swiss cheese. And we just CANNOT help ourselves.
@specy_ 4 ай бұрын
@@Selsatolet's use a LALR parser instead!
@pabloenriquegorga4222 4 ай бұрын
Excellence again ! thanks you !
@DanielBoctor 4 ай бұрын
thank you for watching!!
@sawxpatscelts 4 ай бұрын
$150k ain’t much of a bounty for something that could topple your entire company.
@solovoypasando 4 ай бұрын
Very nicely explained
@DanielBoctor 4 ай бұрын
Thanks!
@vicitacious 4 ай бұрын
What a processsss to pull thisss one of
@RikThePixel 4 ай бұрын
I just love how they paid him €150.000 but it would have cost Microsoft multiple millions in legal fees. Not saying that he should have been paid more, but still kinda funny
@thewhitefalcon8539 4 ай бұрын
He could have got at least double that on the dark web
@Matia.s 4 ай бұрын
@@thewhitefalcon8539he could get even more if he sold that exploit to usa or russia
@paramveerdhoot6415 3 ай бұрын
This guy should have got paid like 10 million. This could have compromised so many people so quickly.
@RikThePixel 3 ай бұрын
@@paramveerdhoot6415I agree, I am don't really agree with my past self here. There is no real price-tag for the safety, privacy and security of millions of people.
@SimX9000 3 ай бұрын
Really well done video
@KristianKumpula 3 ай бұрын
<a href="#" class="seekto" data-time="20">0:20</a> Why did you put slashes instead hyphens into that command?
@rockNbrain 4 ай бұрын
Nice job dude🎉
@Shazam999 4 ай бұрын
Fairly sure this is how Data got the Borg cube to go to sleep.
@TinyDeskEngineer 3 ай бұрын
Accidentally? That sounds more like a security vulnerability than a backdoor.
@RealBenAnderson Күн бұрын
“In the early days of the Internet, browsers used a single program instance that was shared by all browser tabs…” Bro some of us remember when tabs didn’t even exist yet 😂
@abcdefgh1279 4 ай бұрын
I don't understand most of these code lines, but I still enjoy watching this, because of clear graphics explaining what's going on... 😅
@123norway 4 ай бұрын
I wish you named your channel «Doctor Boctor»
@DanielBoctor 4 ай бұрын
You have no idea how many people call me that irl lol. I might actually change the name of the channel one day.
@mono_si 4 ай бұрын
What are those background videos? The strange geometry is very nice, where can I find them?
@DanielBoctor 4 ай бұрын
They actually come from a collection of "Visualising AI" animations from Google DeepMind. They are quite incredible indeed. Here is the source if you want to check it out! deepmind.google/discover/visualising-ai/
@mono_si 3 ай бұрын
@@DanielBoctor thanks!
@TrimeshSZ 4 ай бұрын
This just makes me feel that my instinct to never use any desktop JS app was 100% correct.
@laztheripper 4 ай бұрын
Yes, because running an app that runs JS in an insolated environment is much more dangerous than a .exe file that has direct and complete access to all win APIs. This is pure regurgitating of popular slogans like "js bad".
@specy_ 4 ай бұрын
@@laztheripperexactly, I hear people complain all the time about this stuff, I preach for more low level access (like having a sandboxed file system) to websites installed as webapps (with permissions prompted to the user) and every time I'm answered with "but that's dangerous!!!" Yeah because let's just ignore the fact everyone just downloads random exe files that have complete access to your OS
@TrimeshSZ 4 ай бұрын
The problem is that if you want to produce a desktop app that does anything useful then you have to provide access to the underlying system anyway - and that's an issue when dealing with a language that was designed with the underlying assumption that it was running in an ephemeral isolated context where nothing it does actually matters. It's also extremely hard to carry out static analysis on, and has led to the spread of the incredibly dangerous idea that code that passes the tests is "correct". @@laztheripper
@piotrc966 4 ай бұрын
@@laztheripper "Yes, because running an app that runs JS in an insolated environment is much more dangerous than a .exe " As you can see - yes. In a native application, you have no way for the displayed text in the control to call scripts. You don't need to sanitize anything.
@wolfeygamedev1688 4 ай бұрын
@@laztheripper actually yes, Js bad. You cant XSS a native app that doesnt have scripting…
@RandomGeometryDashStuff 4 ай бұрын
<a href="#" class="seekto" data-time="389">06:29</a> is "malicious" separate class because there is space before?
@DanielBoctor 4 ай бұрын
Just to be clear, there is only a single class here, "swift-*", as perceived by Teams. What we're doing is piggybacking the ng-init directive onto the swift-* class. The Teams sanitation library, sanitize-html, allows this, as it only sees a single class that conforms to the allow-list. The "ng-init: malicious" is NOT it's own class as perceived by Teams sanitation library sanitize-html, but WILL be recognized by Angular's own parsing engine. To answer your question, no, the space before the malicious expression is not needed. From Angular's perspective, the only thing required is the semicolon, as its RegEx uses a semicolon as a delimiter. In short, the space is not necessary, but the semi colon is. Hopefully this helps!
@seeibe 4 ай бұрын
Thanks for this explanation, from what you've outlined I have to conclude that Microsoft doesn't have any processes in place to ensure their code meets even the most basic security requirements. Both of the exploits used are gross oversights. Makes you really wary of using anything Microsoft for sensitive applications.
@IllidanS4 4 ай бұрын
Perfectly explained and very interesting! The pronunciation of "processes" is quite jarring though.
@GainingDespair 4 ай бұрын
"accident" Feds accidentally left multiple bags of cash at an executives office as well
@Derekzparty 4 ай бұрын
One of my first uses of psexec was remotely opening calculator on a coworker's desktop!
@i_am_dumb1070 4 ай бұрын
How can someone even find such a thing mann 🤯it sounds too difficult...but nice explanation ❤
@DanielBoctor 4 ай бұрын
Some of these bug hunters are on another level. Thanks for watching ❤
@supremebeme 4 ай бұрын
incredible video. subbed
@DanielBoctor 4 ай бұрын
Thanks!
@maximumeffort6049 3 ай бұрын
I have no idea what you are talking about, but it is interesting.
@Darkregen9545 4 ай бұрын
I never understood the point of microsoft teams and microsoft forcing this program down my throat. I miss the days where we could uninstall and delete anything on our PC, but nah local administration means literally nothing even Super users.
@GenericUsername00172 3 ай бұрын
Lol backdoor was all ready there
@PeachBug 4 ай бұрын
I don't get it... how did we get from it not being possible to send HTML to being able to set the class value of a HTML tag on the renderer?
@DanielBoctor 4 ай бұрын
We were always allowed to send HTML in chat messages - it was just sanitized, restricting the specific HTML elements and classes allowed. This exploit was able to be pulled off because the only class that we used was the swift-* class, which was allow-listed by the sanitation library.
@PeachBug 4 ай бұрын
@@DanielBoctor thank you, he just used one of the allowed HTML tags, now I get it! :D
@YT2go4me 24 күн бұрын
Great video
@JNET_Reloaded 3 ай бұрын
Hey im on indows trying to get git to work defender sais its a threat when i install it and git still dont run correct any ideas?
@TibinThomas1993 4 ай бұрын
@<a href="#" class="seekto" data-time="355">5:55</a> the screenshot you are showing is wrong. Its of Angular but not of Angular JS.
@tacticalassaultanteater9678 4 ай бұрын
I would simply not compile chat messages as an Angular template, because the template compiler is designed with trusted input in mind.
@hi_tech_reptiles 2 күн бұрын
Thank god you stopped the upspeak lol
@iakleon 3 ай бұрын
It doesn’t surprise me that teams was the weak link. shortly before the venerability was found, a teams crash corrupted my user data to the point that i had to re install windows
@ehwiwh7358 3 ай бұрын
Hey, love these videos! Can you make one about the RCE exploit that shut down the servers of all Souls games developed by Fromsoftware?
@ehwiwh7358 3 ай бұрын
It's super interesting because if the exploit hadn't been reported responsibly, it could have been used on Elden Ring, one of the biggest games of all time, on hundreds of thousands of people simultaneously. It could have been one of the worst exploits in gaming
@ehwiwh7358 3 ай бұрын
It did not even require P2P connection, as it exploited the game's servers. Tremwil wrote a great explanation on gitthub
@ehwiwh7358 3 ай бұрын
Even players sitting on the main menu were affected! (sorry I had to type the comment like this, YT kept deleting it over and over again. Might need to "sort by new" to see it all)
@HairEEck 4 ай бұрын
This video is just perfect
@DanielBoctor 4 ай бұрын
you are perfect
@Dane-dv1ik 4 ай бұрын
These bugs seems deliberate
@ryangrogan6839 4 ай бұрын
It's so baffling to me that developers decided to beat JS into a bloody pulp until it does what you want it to do, instead of just admitting that we should probably just use a different technology. Now, we have wild exploit chains like this that are possible because we keep adding crap to make HTML do things it was never meant to do. This is what happens when you combine two completely separate and highly open ended technologies together. Of course you can do some really wacky stuff, especially when the combination of the two technologies was not expected, intended, or standardized. But we loved them so much that we forced them together into unholy matrimony. And we just can't get enough. We just have to keep coming up with newer, hotter and wilder ways to get some JS all up in our HTML.
@SianaGearz 4 ай бұрын
And on the other side we have C++, which sort of looks like it was developed for the purpose of making complex and robust applications, as were the common frameworks, but which is good for spectacularly dangerous exploits, probably more so than dynamic HTML land.
@ryangrogan6839 4 ай бұрын
I still feel that JS vulnerabilities are more worrisome because they are usually due to bad config and build tools/frameworks with bugs. These vulnerabilities would then affect all projects that use them. C++ doesn't become vulnerable until you write or use bad code.
@SianaGearz 3 ай бұрын
@@ryangrogan6839 Oh but where there's code, there's bugs, it's inevitable. There's memory safety bugs in every C and C++ framework that you're sitting atop right now, this can be guaranteed. It's not like buggy code necessarily smells, bad code routinely passes reviews and gets examined hundreds of times without something being noticed wrong, because in other possible contexts the same code is correct. My two favourite cases have been both caused by iterator invalidationm, both caused month of hunting because the outcome was wrong logic which wasn't legible in debugger, because at the point of invocation it was "correct", it was just dealing with data that could no longer exist but looked valid, and occasional malloc crashes elsewhere in the program.
@SgtStarSlayer 4 ай бұрын
Not surprised , Microsoft has been doing this since the earliest iteration of Windows.
@coladict 4 ай бұрын
Using third-party libraries like that and hoping they don't have major vulnerabilities is unavoidable. It's how pretty much the entire Java ecosystem got hacked by Log4J having LDAP parsing enabled by default.
@YeloPartyHat 4 ай бұрын
The price tag attached and knowing now that is one of the highest bounties is sad. I am very surprised how poorly this pays
@derzsidaniel7656 3 ай бұрын
The multiprocess browser model was invented by Firefox through the e10s project, not Chrome
@wannadie2003 4 ай бұрын
Awesome!
@DanielBoctor 4 ай бұрын
no you
@georgeh6856 4 ай бұрын
I wonder why the Teams main process would have unlimited access to system calls. I would think it should run in a more limited mode, i.e. not as administrator. Using one of the examples in the video, I cannot think of any reason why the Teams main process should ever be allowed to shutdown the computer. Restricting the Teams main process to be limited would by no means be a cure-all. However, it would help to limit possible damage when bugs like this are exploited.
@serviteccompletojimenez8995 4 ай бұрын
Man it's Microsoft, it's invasive!
@Sammysapphira 4 ай бұрын
Idk if you know but every single application can run "system calls". It's how it runs to begin with.
@georgeh6856 4 ай бұрын
@@SammysapphiraThere are different privileges. Some of the most basic privileges allow programs to allocate memory or write files. More sensitive privileges allow a program to make changes to the registry or shutdown the computer. So, yes, every program which runs must be allowed to do basic system calls like allocating memory. However, not all system calls are treated the same. Some system calls which can do more destructive things when used improperly are only allowed with the least restricted accounts (like Admin) or groups. That is how security models work. Not all system calls are or should ever be allowed for all programs.
@__nemesis__1571 4 ай бұрын
the least disasterous "accident" microsoft ever did
@DanielBoctor 4 ай бұрын
LOL
@MehranGhamaty 3 ай бұрын
Perfect example of why I know have a dedicated language for the front-end and the server process is ideal. Why are people making this more complex than needed?
@randomcatdude 4 ай бұрын
what im getting from this is that electron and every other webapp technology was a mistake
@TheFPSPower 4 ай бұрын
It wasn't a mistake but it has been done so poorly where everyone sets their own standards that it has turned into a very unsafe technology because there are 10001 ways to inject code everywhere. People talked shit about Windows DLLs back in the day, Javascript is on another level.
@hgbugalou 4 ай бұрын
Web apps are great inside browsers. Not so much trying to shoe horn them in to a desktop native app framework.
@Roboprogs 4 ай бұрын
@@hgbugalouit would be nice to have something HTML-like, but much more secure for developing a native desktop app, which can also generate a web client. Yeah, that’s the reverse of what evolved, but maybe that’s what we need.
@patrickprafke4894 2 ай бұрын
If you think for a second that every OS doesn't have back doors to the parent company or the government. Your special.
@heregundir8292 4 ай бұрын
risksssss, attackssss 👀 nice video tho
@Beregorn88 3 ай бұрын
Astronomical? Astronomically small you mean? How much would have cost if even only a fraction of those 270 million people sued for damage?
@DanielBoctor 3 ай бұрын
Astronomical just meaning relative to other bounty payouts. In absolute terms it was multiple orders of magnitude lower than it should have been.
@Luzgar 4 ай бұрын
Some languages have the concept of raw strings, wouldn't that put a definitive end to all of this madness?
@jondo-vh8tx 4 ай бұрын
amazing content
@DummyFace123 2 ай бұрын
teams: runs on electron, but feels like its running on java
@chrismoritz6706 4 ай бұрын
Using Frameworks is always a risk. Better write independent, but clients don't give you time and money to do so.
@chriss3404 4 ай бұрын
Eh, that's a risk too. You might close yourself off to a widespread framework bug, but make an even more common web security blunder. Picking the right tool for the job is important and if a well maintained framework GENUINELY helps you reduce complexity, it can often be a better option. Using a framework for a simple static site though? Something simple? Def go with vanilla web tech, maybe a few libraries for complex tasks, polyfills, and styles.
@gustavblomqvist1983 4 ай бұрын
Nice video. Sub well earned.
@DanielBoctor 4 ай бұрын
thanks!
@jonr6680 4 ай бұрын
Fascinating and terrifying, but this is 'just' talented humans discovering the exploit... Imagine AI explicitly tasked with taking down any software, any system. THIS is the future, and you can bet there are institutional players in certain countries doing exactly that.
@JSDudeca 3 ай бұрын
If electron was built on Deno, could this have been possible?
@mynameismynameis666 4 ай бұрын
not an accident, a data sales.
Tomaž Zaman
Рет қаралды 1,1 МЛН
China Observer
Рет қаралды 771 М.
Immersed
Рет қаралды 13 МЛН
Ujjawal4u. 120k Views . 4 hours ago
Рет қаралды 10 МЛН
Павел Хмурчик
Рет қаралды 115 М.