Permission to Hack You: Illicit Consent Grant Attack

Рет қаралды 58,915

John Hammond

Күн бұрын

Пікірлер: 81

@_JohnHammond 24 күн бұрын

big yikes so anyways join up at jh.live/training and jh.live/newsletter if you want i guess idfk lol

@cinderwolf32 6 ай бұрын

This is a massive issue in the Hypixel Skyblock community for Minecraft. There are plenty of incentives to link your ingame profile to discord bots which interact with the Hypixel API to provide utilities around your ingame stats, and many people end up misled and thinking the ones which ask for authentication with Microsoft are safe. Accounts are stolen left and right, and I believe the people stealing them are turning right around and selling the profile / ingame items and coins on real world trading sites. Probably often to the same people they stole from, who may then want a quick way to get close to the level of progression they had before they unknowingly gave away their account.

@Atmatan 6 ай бұрын

Sorry, whale blubber is tasty and I have no empathy here.

@geroffmilan3328 6 ай бұрын

@@Atmatan well, nice of you to volunteer for my team's TargetDummies list, we're always looking for people no-one else would care about to test PoCs on 👍

@xCheddarB0b42x 6 ай бұрын

you might be interested in the recent Darknet Diary episode about the Roblox player > Roblox stealer > cryptothief life cycle. Wild episode.

@ultravioletiris6241 6 ай бұрын

Paying for a Minecraft account is one of the saddest things ive seen in awhile

@_JoeVer 6 ай бұрын

@@ultravioletiris6241true.

@OctaMihail 6 ай бұрын

Funny enough, today I ran ping castle on our tenant and saw the option that every user could grant permission to any app 😂😂

@trouble-1 6 ай бұрын

That tool was written by me :)

@mikee. 6 ай бұрын

The editing is wild on this one 🙈

@nordgaren2358 6 ай бұрын

What did I do? :|

@cat47 6 ай бұрын

@@nordgaren2358 it looks like it plays two takes of him turning his list into a string list at around 14:30

@nordgaren2358 6 ай бұрын

@@cat47Ah, crap, yea. Sometimes it can be hard to edit those out. You'll see why at the end of the year. Haha 😅

@lsik231l 6 ай бұрын

@nordgaren2358 what's happening at the end of the year?

@nordgaren2358 6 ай бұрын

@@lsik231l you'll just have to keep watching to find out. :)

@geroffmilan3328 6 ай бұрын

I like this technique, have been using it for at least 4 or 5 years on engagements This weird coincidence might amuse about 3 people, but just for them: TIL that there was a composer called John Hammond, on account of getting a YT notification about him while watching this..

@Zachsnotboard 6 ай бұрын

Seen this used as a persistence mechanism for an already compromised account, not really for initial compromise

@ThinkOrchid 6 ай бұрын

Another fun video as always with all the debugging :D

@youtubasoarus 6 ай бұрын

The first time I ever saw this I thought it was the most re todded things i'd ever seen. Why would anyone EVER give their credentials to a third party website?

@Archmage9885 6 ай бұрын

Same here. That's a terrible idea.

@x1k790 6 ай бұрын

In corporate world, bc staff isn’t adequately trained and goes clicking on stuff that looks totally legit. In civilian life, people are promised free stuff. Basically ignorance and greed 😭

@robertb6276 5 ай бұрын

The trick here is they aren't giving their credentials to a third party site. The site that prompts for the credentials is Microsoft's

@peacefaker1170 6 ай бұрын

That's excactly why the first thing you do on any tenant is to block user only consent.

@threeMetreJim 6 ай бұрын

My comment about getting back at some bad actors has been hidden. Hopefully John has read it, as it would make a good video.

@roxyu3384 6 ай бұрын

consent for my organisation... just never click that and your good

@vpakarinen 6 ай бұрын

requirements file should be a mandatory these days, makes me mad when people doesn't do things properly.

@floppa.flo88a 6 ай бұрын

your mic was quiet in this video

@lsik231l 6 ай бұрын

I like when people leave in mistakes/issues/errors while using these tools. We can learn, troubleshoot, or prevent them. Thanks

@LabelsAreMeaningless 6 ай бұрын

While I find these videos fascinating I also always wonder how they're being allowed. I understand it's dual purpose in the sense that people could use this information to know how to avoid these types of attacks, but it's also helping bad actors learn how to do these attacks, and how to avoid being caught as easily. Same as the videos such as 'how easy it is to steal a car'.. and a ton of others long these lines. I often wonder how it weights the scale in terms of more people being helped or more people being victimized.

@madezra64 5 ай бұрын

This is the EXACT reason why these attacks today are so rampant and easy, because you have the mentality that willful ignorance is somehow a security feature, when in reality it's causing billions of dollars of damage to innocent people because nobody will teach them how to defend themselves or identify threats. Do we ban people from learning Brazilian Jiu Jitsu, Taekwondo, or self defense in general? No, we encourage it and need people to learn how to fight, so that they can DEFEND themselves from others who would love to take advantage of the ignorance being willfully imposed onto their victims. Look, I hope you can take this comment for what it's worth and recognize that teaching people how hacking and cyber security works would exponentially increase the safety of hundreds of millions of people who normally never would've stood a chance because people want to gatekeep knowledge, because that's exactly what that is. None of these attack vectors we saw in the video would be of much concern if people actually knew how this stuff worked. Then they could be PROACTIVE and not REACTIVE. PROACTIVE defense is the safest and most effective means of protecting yourself and others; being SMART.

@gunnargu 5 ай бұрын

I wonder, can admins prevent users accepting certain permissions, f.ex CRUD on email sounds really dangerous, why not have a whitelist for app ids that are even permitted at all?

@gunnargu 5 ай бұрын

What sane person would approve that kind of app permission request, that's insane to me.

@KevinMitnickWood 6 ай бұрын

Thanks for your all informative videos

@khaelkugler 6 ай бұрын

Bro is learning

@ITTom 6 ай бұрын

Should’t Conditional Access prevent that attack ?

@WesselvanderGoot-tb9gg 6 ай бұрын

I don’t think so, the user gets tricked to sign in from their own location and IP-adres, from their usual device.

@Marenthyu 6 ай бұрын

It does not. OAuth is specifically meant to gather consent from a signed-in user (with CA) to act on their behalf. The Access can also be revoked again and the Admin can require Administrator Approval for unknown/new Apps to be able to grant access.

@mikezio 5 ай бұрын

365 developer program has not not gone to the wayside

@xdcountry 6 ай бұрын

that was pretty sweet -- I like getting token via HAR files though -- this approach is really interesting!!!

@KieranFoot 6 ай бұрын

I'm still a member of the developer program and have had no notification that it will end... Also, I guess you meant to choose the account type that includes personal accounts :P

@_JohnHammond 6 ай бұрын

As far as I know, existing accounts will continue to operate (like mine or yours) but I don't believe it is freely available to new users now-- unless things have changed since. o365reports.com/2024/03/14/creating-a-free-microsoft-365-e5-developer-tenant-is-no-longer-possible/

@KieranFoot 6 ай бұрын

@@_JohnHammond Hmm, good to know. Also, great video. So many people misunderstand the intentions of OAuth/OpenID :)

@Shadow-Algeria 6 ай бұрын

Best time❤

@ELVISismaelyumbainabanza1942 6 ай бұрын

H E L L NO.

@Atmatan 6 ай бұрын

Why you only calling out threat actors with this? I'm getting sick of Google tracking me all over the net: they force me to sign in to a reddit account that I never even signed up for every time I even remotely visit reddit in my searches. I can't delete the account, I can't unlink it, and it logs back in on its own every single time. The only solution is to just not use Google, which, would love to, but then I wouldn't have a phone.

@PaulaXism 6 ай бұрын

Do you have access to your cookies?.. Desktop user. made this mistake and had to delete a few to stop this

@ChristopherBruns-o7o 6 ай бұрын

There is a vuln in andriod bio metrics. Im on oreo or jellybean maybe and Have guest account and now i need biometrics to sign into my second account and not the primary. The google accounts aren't linked either.

@LeonEdwinsHeart 6 ай бұрын

Thank you for sharing this

@fadiallo1 6 ай бұрын

Hello John Do You Know This Channel "george hotz archive"? Can You Do A Video Like Him?

@rufussthubbins8891 6 ай бұрын

@19:12 why is the code “redirect_uri” for url? Is the forging of an l to an i necessary?

@kcnl2522 6 ай бұрын

uri and url are different things

@Atmatan 6 ай бұрын

URLs are a specific type of URI. URIs cover a broader range of identifiers, including URLs and URNs. Both URLs and URIs identify resources.

@ItzRuiiiiii 6 ай бұрын

YOOO, So this is really common for Hypixel Skyblock on Mincecraft

@kernowaudits 6 ай бұрын

Try for real this time.... 😅 Persistence is the key lol

@carebearcarebear8185 6 ай бұрын

"tenant" lol

@popeyehacks 6 ай бұрын

Heyz John ❤

@Capiosus 6 ай бұрын

bros on hypixel skyblock hacking again

@Xetrill 6 ай бұрын

How is that an attack? You literally just created an app and registered it, that's all. All you showed is that leaving a M365 tenant non-configured is a bad idea. Because it allows users to arbitrarily register apps. But, that's easy to rectify, just follow MS recommendations. They are right there in the Entra panel. This looks to me like InfoSec making an issue out of a nothing burger and congratulating themselves for it.