Too often sites don't require reauth to change account settings. Huge fail! If they can't change passwords, email, phone numbers, or delete accounts you at least have the ability to get your account back. Also KZbin.. don't allow video deletion without reauth!

you can't steal mine *aint got one*

I think it gets even scarier when you start looking at mobile platforms

There are legitimate problems with session tokens, but this isn't one of them. If the attacker has code execution, stealing the session token is a matter of convenience. They could just remote control your browser session.

John Hammond's next video: How I social engineered myself. (For educational purposes only)

Knowing this can happen from a simple file download is is actually insane. Seriously more people need to know about this. Appreciate your attention to detail and clear explanation. I would LOVE to see more videos on this topic of vulnerabilities and online privacy/security. I subscribed

Cool video, even if the scenario seems a bit contrived(just assume ACE on the victims machine, lol). But from what I can learn about Flare I don't see them doing anything useful. The idea is to scrape publicly-available information from paste sites, forums, etc. and "the dark net"(just more forums probably), and then analyze that using simple string pattern matching and "AI" to "warn" their customers. But such data is very often not uploaded immediately to such freely available public sources because the hackers want to use the data themselves or sell it(can't sell it if you've already given it away). They basically get to see the data that is so low-value to hackers they give it away for free. At that point you've already been thoroughly hacked, the hackers have made their money, and have gotten away with it. This tool might help you "mop up the floor" a bit afterwards. It does nothing to actually protect you, and detects threats only after they've been fully exploited. Investing in additional actual IT security(-worker, education, programmer time, etc.) seems more prudent.

I'm highly surprised that Reddit doesn't match secondary data to their sessions. In eCommerce and secure application practices, sessions must be matched to things like GeoIP data. I've been exporting cookies and keeping them on a flashdrive to use my sessions on other computers since I was a teenager. Interesting to see it hit the mainstream.

Is there a way to make Windows programs more like Android where when an app wants to do something to your files that aren't related to that specific app (for example, reading web browser cookies) it has to ask for permission first?

Take a shot every time he says “infostealer malware”

Most websites use a double check if you login from a different IP address, so you might need to proxy of vpn to that country

A bit worried this violates the Reddit ToS even if only a demo. Hope they don't mind. Would be silly of them to care anyway.

I started to watch this video and was like "no way you can easily steal sessions", and I was right. If your victim is ready to click on random applications, it's not "easy", you can only steal from complete idiots

This is, as usual 90% informative and entertaining, and 10% scary 😅

This is scary man!

Can you pls share your script's so we can do it for our selves pls?

You can simply paste that into another browser using a plugin n you have successfully done the same

What if the person is using Incognito? Or if they clear cookies before closing the browser? Because when the browser is open, the files which contain the cookies are locked until you close it.

Wow, thank you for sharing this information. I love this kind of stuff that show the vulneravilities

Was your windows defender enabled? Would it stop the payload from downloading on the system?

The best keyboard and mouse combo ❤❤ awesome content as usual!!!

Enabling Device Bound Session Credentials in Chrome (Flags) does not help to prevent cookie theft?

Seems that we all view windows as a joke rather than an OS. lol

I like how the hacker is so leet, that it says leet in the name twice.

Where do these infostealer logs come from?

Awesome!!! Thanks Hacker

and again, it needs a stupid one on the other side, as, 99% of all techniques

Bro you're the real hacker. Great 😃

of course it's cookies. but nice user name tho

Was Windows Defender turned on?

i stole my own reddit account too. i just input a password and it works

Hello from Argentina !!!!!

Now its my time to unsub, this was the worst clickbait ive ever saw.

Could of sworn you were wearing overalls at first

umm, what's the purpose? (also I don't have a Reddit Account so you can't hack mine)

Ok.

John Hammond please talk about app bound encryption and how Hacker bypass it by opening chromium browser on debugging mode

I lost my account

Running out of video ideas? 😂

I would be surprised but Reddit has always had bad programming. Any programmer with a brain can tell.

Hi

Sorry, but it captures the cookie itself, it's beautiful in practice, it shows me you making a network sniffer in vps, capturing the network packets without any, client-side failure! And capturing session cookies, on an onion network for example! Baby script I am too

CPP book malewear analysis name show mi

🎉

Great video.

mic way too loud hurts the earholes no need to shout dude!

Wow 😂

🎉🎉🎉

First!

If you pin this than you are a legend (actually already).

First here !

I need your help bro please tell me where can i contact