The popunder developer is gonna put a hit on you

I can't help but admire those people for finding these bugs again and again. Reverse engineering them is one thing, but actually discovering them is really impressive. Don't get me wrong, I hate popunders as much as everyone here.

For that debugger trap you can use the "never pause here " feature of the of chromes debugger by right clicking on the line number with the debugger statement.

Thinking about this makes me realize that there is "battle" between greedy programmers who just want to find exploits to earn money (people who make those pop-under javascript libraries) and guys like you who try their best to quickly figure out their exploits and report them so that they get fixed. Now, every time pop-up/pop-under gets introduced I'll remember this, browsing the internet will never be the same again, at least for me. Thank you for your hard work!

This actually taught me how to debug JavaScript properly 😂!! win win

You are a pure genius! I'm sure those people who make library flips all the table in their office by now. Great job! Thank you for sharing it 😄

@LiveOverflow. Funny thing is that back in 2012 a ticket was opened to discuss if it would be possible to pass user gestures over postMessage. Back in 2012 it was quickly dismissed as too difficult to implement and too easy to exploit. Fast forward a couple of years and a couple of replies later this feature was implemented regardless and merged into master. So that discussion back in 2012 lead to this exact and predicted issue. bugs.chromium.org/p/chromium/issues/detail?id=161068.

As of December 2018 they are still using tab unders in Chrome 71. Nice work.

Even after watching so many of your videos , I'm still boggled by the way you think and approach security, bugs and programming in general. It just seems like second nature .... You find out what is to be done and boom! It's implemented. As a beginner , I still get stuck in implementing simplest of tasks, not able to "get" how I can implement something I want to in code , especially when I'm not familiar with the language ...It's highly motivating to watch experienced people like you as it inspires me to work hard till the time I can be as fluent as you are ...till the time code becomes second nature. Amazing video :)

Not many people on KZbin can say this but you actually make the internet a better place. Thank you

Not only are you doing good work by finding these bugs. But you are also explaining and educating the process to get there. This so so entertaining and interesting! Thank you so much for sharing your thought process.

I'm no developer, but i'm glad this video popped under my recommendations.

LO - That totally makes sense! How didn't i understand that earlier? Me - Yeah, damn right. *Molten brain dripping down to floor*

You are the hero we need, but not the one we deserve!

Thank you for that interesting video! And some people i'm sure are angry for that, but keep up the good work!!

Oh wow such a simple but effective method, was also expecting something completely insane.

Awesome!! Just in time when I should study for my finals!

The amount of work that you put into these video's is incredible. You are probably my favourite channel on KZbin right now. I'm currently studying cyber security and recommending your channel to everyone!

If I'm not mistaken you can right click on the number of the line in the dev tools and and choose "Never stop here" to get rid of the debugger

Whoever is finding these chrome pop-under exploits - full respect. I would never think of anything like that.

1 minute of video watched and a quick glance at your other videos earned you an instant subscribe. This stuff is awesome.

If you clone the repo using --depth 1 arg you will end up with much smaller source code. ~4.5 GB

I am somewhat sorry to hear that you went through all the trouble of compiling chrome. Still pretty cool :) Also subscribed - Guess I will watch more from you now.

I love your explanation process, each step is very detailed and your thinking methodology is well documented. Keep up the good work!

What a great thriller! 10/10 would watch again!

Wow already fixed and integrated into chrome 67. Too few big players respond to bug reports that quick. Really nice to see. The library makers now need to sell as much licences as they can before chrome 67 hits :D

In-page push is an extremely interesting ad format! I use MonadPlug in-page push, and cannot believe how much I am making just on this ad format only. Its most certainly the ad format of the future!!

I'll be honest, I was quick in figuring out it was an async callback trick (as soon as I fully comprehended the timeline shown at 4:00). I expected you to look into using postMessage to open the popups as soon as you found it as the originator at 6:53. Very nice work though, keep it up.

This was so good. You're the batman of pop under bugs.

aweosme and unique tutorials...thanks for these videos...when most channels focus on using the pentesting tools...this channel really teaches us what underlying hacking is all about...one of my best channels on KZbin

Awsome! Although I'm suspecting this type of videos will become a popular and requested entry in your channel

While I agree with you saying that you hate pop-unders, I still love them because I love seeing you reverse engineer obfuscated JS.

I always feel so ashamed when i overlook something obvious like the async functions.. glad to see it happens to the best :)

These videos are so interesting, you should make more videos where you try to look at malicious code that is obfuscated and try to recreate it like this.

I've always thought something like Chromium source code is for gurus only. But when I watch how you just casually say "So I've decided to look into Chromium source code to figure out what's happening" and then actually make something useful out of this idea not knowing how it even works inside I get stunned. You seem to view it not as source code, but as a tree of abstractions. And you find and use these abstractions really well. My approach here would be to look for some articles on how Chromium works internally, maybe read Chromium docs, try to finally look at the source code and fail miserably. It's just too big. Plus I'm extremely unexperienced, maybe that's the reason I still look at source code with a bit of uncertainty and frustration. "Will I understand how it works? Do the devs provide good documentation? What if the source code is a mess" and so on. But watching your videos made me think about how I approach such tasks. Thank you, great work!

That's why I used custom builds all the time (when I can).. it lets me get around DEBUG checks and lets me control how much detail I can view.

Awesome work! Thanks for your contribution to us all chrome users.

U are incredibly strong into Brower Code and technnics gg can't wait to see what will be next

ignoring the pop-up blocker? you are a genius

I know this is old, but you can use Burp to remove any debugger() statements so you can still use the Chrome debugger functionality

You are the hero the world needs!

LO was like, "I better download & build Chromium" and then "Oh cool, I didn't need it after all". I'd have been outraged :P Also, since you checked out Chromium, you are able to fix it up for yourself :D

Amazing work! JS can be really tricky, especially when trying to secure websites :)

Well done mate, that was some good investigation work. Keep at it :)

Very interesting video, I like how you present your thoughts and how your process information. Nice work !

I admire the bravery in diving into Chrome source code but FYI you should always assume its unnecessary. window/document/elements are all instances of the EventTarget prototype. So you can intercept every event listener with just: const orig = EventTarget.prototype.addEventListener; EventTarget.prototype.addEventListener = function(){ const [eventName, fn, capture] = arguments; console.log('someone tried to create event listener', eventName, 'for', this, 'with function ', fn); orig.apply(this, arguments); } If you run this in a userscript (with tampermoney) with @run-at document-start, it will capture event listeners before any other javascript has had a chance to load. I use this technique to modify web-based games.

You are doing God's work. People who lean on these techniques to 'advertise' are the scum of the earth. Seriously, who has ever, ever, made a purchase from a pop under ad? The lengths they go to these days makes me have zero sympathy for sites I use ad block on. Your methods of advertisement via annoying and tricking the end user are just reprehensible. Site owners that rely on ads need to reevaluate their designs that rely on these shady techniques.

80gb of disk space to build chromium? that is insane! i haven't built it in years, but it was never this bad - at least on linux.

Another option that might have been possible is to break the link to the script doing the popup (e.g. rename the key/function it's under) and hope whatever is referencing it to be triggered later aborts with an error.

nice i think they might just updated it unless it already been out awhile just got the green update required sign on chrome =) i got it almost instantly while watching this video, great content as always!

78 GB of source code???? holy crap.... holy crap man. and god bless you for finding that annoyance, you are a hero!

Doing gods work right here!

This channel is so much fun!

Cat and mouse in the browser ;-) awesome detective work

Amazing work and write-up. You are a hero :)

Amazing work as always Sir !

This website teaches me more practical stuff than my university

You really inspire me, thank you for making videos

Nearly 100k subs! I thought I'd better sub and help you on your way! Great content.

Man this is amazing. Great video.

Yayyy, Popunder is just tab-under now.

Why not call the original setTimeout function in the modified one, so that you log the function call and also do not break the code. This can also be applied to other interesting JavaScript functions, to get something like JavaScript instrumentation.

Amazing work, dear!

doing the lords work son

can the same things even be found using firefox? From watching this video I found out the Firefox developer tools are quite different.

You are so cool LiveOverflow. Amazing video.

For the longest time, I've wanted a setting in browsers that would suppress ALL open tab/window functions no matter where the call came from. This setting should be easily accessible so I can allow popup for say, the bank or better yet, create a white list of domains for it. Thought of hacking it together into a custom built Firefox, but then I got lazy because I thought of all the FF updates and I'd have to rebuild and maintain the feature.

Amazing work!

@LiveOverflow why dont you use Alert() as an breakpoint when the script stops the debugger?

You are a beast! Great video 😄

I would like to see one of your videos about code virtualization and obfuscation. For example VMProtect on windows or any other software that virtualize and obfuscate the assebly of an executable. I obiously don't ask for a guide to reverse it, but just a quick analisys and explaination on how they works. It would be interesting to me. Thank you and great work with this channel.

Awesome game of cat and mouse going on, GOOD WORK!

3:50 I would then call the actual timeout function, but only when it's not calling debugger. There's many ways you can identify the unwanted calls. Maybe just ignoring the calls with 5000 ms. (editing comment as I watch the video) 7:00 That's obviously a web worker. 14:25 Huh, no web worker necessary?

Really great work, highly aprreciate it =)

seem like that use artistscope to protect video, have firefox custom aplication

That's just one awesome video :) Thank you

Could you use the custom build to disable the debugger statement?

I'm curious how Google would fix that. Disallow postMessage in onclick-Handlers? Disallow window.open in the message-eventlistener? Both seem to come with possibly unwanted sideeffects that might break harmless code.

Great video! Nice find

What font were you using in Sublime?

postmessage allows javascript to send messages from page to tab, page to page, page to locally, doesnt work on IE though.

doing gods work here

Fabian God mode activated ✔️

what is a popunder?

dude. just create a stack trace in settimeout and check if it matches the debugger location. you could also tostring the callback and check if it matches.

Great find! (and a nice trick)

How about creating a webworker and he triggers 2 meesage events which then trigger popups?

Why not do a popup but the popup is the same website and the old website changes

This channel is awesome

His code is obfuscated with an open source obfuscation engine, there are a few template that the engine uses to detect unminimization and tampering of anti-debugging code, the templates are here, could help you recognize a few code pattern that this engine generates: github.com/javascript-obfuscator/javascript-obfuscator/tree/master/src/templates Basically, the code will match a few small functions with RegExp and enters an infinite loop or just throw an error if the test fails. The template code tries to decoy itself as a library (e.g. cookie manipulation functions), also sometimes it uses Unicode to mask difference in two strings, a lot of good tricks.

I just set option in browser to always open everything in new tab. I just don't see any reason to have multiple browser windows. Never have any problem with popups.

Got curious if popupunder works for current chrome v77 but I cant find its homepage. :D Hilarious! Good work!

"Fixed, will request a merge to M67 on Monday."

but why it still works? Haven't they fixed it

dude u got me subscribed after watching 1 minute in

Wow, nice work 👍

You could modify V8 to change the debugger keyword to something else, the anti-debugger wouldn't work and you could add the custom keyword to trigger the debugger

Aaand 5 days after the initial report there's a patch commited to the repo... Props to all. I love this continuing battle between popunder libraries and LiveOverflow.

That's some crazy build time, about 5 times of firefox on my I 975k

The popunder "owner " must hate you really badly for doing this 😆