To try everything Brilliant has to offer -free- for a full 30 days, visit 👉 brilliant.org/DanielBoctor/. You'll also get 20% off an annual premium subscription! THANKS FOR WATCHING ❤ JOIN THE DISCORD! 👉 discord.gg/WYqqp7DXbm 👇 Let me know what type of content you would like to see next! 👇 Thank you for all of the support, I love all of you

"Why are you so worried about Microsoft and Google having all your personal data?" Me:

Why on earth would a health application need to execute remote JavaScript from client to server? Most of these bugs wouldn't exist if this feature hadn't been implemented in the first place

The real question is "who trusted Microsoft with healthcare data"

200k is not a fair price. Even if microsoft stock only fell down 5% after leaking 100 million *medical* data, this would cost them 162 billion. This is equivalent to paying someone a dollar for protecting your millions... after you mess up.

Should have gotten way more than 200k for something this severe…

Wow, giving user interactive chat robots Root Privileges hasn't worked out well. Who would have thought. Please, let us hold hands in stunned silence.

Leave it to Microsoft to do something so stupid it boggles the mind.

Anyone else notice that bug bounties often have a habit of not paying? You'll find the bug and they'll say "Oh we already knew about that" then patch it and act like its no big deal.

I think a better question is why does Microsoft AI have access to private medical records.

Microsoft CEO even announced last week that they would replace the entire azure product line with only ai "agents" where the bots would be able to create, update and delete all data on your services on azure...

AI and nodejs. Name a more iconic duo of security terribleness.

I’m surprised the microsoft patch wasnt to just ban his ip and then have bugfixes to add his new ip every time

Probably was due to AI code being used for the backend! People don’t understand how many security vulnerabilities are to come out from all the AI code being written!

as if i wasnt already worried by the whole "copilot takes screenshots of your computer"

Why the hell was it connected to the medical data in the first place?

I can't wait to cash my $2.49 check after the lawyers suck all the value out of the class action data breach lawsuit.

Running arbitrary code on a machine with sensitive data sounds like a recipe for disaster, even when sandboxed... They should definitely give the "running javascript" bit to some other server that only does this. That server can then be isolated from the rest, making any breach somewhat useless.

One of the great things about being American: I ain't been to a doctor in decades, you got nothin on me

"AI WiLl RePlAcE SoFtWaRe EnGiNeErS!"

It seems like QA and security is irrelevant today. The only thing that matters is getting out a semi-broken thing as fast as possible

Sound like a HIPPA violation!

tHErE wiLL Be nO SuCH thINg aS teCH joBS BY 2030!!!

Personally I would never ask AI for any serious health issues, even if they were 100% private and 100% secure because if AI happens to hallucinate then I can easily end up on 10x worse situation than I started with. If there is something I don't know how to deal with I would rather go to doctor and get some real advice than for example trying to heal flu by standing uv light and drinking mercury.

"Little Bobby Tables we call him"

Simple , it's Microsoft.... they write their programs to just do things... security, safety and non-crashing come later... I went to a MS conference once with their programming team... where they outlined their programming development and internal "mantra" when i left I was completly shocked at how lax they were... They basically write software with as few checks and balances as possible, it just matches the spec & that is it.. when they have to modify the systems for other uses.. they just make changes & fix what visibly breaks

These Lawsuits need to be far more punitive, there needs to be drastic consequences for exposing and harming so many people!

4:50 - using query code that is not read-only / execute is a security issue

"Can't fix stupid" theory confirmed

In Germany the Bug Hunter would have been sent to jail because of the Hackerparagraph and the bugs would persist.

These are super basic level mistakes, that would never pass a security audit. I am more concerned about the info sec standards of the healthcare organisation that they worked with.

So, it's basically like hunting for open folders, in 1997, to dump MP3's on unsecured FTP servers in order to share music. Gotcha.

All doctors that dared to upload personal info were compelled. Who is going to pay for this? I would say all corporations and doctors must pay.

Imagine if a certain legend asked for help removing a specific cylinder…

Whoever worked on this must be borderline non-functional. Was this whole project just 1 dude? How did not a single person on the team call out this insanity? Insane.

That's why I don't use gadets to monitor my health, our data is incredibly valuable.

People: Why don’t you trust AI tools? Me:

while the services of M$ have been becoming broader and more sophisticated, the quality really keeps going down the toilet.

Apostrophe fail.

Well explained. Amazing work

hackers are such nice people, that hacker could have made everyone's medical records say they tested positive for aids. it's wonderful we have bug bounties and they are paid, hard work was do to earn that small sum of money and the whole world benefits.

Wow I can't find a job but these clowns can

Total Recall and CopePilot+

Oh wait, hold on, Microsoft doesn't know what the fuck they're doing? With AI?? Noo that can't be right. Again?!?

can someone explain exploit 2, specifically the part where the bug hunter modify the underscore module "_.indexOf()", how did he modify it on the azure instance ?

Isn't that also the corporation, which "promises" that making photocopies of your screen all the time does not break privacy?

This makes me just think about co-pilot. Microsoft is getting greedy with their data stealing.

The omniscient AI has certified that the code was secure. Oops that was a hallucination. Okay delete/ fire that AI and try uploading a new one… which is almost identical, and trained on the same data set. It’s just good business.

I wonder if they could have made more then 200k if they would have placed a short position on the stock and informed an hacker group about the holes.

Can’t help but think the term “updationing” was part of conversations during development of this.

In case you forget, Microsoft will help you Recall this instantly!

Videos like these just leave me in awe of how little I know about programming

Omg the vids are back!!!

Brilliant video, thanks!

Welcome back!

Dude i just discovered your channel today and speedrun all your vids, love the content and the way you go in details without losing anyone that know a little abt cybersecurity, definitly got a sub keep up with that content and youll become big we feel your passion and that what make it special! Hope you have a great day my dude !

But this story is not about AI anyway.... AI bot not leak anything, stupid platform architecture and stuipd developers (who maybe were expert in AI but not not in other areas)

Nothing can go wrong, go wrong, go wrong

god these companies are stupid. they want AI to be a thing so bad that consequences be damned

Very interesting. Underrated channel, you earned a new sub!

that wild bc most basic thing for sql is to prevent the moving of going back .. as well as doing a ls of a dir row colm etc. failed huge.

I know little about software engineering n this kind of crap, but god I love your vids explaining it so clearly. Keep up the amazing work m8!

How was the underscore module modified remotely??

Internet Computer: solves this problem permanently

My take away from this is that nodejs is not secure by default, and needs some careful design and hardening to make it production grade. Compounded with dynamic and super flexible JIT nature of node, it sounds like a nightmare.

*Yep. Mine was stolen and the medical field still tries to harrass me, when they can't even protect my confidential information.*

Please make more videos, I'm getting addicted to your explanations

This is straight up malfeasance. It is not caused by AI, but is an classic injection attack using APIs that are not engineered, by design, to sanitize inputs and enforce data permissions regardless of how the LLM calls the agent tool. It's like everything they learned about securing data APIs went out the window as soon as they put the API behind a chatbot.

No way the legend is uploading again!!!

Excellent video, editing, sound design. You deserve more views (:

Why haven't I heard about this? No other videos relating to this topic

This must be why my organization sprang new AI rules on us recently regarding using AI with any sensitive medical or org info.

Remember, when you adopt a package/technology, you adopt all it's flaws.

Node js is a menace, dude

@5:55 I think you've either misinterpreted how the query injection works or the exploit you copied from wasn't documented correctly. Unless MS has made a mistake with implementation of building a quert. If this is even actually a reality. I feel like it's not. But first the query needs to be completed by providing an escaped ' and ) and then you can initiate the other escaping to insert the transversal and allow the query to be completed again.

Why is the back-end in JS instead of a strongly typed language which would reject input and help require data be properly sanitized? Why is the database input not properly sanitized?

Why doesn't NodeJS remove the SlowBuffer class from the Buffer module? It's been deprecated for 8 years and there has been 17 major versions since then. I don't get it.

Data breaches are often the result of errors in system management or configuration, not “automated” AI. More importantly, the responsibility lies with the humans who design, deploy, and monitor the system, not the AI ​​itself.

Somehow all these big tech companies don't pentest their products... Good for bughunters and black hats

All of them came down to sanitizing input and isolating data... it didn't have to cost nearly as much as 200k , but props for the hacker

how did they get 100 million records?

sounds like they are doing commands that microsoft does automated meaning microsoft is probably already selling that data

Microsoft try not to humiliate your entire company with terrible design challenge.

video qulaity and explanations are amazing ,

Seems very similar to a modern version of SQL injection

If a company with bad intent and a history of monetizing directly or using for AI training purposes data it doesn't own the rights to do that with? "My AI leaked it" and "this third world company used the leak data and provided us with this trained AI and or customer contact and needs data it said was legit and we used it for monopoly purposes". Well played M$!!

Personal information needs to be away from any automation. I am not surprised ai messed up.

This was fascinating

This sh*t has just been driving my anxiety through the mfing ROOF.

Its not an accident. Wake up fools

"I'm sure all these tech companies laying off ~10% of their developers will have no impact whatsoever, I mean it's not like those people did anything, right?"

So once again, the super smart programmers of Microsoft allowed direct access to data, rather than buffering it, ensuring encrypted connection between intermediate server & data, as well as not keeping the AI software isolated from important data. Also, adding directory capabilities within a URL, rather than having the server or data server do the searching has been a known exploit/issue for decades. You never allow directory level execution or maneuvering at the URL level AND we have become so dependent on showing URL data, that this type of thing will happen due to sloppiness. as the old adage goes: it isn't the new guy that gets hurt (makes serious errors), it is the experienced person because he becomes so confident in his experience

This is criminally negligent. We, the people, need to hold companies and CEOs (corporations aren't people, but people run corporations) for software negligence. This data literally represents peoples lives, not bargaining chips for business deals.

"a" hacker "A" hacker, several people have shown how easy it is to do

sooo, they wernt sanitisign inputs? still watchign,.t hats A ENTRY LEVEL SECIURITY ISSUE and bug

Great video man! So cool that I know this guy in real life.

Where do we sign up for the class action suit?

Now imagine that government of Poland keeps data on Microsoft Azure cloud.

"one of the highest paid bug bounties" - Have you seen NSO's payouts...?

That is...certainly a way to pronounce "JavaScript" that I haven't heard before.