How Microsoft Accidentally Backdoored 270 MILLION Users
Переглядів 233,770
День томуTry SquareX for free today! 👉 sqrx.io/dbv2_yt
In this video, we take a deep dive into the Microsoft Teams RCE (remote code execution) exploit chain, discovered by bug hunter Masato Kinugawa. This exploit chain consists of cross-site scripting (XSS), prototype pollution, and a sandbox escape within the desktop application framework Electron. Whether you're a pen tester, security researcher, or cyber security expert, having a solid foundation in web and desktop technologies, as well as JavaScript, prototypes, and APIs are crucial.
JOIN THE DISCORD! 👉 / discord
0:00 - Overview
0:46 - Electron
2:30 - Entry Point + Chain Architecture
3:25 - Cross-site Scripting (XSS)
6:53 - Prototype Pollution
11:10 - Sandbox Escape
13:26 - SquareX
Masato Kinugawa's report:
speakerdeck.com/masatokinugaw...
AngularJS RegEx:
github.com/angular/angular.js...
SquareX socials:
Twitter: / getsquarex
LinkedIn: / getsquarex
Instagram: / getsquarex
Facebook: / getsquarex
Blog: labs.sqrx.com/
MUSIC CREDITS:
LEMMiNO - Cipher
• LEMMiNO - Cipher (BGM)
CC BY-SA 4.0
LEMMiNO - Firecracker
• LEMMiNO - Firecracker ...
CC BY-SA 4.0
LEMMiNO - Nocturnal
• LEMMiNO - Nocturnal (BGM)
CC BY-SA 4.0
LEMMiNO - Siberian
• LEMMiNO - Siberian (BGM)
CC BY-SA 4.0
LEMMiNO - Encounters
• LEMMiNO - Encounters (...
CC BY-SA 4.0
#programming #software #softwareengineering #computerscience #code #programminglanguage #softwaredevelopment #hacking #hack #cybersecurity #exploit #tracking #softwareengineer #vulnerability #pentesting #privacy #spyware #malware #cyber #cyberattack #bugbounties #ethicalhacking #encoding #lowlevelsecurity #zeroday #zero-day #bugbounty #security #cybersecurity #breaches #databreaches #bug #bugbounty #pentesting #penetrationtesting #backdoor #javascript #XSS #crosssitescripting #web #webdev #electron #HTML #hacked #BeFearlessOnline #SquareX #Befearless&SecureOnline #Cybersecurity #Privacy #Security #Cybersec
@DanielBoctor 2 місяці тому
THANKS FOR WATCHING ❤ JOIN THE DISCORD! 👉 discord.gg/WYqqp7DXbm ** UPDATE ** A few commenters have been confused weather or not Teams was using the deprecated AngularJS, or the new Angular. The answer is that it was indeed using the deprecated AngularJS. I even referenced the exact line of code in my description, within the old AngularJS: github.com/angular/angular.js/blob/47bf11ee94664367a26ed8c91b9b586d3dd420f5/src/ng/compile.js#L1384 Why was it being used after deprecation? My guess is at good as yours. Perhaps they were in the process of shifting away from it, as this only happened 5 months after it was deprecated, but still... The only part that I messed up on was @ 5:53 - I used the wrong README. This should have been the old AngularJS. I stand corrected. Thanks to those who pointed this out! ** UPDATE 2 ** Thanks to @Possible1985 for pointing out that the sentence @ 7:52 should have read "even if nodeIntegration is DISABLED", not enabled. 👇 Let me know what type of bug bounty reports you would like to see next! 👇 Thank you for all of the support, I love all of you
@Pr0toPoTaT0 2 місяці тому
I love people too 💓 💗 ❤️ 💕 💛 ♥️ 💓 💗
@emo666man122 2 місяці тому
this the shocker that they made such a big deal about using this malware over c-19
@sharonfox 2 місяці тому
Angugar?
@CatFish107 2 місяці тому
When you started the section on xss with "but first", I thought you were about to do an ad read for a VPN. Thank you for not doing sponsored ad reads. That was a relief.
@renakunisaki 2 місяці тому
Someone really decided to make it possible to embed JavaScript in a CSS class name
@jfbeam 2 місяці тому
YES. Would you expect anything less stupid from Google?
@seeibe 2 місяці тому
The issue is more to do with the fact that Teams is injecting dynamic, user generated HTML that then gets picked up by Angular. Basically what they're doing is akin to using "eval" on a user input string, and then running some sanitizer over that input to ensure the code contains nothing bad. That's extremely bad practice, for exactly the reasons outlined in the video.
@xmine08 2 місяці тому
That's as smart as it would be allowing to download and run arbitrary java code by passing a string to a logging library, right? Oh, dang, that happened as well...
@pianowhizz Місяць тому
And that’s why everyone stopped using Angular in 2015! One of React’s main advantages has always been its protection against XSS :)
@xapk_ Місяць тому
How the HELL?😊
@Code_Capital 2 місяці тому
I'm surprised by how uncomplicated each singular step is but how much persistence is needed to pull the entire attack off...
@omanshsharma6796 2 місяці тому
Uncomplicated is a subjective term
@DensityMatrix1 2 місяці тому
@@omanshsharma6796They really are uncomplicated. This attack is more like a mathematical proof, each statement is understandable but having the insight about how to link them together is the clever bit.
@Bialy_1 2 місяці тому
@@DensityMatrix1 Working as intended... how hard is to block code injection via text chat? Crazy easy as you need specific and exact comands to do anything...
@MygenteTV 2 місяці тому
Uncomplicated? Not at all. Everything is easy and Uncomplicated once you know it. For you to pull a RCE, you really need to know what you are doing, you need to know the many different technologies and tricks to pull this off. This guy built a 0 day from scratch, step by step. That's talent, I'm not surprised he is Chinese. Those guys are built different.
@jfbeam 2 місяці тому
It's only "uncomplicated" once you've seen it done. This is a pretty novel and slick chain of events, requiring locating some pretty tiny needles in a very big haystack.
@NightMX_ 2 місяці тому
I could not pull this off if my life depended on it
@RayScheelhaase-nd9rw 2 місяці тому
Sounds like something a hacker would say
@diaahanna8882 2 місяці тому
No one could that is why it is valued at 150k $
@humanbeing2730 2 місяці тому
for real I could have a thousand years and not figure it out
@cc-dtv 2 місяці тому
git gud
@cc-dtv 2 місяці тому
@@diaahanna8882 just a matter of time spent
@kevin41420 2 місяці тому
> used electron
@jaygay 2 місяці тому
I literally paused the video at this point 😅
@mgord9518 20 днів тому
The corporate obsession with JS will never cease to amaze me
@denisel 2 місяці тому
Wow 150k for this is embarrassing. 270 MILLION high-quality targets with a zero click. 3 TRILLION company btw. No wonder people turn to crime, good thing dudes compass points north. Finding exploits is a thankless job...
@DanielBoctor 2 місяці тому
I agree with you on this. The bounty definitely should have been far higher for the impact of the exploit 🤷
@schwingedeshaehers 2 місяці тому
around 0.5 dollar per 1000 users
@commander3494 2 місяці тому
@@schwingedeshaehers wow i think an ad would make more money than that
@savire.ergheiz 2 місяці тому
Shame on M$ 😅 They should pay $1m at least.
@kkamau5479 2 місяці тому
If he sold this to any government he would've had a major pay day
@2beJT 2 місяці тому
150k is among the largest bug bounties? Wow, so now I know nothing is secure.
@kRySt4LGaMeR 2 місяці тому
modern exploit chains are pure insanity. it really makes you wonder whether all those mitigations are helping or just delaying the inevitable.
@andytroo 2 місяці тому
it's both - in some ways it shows how 'secure' things are these days - no more drive-by from script kiddies dropping quotes into text boxes. But all steps in this chain were patched - so any new security break like this needs 4 new exploit steps. And there are prizes for discovering any 2 in a row (1 alone isn't worth that much). We're trying to setup an environment where the user can do whatever they want, without allowing them to do specific actions - the target is 'hard' to achieve :)
@tylerbreau4544 2 місяці тому
A lock doesn't stop criminals. It just deters criminals. Patching exploits and improving security makes it harder to do malicious things in these apps. It's a deterrent.
@TuxedoMaskMusic Місяць тому
Grabify is a easy drive by phish used today to log your ip in a text box (just 1 of many examples) so there are still things people can do Phishing wise that just relies on social engineering A SINGLE CLICK. @@andytroo
@MaxJM711 2 місяці тому
I'm beginning to start my journey into cybersec and I couldn't have found this at a better time, amazing content my brother! As a side note, 150k seems stupidly low for the gravity of the exploit and how many people could've been affected by it
@4.0.4 2 місяці тому
And yet one of the biggest payouts ever.
@stellviahohenheim 2 місяці тому
cybersex?
@MaxJM711 2 місяці тому
@@stellviahohenheim Amen homie
@paramveerdhoot6415 Місяць тому
Now this guy should have got paid like 10 million at least. That would have encouraged more people to pursue stuff like this and find vulnerabilities. This bounty will actively discourage people which is kind of sad. Good thing this guy had a good heart/head.
@shapelessed 2 місяці тому
Amazing, isn't it? You find a critical, 0-click RCE in a company's product and they pay you out 150k... Go to a company like NSO, sign a simplr NDA and you've got yourself 1.5 million...
@serviteccompletojimenez8995 2 місяці тому
Check the history, we're talking about Microsoft!
@OrangeYTT 2 місяці тому
00:30 you should cover the highest paid bug bounty on that list, about staying in Apple for 3 months. Seems incredibly interesting!
@DanielBoctor 2 місяці тому
The headline there is actually a bit misleading, lol. They didn't remain inside Apple for 3 months - they just assembled a team of pen testers to find bugs at Apple over a 3 month period. They found 55 total vulnerabilities over the time span. The reason why the bounty is listed so high is because it's a summation across the payouts for all 55 bugs. Here's the full report if you're interested: samcurry.net/hacking-apple/
@cexeodus 2 місяці тому
55 in only three months does seem highly eligible for an efficiency-to-haul ratio bonus tbh Alone I have found about 20 in a single month, but thats across multiple vendors/manufacturers. (never been paid for them so theres no record to cite here)
@gg-gn3re 2 місяці тому
@@komorebi8182 The URL has words in it, those words tell you what site it is. If you traverse to the main domain of a website they generally tell you what they are. In this case it's a guys blog.
@DanielBoctor 2 місяці тому
@@komorebi8182oops, didn't see this till now! It's called pentester.land - pretty awesome site.
@kevinvoiceactor9694 2 місяці тому
This was an incredible video. Animations are fire, going back to the high-level steps of the exploit, and coloring the relevant code snippets were all incredibly helpful for me to follow along. Liked, subbed, did all the things. Hoping to see more from you.
@DanielBoctor 2 місяці тому
Man this is one of my favourite comments ever, thank you ❤️. You're the first person so far to mention the semantic colour coding, which I pay a lot of attention to. I'm happy it helped, and glad to have you apart of the community!
@pizza-pi Місяць тому
@@DanielBoctor semantic colour coding is life, in work and in your vids. very nice touch.
@itsthesteve 2 місяці тому
AngularJs in teams? Lordy.
@Voltra_ 2 місяці тому
The fact that they use AngularJS instead of Angular >=2 is baffling
@BlueEdgeTechno 2 місяці тому
You will be surprised by how degraded technologies these MNCs use. It requires them time to overhaul their system.
@anonymoususer6801 2 місяці тому
They still use knockout js in azure it seems it takes quite a while for a service become in production and it seems like they move slow with replacing it.
@Voltra_ 2 місяці тому
@@anonymoususer6801 I mean sure, but like AngularJS has been softly deprecated 10 years ago, fully deprecated not long after, and the last release was 4 years ago...
@mitchell6679 2 місяці тому
And that they sanitize user input a little and then just treat it as dynamic markup, that’s the insane part to me
@haroldcruz8550 2 місяці тому
It's all about profit margins, switching to a different code base is an additional cost. You'll be surprised how many legacy frameworks are still in use today even by large companies.
@ayecab 2 місяці тому
Just the right amount of technical details while providing a great overall narrative. Nice work.
@DanielBoctor 2 місяці тому
Thanks for the support! Means a lot
@Megamanthemachine 2 місяці тому
Dead ass this is better than straight up bashing Microsoft and saying go to Linux go to Linux as it’s the underlying that matters
@Pr0toPoTaT0 2 місяці тому
Thank you for taking the time to say and make all these graphics! Your hard work doesnt go unnoticed sir!
@DanielBoctor 2 місяці тому
Thank you so much! The support means a lot ❤️. Thank you for the recognition, and for being apart of the channel 😊
@Christopher_S 2 місяці тому
That was a great video, and your ad-read of SquareX was fantastic information. I've downloaded an extension for the very first time that I've seen on a video haha! I never thought I'd see the day when I'd be persuaded to install an extension.
@DanielBoctor 2 місяці тому
haha, that's awesome to hear!
@Christopher_S 2 місяці тому
@@DanielBoctoryeah I've used it since too haha!
@jacobjayme6280 2 місяці тому
Awesome video Dan! Always delivering high quality content
@DanielBoctor 2 місяці тому
Thank you Jacob!!!
@joe-skeen 2 місяці тому
Your explanation of Angular's role in the exploit was confusing to me because it seemed that you conflated AngularJS, the ancient, deprecated framework with the modern versions of Angular. It is not clear which version they were using in the exploit. The screenshots showed version 1.8 which would be the old version, which in the year of that exploit would have been after end of life support. Feels very careless of Microsoft to continue using that of version so long...
@DanielBoctor 2 місяці тому
Good question. They were indeed using the old AngularJS. I even linked the exact line I referenced in the video in the description: github.com/angular/angular.js/blob/47bf11ee94664367a26ed8c91b9b586d3dd420f5/src/ng/compile.js#L1384 Why was it being used after deprecation? My guess is at good as yours. Perhaps they were in the process of shifting away from it, as this only happened 5 months after it was deprecated, but still...
@joe-skeen 2 місяці тому
Thanks for the clarification!
@DanielBoctor 2 місяці тому
of course
@LatteCannon 2 місяці тому
These videos are so informative and well made, I can’t believe you only have 15k subs. You’re gonna make it big
@DanielBoctor 2 місяці тому
Thank you for the support! I appreciate it ❤️
@SylvainPOLLETVILLARD 2 місяці тому
Masato Kinugawa is a legend, with Gareth Heyes those are the best XSS hunters i know. 150k$ well deserved !
@glitchy_weasel 2 місяці тому
What an incredible video! I really like your explanation - complete without being overbearing. Not a JS dev, but I still could pick up on the important details - so nice job! Will definitely check out the rest of your channel. Cheers!
@DanielBoctor 2 місяці тому
Thanks for watching! Glad you liked it
@levvayner4509 Місяць тому
Thank you for a clear, step by step illustration of how each step of the exploit worked.
@ByronShingo 2 місяці тому
Another amazing video, keep up the fantastic work!
@DanielBoctor 2 місяці тому
Will do! Thanks for the support!
@tofoo_ninja 2 місяці тому
Thanks for the informative and well made video. Perfect depth for the format. Maybe you could somehow link the source in the video. Like having a foot note number in a corner
@coolinmac 2 місяці тому
This is such a well made video. Excellently explained!
@DanielBoctor 2 місяці тому
Glad you liked it!
@AlexiHusky 2 місяці тому
That took an impressively detailed knowledge of all the applied frameworks to pull off. Kudos to them!
@sangeetguha51 2 місяці тому
as always, very good quality!
@DanielBoctor 2 місяці тому
Glad you think so! Thanks for the support 😊
@Sacrosaunt Місяць тому
bruh who is this guy dude came out of nowhere and is making this clutch content
@DanielBoctor Місяць тому
LOL, this is truly a great comment
@joshua_337 Місяць тому
Great explanation, even with your pronunciation of JavaScript 😉. Your latest video on speculative execution was also amazing. Just discovered your channel today and subscribed. Looking forward to future videos as well as going through your previous ones.
@DanielBoctor Місяць тому
Thank you for the support! I appreciate it. Glad you're finding my content interesting
@randomperson9282 2 місяці тому
It’s actually quite simple but man you gotta really understand the know how’s to get in and get out. Genius to find this minuscule window from such a huge company. btw thank you for the simple explanation you made it easy to understand and amazing visuals.
@DanielBoctor 2 місяці тому
glad it was helpful
@zugly1999 2 місяці тому
6:38 love how you use Lemino's music for bgm ❤
@DanielBoctor 2 місяці тому
hes an inspiration to me
@timd6214 2 місяці тому
Amazing vid and explanation, mate! Love the channel!
@DanielBoctor 2 місяці тому
Thanks for watching! Glad you liked it
@dimo3611 2 місяці тому
I canot even Teams get render html in chat messages. Did they generally remove html support in chat messages to close down this vector?
@CoreyKearney 2 місяці тому
Eletron is an opensource program with it's own org and framework. The code is hosted on github, it is not a github project. That matters.
@DanielBoctor 2 місяці тому
You are right, however it was originally developed by GitHub. They transferred Electron's ownership from GitHub to the OpenJS Foundation in ~2019.
@rogerdeutsch5883 2 місяці тому
Was the patch to fix this problem done in node.js (or a package it depended on) or Teams? If node.js, which version had this problem? Thanks for a great video.
@chy4e431 2 місяці тому
this was *not* an issue with Nodejs itself If that was your conclusion I question if you actually followed along the video.
@justanotherbee7777 2 місяці тому
Awesome explanation. This should reach more people.
@DanielBoctor 2 місяці тому
You are an awesome fella. Thank you for the support! I'm glad that you enjoyed ❤️
@larry1851 2 місяці тому
Always a blessing to watch!
@DanielBoctor 2 місяці тому
Always a blessing to have you apart of the channel
@vijayramachandran3559 2 місяці тому
Thx for such a comprehensive explanation ñ
@jesenialimited1385 2 місяці тому
That was an awesome explanation
@DanielBoctor 2 місяці тому
not as awesome as you
@gravity00x Місяць тому
"accidentally" 😂😂😂 absolute commedian
@gridlocdev2023 2 місяці тому
Hey, just a heads-up the way the sponsor was mentioned in this video may have violated UKposts sponsoring disclosement guidelines since there wasn't a verbal disclosure and/or paid promotion notification. (See the "Add paid product placements, sponsorships & endorsements" UKposts Help page) I'm not a creator myself, but the way to properly do it would probably be one or more of the below two things, I think: - In UKposts Studio, under "More", clicking the “My video contains paid promotion like a product placement, sponsorship, or endorsement.” box will display a "Includes paid promotion" disclaimer at the first 10 seconds of the video - In the UKposts video content or description, I believe there's some requirement to verbally disclose the nature of the relationship with the sponsor. E.g. by saying "You may want to check out this video's sponsor, SquareX", or "This video was sponsored by SquareX", etc.
@DanielBoctor 2 місяці тому
Thanks for bringing this up. The paid promotion option was always on, and the notification was always present at the start of the video. Are you sure you didn't see it? It shows up for me. In terms of the verbal disclosure though, can you find / link where it states that? I looked through the page that you referenced, and nowhere could I find any sort of verbal disclosure requirement. I genuinely appreciate your heads up, I just couldn't find the verbal requirement anywhere. Let me know if you can find this. Thank you
@sawxpatscelts 2 місяці тому
$150k ain’t much of a bounty for something that could topple your entire company.
@JNET_Reloaded Місяць тому
Hey im on indows trying to get git to work defender sais its a threat when i install it and git still dont run correct any ideas?
@pabloenriquegorga4222 2 місяці тому
Excellence again ! thanks you !
@DanielBoctor 2 місяці тому
thank you for watching!!
@KristianKumpula Місяць тому
0:20 Why did you put slashes instead hyphens into that command?
@PeachBug 2 місяці тому
I don't get it... how did we get from it not being possible to send HTML to being able to set the class value of a HTML tag on the renderer?
@DanielBoctor 2 місяці тому
We were always allowed to send HTML in chat messages - it was just sanitized, restricting the specific HTML elements and classes allowed. This exploit was able to be pulled off because the only class that we used was the swift-* class, which was allow-listed by the sanitation library.
@PeachBug 2 місяці тому
@@DanielBoctor thank you, he just used one of the allowed HTML tags, now I get it! :D
@rockNbrain 2 місяці тому
Nice job dude🎉
@petar0402 Місяць тому
I work in IT and I hate Teams app with great passion. Actually, ANY app or a script that auto-launches itself in window mode by default.
@SimX9000 Місяць тому
Really well done video
@vicitacious 2 місяці тому
What a processsss to pull thisss one of
@ryangrogan6839 2 місяці тому
It's so baffling to me that developers decided to beat JS into a bloody pulp until it does what you want it to do, instead of just admitting that we should probably just use a different technology. Now, we have wild exploit chains like this that are possible because we keep adding crap to make HTML do things it was never meant to do. This is what happens when you combine two completely separate and highly open ended technologies together. Of course you can do some really wacky stuff, especially when the combination of the two technologies was not expected, intended, or standardized. But we loved them so much that we forced them together into unholy matrimony. And we just can't get enough. We just have to keep coming up with newer, hotter and wilder ways to get some JS all up in our HTML.
@SianaGearz 2 місяці тому
And on the other side we have C++, which sort of looks like it was developed for the purpose of making complex and robust applications, as were the common frameworks, but which is good for spectacularly dangerous exploits, probably more so than dynamic HTML land.
@ryangrogan6839 2 місяці тому
I still feel that JS vulnerabilities are more worrisome because they are usually due to bad config and build tools/frameworks with bugs. These vulnerabilities would then affect all projects that use them. C++ doesn't become vulnerable until you write or use bad code.
@SianaGearz 2 місяці тому
@@ryangrogan6839 Oh but where there's code, there's bugs, it's inevitable. There's memory safety bugs in every C and C++ framework that you're sitting atop right now, this can be guaranteed. It's not like buggy code necessarily smells, bad code routinely passes reviews and gets examined hundreds of times without something being noticed wrong, because in other possible contexts the same code is correct. My two favourite cases have been both caused by iterator invalidationm, both caused month of hunting because the outcome was wrong logic which wasn't legible in debugger, because at the point of invocation it was "correct", it was just dealing with data that could no longer exist but looked valid, and occasional malloc crashes elsewhere in the program.
@mono_si 2 місяці тому
What are those background videos? The strange geometry is very nice, where can I find them?
@DanielBoctor 2 місяці тому
They actually come from a collection of "Visualising AI" animations from Google DeepMind. They are quite incredible indeed. Here is the source if you want to check it out! deepmind.google/discover/visualising-ai/
@mono_si 2 місяці тому
@@DanielBoctor thanks!
@RandomGeometryDashStuff 2 місяці тому
06:29 is "malicious" separate class because there is space before?
@DanielBoctor 2 місяці тому
Just to be clear, there is only a single class here, "swift-*", as perceived by Teams. What we're doing is piggybacking the ng-init directive onto the swift-* class. The Teams sanitation library, sanitize-html, allows this, as it only sees a single class that conforms to the allow-list. The "ng-init: malicious" is NOT it's own class as perceived by Teams sanitation library sanitize-html, but WILL be recognized by Angular's own parsing engine. To answer your question, no, the space before the malicious expression is not needed. From Angular's perspective, the only thing required is the semicolon, as its RegEx uses a semicolon as a delimiter. In short, the space is not necessary, but the semi colon is. Hopefully this helps!
@MaZe741 2 місяці тому
goddamn regex wildcard made this possible
@Selsato 2 місяці тому
Fucking love regex man. Terrible to write, worse to read. Has the security of swiss cheese. And we just CANNOT help ourselves.
@specy_ 2 місяці тому
@@Selsatolet's use a LALR parser instead!
@solovoypasando 2 місяці тому
Very nicely explained
@DanielBoctor 2 місяці тому
Thanks!
@Shazam999 2 місяці тому
Fairly sure this is how Data got the Borg cube to go to sleep.
@seeibe 2 місяці тому
Thanks for this explanation, from what you've outlined I have to conclude that Microsoft doesn't have any processes in place to ensure their code meets even the most basic security requirements. Both of the exploits used are gross oversights. Makes you really wary of using anything Microsoft for sensitive applications.
@supremebeme 2 місяці тому
incredible video. subbed
@DanielBoctor 2 місяці тому
Thanks!
@TrimeshSZ 2 місяці тому
This just makes me feel that my instinct to never use any desktop JS app was 100% correct.
@laztheripper 2 місяці тому
Yes, because running an app that runs JS in an insolated environment is much more dangerous than a .exe file that has direct and complete access to all win APIs. This is pure regurgitating of popular slogans like "js bad".
@specy_ 2 місяці тому
@@laztheripperexactly, I hear people complain all the time about this stuff, I preach for more low level access (like having a sandboxed file system) to websites installed as webapps (with permissions prompted to the user) and every time I'm answered with "but that's dangerous!!!" Yeah because let's just ignore the fact everyone just downloads random exe files that have complete access to your OS
@TrimeshSZ 2 місяці тому
The problem is that if you want to produce a desktop app that does anything useful then you have to provide access to the underlying system anyway - and that's an issue when dealing with a language that was designed with the underlying assumption that it was running in an ephemeral isolated context where nothing it does actually matters. It's also extremely hard to carry out static analysis on, and has led to the spread of the incredibly dangerous idea that code that passes the tests is "correct". @@laztheripper
@piotrc966 2 місяці тому
@@laztheripper "Yes, because running an app that runs JS in an insolated environment is much more dangerous than a .exe " As you can see - yes. In a native application, you have no way for the displayed text in the control to call scripts. You don't need to sanitize anything.
@wolfeygamedev1688 2 місяці тому
@@laztheripper actually yes, Js bad. You cant XSS a native app that doesnt have scripting…
@i_am_dumb1070 2 місяці тому
How can someone even find such a thing mann 🤯it sounds too difficult...but nice explanation ❤
@DanielBoctor 2 місяці тому
Some of these bug hunters are on another level. Thanks for watching ❤
@RikThePixel 2 місяці тому
I just love how they paid him €150.000 but it would have cost Microsoft multiple millions in legal fees. Not saying that he should have been paid more, but still kinda funny
@alexc4924 2 місяці тому
He could have got at least double that on the dark web
@Matia.s 2 місяці тому
@@alexc4924he could get even more if he sold that exploit to usa or russia
@paramveerdhoot6415 Місяць тому
This guy should have got paid like 10 million. This could have compromised so many people so quickly.
@RikThePixel Місяць тому
@@paramveerdhoot6415I agree, I am don't really agree with my past self here. There is no real price-tag for the safety, privacy and security of millions of people.
@abcdefgh1279 2 місяці тому
I don't understand most of these code lines, but I still enjoy watching this, because of clear graphics explaining what's going on... 😅
@Derekzparty 2 місяці тому
One of my first uses of psexec was remotely opening calculator on a coworker's desktop!
@TibinThomas1993 2 місяці тому
@5:55 the screenshot you are showing is wrong. Its of Angular but not of Angular JS.
@123norway 2 місяці тому
I wish you named your channel «Doctor Boctor»
@DanielBoctor 2 місяці тому
You have no idea how many people call me that irl lol. I might actually change the name of the channel one day.
@ehwiwh7358 2 місяці тому
Hey, love these videos! Can you make one about the RCE exploit that shut down the servers of all Souls games developed by Fromsoftware?
@ehwiwh7358 2 місяці тому
It's super interesting because if the exploit hadn't been reported responsibly, it could have been used on Elden Ring, one of the biggest games of all time, on hundreds of thousands of people simultaneously. It could have been one of the worst exploits in gaming
@ehwiwh7358 2 місяці тому
It did not even require P2P connection, as it exploited the game's servers. Tremwil wrote a great explanation on gitthub
@ehwiwh7358 2 місяці тому
Even players sitting on the main menu were affected! (sorry I had to type the comment like this, YT kept deleting it over and over again. Might need to "sort by new" to see it all)
@CrispyPotatoChip 28 днів тому
The only thing I can think of when electron and discord are together is Pls update electron for Linux
@IllidanS4 2 місяці тому
Perfectly explained and very interesting! The pronunciation of "processes" is quite jarring though.
@GainingDespair 2 місяці тому
"accident" Feds accidentally left multiple bags of cash at an executives office as well
@iakleon Місяць тому
It doesn’t surprise me that teams was the weak link. shortly before the venerability was found, a teams crash corrupted my user data to the point that i had to re install windows
@georgeh6856 2 місяці тому
I wonder why the Teams main process would have unlimited access to system calls. I would think it should run in a more limited mode, i.e. not as administrator. Using one of the examples in the video, I cannot think of any reason why the Teams main process should ever be allowed to shutdown the computer. Restricting the Teams main process to be limited would by no means be a cure-all. However, it would help to limit possible damage when bugs like this are exploited.
@serviteccompletojimenez8995 2 місяці тому
Man it's Microsoft, it's invasive!
@Sammysapphira 2 місяці тому
Idk if you know but every single application can run "system calls". It's how it runs to begin with.
@georgeh6856 2 місяці тому
@@SammysapphiraThere are different privileges. Some of the most basic privileges allow programs to allocate memory or write files. More sensitive privileges allow a program to make changes to the registry or shutdown the computer. So, yes, every program which runs must be allowed to do basic system calls like allocating memory. However, not all system calls are treated the same. Some system calls which can do more destructive things when used improperly are only allowed with the least restricted accounts (like Admin) or groups. That is how security models work. Not all system calls are or should ever be allowed for all programs.
@TinyDeskEngineer 2 місяці тому
Accidentally? That sounds more like a security vulnerability than a backdoor.
@maximumeffort6049 Місяць тому
I have no idea what you are talking about, but it is interesting.
@tacticalassaultanteater9678 2 місяці тому
I would simply not compile chat messages as an Angular template, because the template compiler is designed with trusted input in mind.
@mghemke 2 місяці тому
I'm surprised Microsoft only paid $150K for this bounty. I'm reasonably sure that there are more nefarious folks, maybe on the black web, maybe organized crime, maybe nation states, that would have paid much, much, much more.
@heregundir8292 2 місяці тому
risksssss, attackssss 👀 nice video tho
@HairEEck 2 місяці тому
This video is just perfect
@DanielBoctor 2 місяці тому
you are perfect
@JSDudeca Місяць тому
If electron was built on Deno, could this have been possible?
@derzsidaniel7656 Місяць тому
The multiprocess browser model was invented by Firefox through the e10s project, not Chrome
@MehranGhamaty 2 місяці тому
Perfect example of why I know have a dedicated language for the front-end and the server process is ideal. Why are people making this more complex than needed?
@run00n0 22 дні тому
found this in my watch later, it blows my mind how the xz exploit which affected nobody became headlines over headlines despite never hitting prod/stable distros but windows has a exploit of this scale and not a soul is talking about it
@jonr6680 2 місяці тому
Fascinating and terrifying, but this is 'just' talented humans discovering the exploit... Imagine AI explicitly tasked with taking down any software, any system. THIS is the future, and you can bet there are institutional players in certain countries doing exactly that.
@jondo-vh8tx 2 місяці тому
amazing content
@Dex0z Місяць тому
Lol backdoor was all ready there
@Darkregen9545 2 місяці тому
I never understood the point of microsoft teams and microsoft forcing this program down my throat. I miss the days where we could uninstall and delete anything on our PC, but nah local administration means literally nothing even Super users.
@mnageh-bo1mm 2 місяці тому
but what is a preloaded script ?
@lyschneider 2 місяці тому
It is for communicating from the main process with its renderer processes.
@rayanfernandes2631 2 місяці тому
How in the world one learns about these exploits , the guy is truly a genius hacker 😮
@patrickprafke4894 17 днів тому
If you think for a second that every OS doesn't have back doors to the parent company or the government. Your special.
@YeloPartyHat 2 місяці тому
The price tag attached and knowing now that is one of the highest bounties is sad. I am very surprised how poorly this pays
@mixmashandtinker3266 2 місяці тому
How the blazes does one come up with these vectors!!??
@DummyFace123 19 днів тому
teams: runs on electron, but feels like its running on java
@gustavblomqvist1983 2 місяці тому
Nice video. Sub well earned.
@DanielBoctor 2 місяці тому
thanks!
@Dane-dv1ik 2 місяці тому
These bugs seems deliberate
@Possible1985 2 місяці тому
7:52 "even if nodeIntegration is DISABLED" not enabled
@DanielBoctor 2 місяці тому
AHHHHHHHHH I don't know how I didn't catch this! To be fair, you were the first to mention it out of 100k+ views. Good catch. I updated the pinned comment. Thanks!
@Jone952 Місяць тому
Allowlist?
@SgtStarSlayer 2 місяці тому
Not surprised , Microsoft has been doing this since the earliest iteration of Windows.
@toms7114 2 місяці тому
This is one of the reasons I say you should never use wildcards in any regex in code, and anyone who does or suggests it should be fired immediately.
@chrismoritz6706 2 місяці тому
Using Frameworks is always a risk. Better write independent, but clients don't give you time and money to do so.
@chriss3404 2 місяці тому
Eh, that's a risk too. You might close yourself off to a widespread framework bug, but make an even more common web security blunder. Picking the right tool for the job is important and if a well maintained framework GENUINELY helps you reduce complexity, it can often be a better option. Using a framework for a simple static site though? Something simple? Def go with vanilla web tech, maybe a few libraries for complex tasks, polyfills, and styles.
@assgoblin3981 2 місяці тому
great content
@DanielBoctor 2 місяці тому
love you
@assgoblin3981 2 місяці тому
@@DanielBoctor 👦
13News Now
Переглядів 14 млн
Слідство.Інфо | Розслідування, репортажі, викриття
Переглядів 1,3 млн
Low Level Learning
Переглядів 1,2 млн
Polly Pie
Переглядів 129 тис.
ASMR Detected
Переглядів 77 тис.
Мой Компьютер
Переглядів 83 тис.
Creative Passion 88
Переглядів 818 тис.
LED Screen Factory-EagerLED
Переглядів 3,9 млн