Telegram Has Been Hacked
HTML-код
- Опубликовано: 19 авг 2024
- Learn Cybersecurity - Name Your Price Training with John Hammond: nameyourpricet...
📧JOIN MY NEWSLETTER ➡ jh.live/email
🙏SUPPORT THE CHANNEL ➡ jh.live/patreon
🤝 SPONSOR THE CHANNEL ➡ jh.live/sponsor
🌎FOLLOW ME EVERYWHERE ➡ jh.live/twitter ↔ jh.live/linkedin ↔ jh.live/discord ↔ jh.live/instagram ↔ jh.live/tiktok
💥 SEND ME MALWARE ➡ jh.live/malware
🔥RUclips ALGORITHM ➡ Like, Comment, & Subscribe!
Yes please. I would love a video that does a deep dive on the *Metaspyclub* project
Metaspyclub gang in the house! Thanks for the analysis!
Metaspyclub anticipation is building to a fever pitch! 😥
I'm not afraid of a calculator! Bring it on!
Everybody gangsta till the calculator app starts to ask permissions for camera, microphone and location 💀
💀
Oh it will be problems! Count on it!
At 8:14 that evil laughter Muaahhh!! lol
@@yukiplaysFr**salutes to the therian**
Ma'am how can I help you ma'am
RCE after RCE, I hope kids wont have to learn about the year of the vulnerabilities, 2024, in the future
Thy Digital Apocalypse is drawing nearer by the day
This is literally cybersecurity history.
No it will be certainly eclipsed by the number of them in 2025
I wonder whether the whole AI hype will make even more RCEs show up. Either by improving exploit code or by reducing code quality in the attacked app because people trust AI code without questioning it.
@@SLZeroArrow seriously. I dedicated my whole life to computers and now they looking like they wanna kill us (ai). Ai is phuggin everything up. Its kinda scary tbh
TL;DR
The exploit disguises as a fake video that when played executes python code, requires python to be installed for it to work.
saved me about 10 mins bro ty
Me, an it student, got "hacked" like that...🤣
too much rce exploits bro 💀💀💀💀💀💀💀
What are others?
Xz utils, rust, palo alto
@@amaankhan8436 Palo alto?? My company uses that lul
@@sunbleachedangel there was a rust rce CVE-2024-24576, aint that effective though
Rust already released a patch its java that said they ain't fixing it. Tbf .bat codes running aren't used anywhere so who really cares
I just got a SNYK sponsored ad by John Hammond before his own video
Fr
I did too
It's rigged!1!1!1!1!1
Saaame
Wait ... we can hack those spammers that are sending us the messages to text them?
Bet the three later agencies are punching air rn. All their exploits getting found.
While reading your comment. lol
You think every exploit exists because of "three later agencies"? 😂
@@MrCobaltgiven the past of their involvement with 0days, I wouldn’t be surprised if they were aware of maybe 1 of the RCE vulnerabilities discovered this year
@@MrCobalt theres no way this was an unintended oversight
They should have a list of trusted extensions instead of a list of untrusted ones.
Very bad idea
@@zeteyawhy?
@@rafayahmed6259 Many reasons, one being a good extension can turn bad one day, but an extension that was bad to begin with will never turn good.
They have that so they can warn you, and it's much easier to read in the code, because you alreayd have the list of untrusted ext. You will not be confused if you missed some unt ext.
The scrum meeting: "Yeah, an approve list is too short, let's write out every single extension that could execute code instead of just choosing some image and video formats that we support."
A whitelist can get annoying tbh.
@@user-hp2dr5qc8p Ah yeah, you're right, much more annoying than a 0 day. Also a blacklist had to have been annoying from the very start.
I'm glad that I migrated to Debian + KDE two months ago. I still have my Windows on my drive, but never want to boot it anymore.
The KDE environment in Linux is just much better than Windows.
who asked?
Welcome to the family.🐧
@@HyBlock the implication was that I'm not affected by windows RCE anymore.
I've tried making Ubuntu and Linux mint my daily driver many times. Can't do it.
But for home labbing and running servers it's perfect.
it's just so much more superior, once you try it you never go back lol
This one RCE was indeed fun to use, gotta find more ;)
hello vro
im gonna touch u vro ♥
This just shows how blacklist are ineffective as a security tool
The fuzzing begins ❤
LPL has entered the chat, fuzzing locks are fun. hehe
@@BillAnt...we're getting an SQL injection on three, oh it's binding. A little malware on four, and we're set. Going back to three, gained root access to run our query, annd now we're in.
@@AuxiliaryPanther lol that took like 30 seconds.... not a very secure lock. :D
“It is not by default installed”
**laughs in Linux**
Having a whitelist instead of a blacklist would prob. be more secure and reliable. Basic security not?
I was thinking the same
@@tablettablete186 governed by implicit deny. Also agree.
nah, its not think again
depends on size
Oof, this is why blacklists can be problematic, with a whitelist they would not have had this problem.
Except perhaps for the problem of naming this list as "white" 😁
@@BaggerPROblock allow lists?
@@joshallen128 , Yeah, it looks like it's fashionable to call these lists that way now :)
A block list is usually shorter than a white list, but it's just a matter of decision.
@@BillAnt Deny list because block sounds like black with an accent
Hate the red border on the thumbnails, I assume I've already watched and scroll past half the time
3:55 Not me watching the John Hammond video and getting an ad with John Hammond in it. Some may say it's a 2 for 1.
Taking it up the a** without lube. lol
I find it very bizarre that you can execute a file in the first place. That seems like a bad idea in many ways.
How do you suggest to open a .txt file?
@@user-hp2dr5qc8p .txt file should be read, not executed.
calculator opens in my nightmares.
Who's idea it was to hardcode bunch of files there. They'll just keep updating it every timea new file type that can execute code comes? Sounds like horrible idea.
The red bars in the thumbnail made me think I already watched this video.
Right, I thought so too!
Surely some communities would have a very high hit rate for python being installed on a windows machine right?
Yup. All data science and AI nerds.
Anybody even slightly interested in programming has a decent chance of having it installed on their computer. I refuse to believe less than 0.01% of users were affected.
@@Bromon655a) is the 6th most downloaded app - is your grandma programming?
b) die this you must use it on your PC. how many people just have it on their phone?
They are identifying files by extension. Nice.
every vulnerability whether or not its trivial, can and will be leveraged
"Google Photos would like to make Phone calls"
Requires Python to be installed in the local path as a global environment variable.
it requires the file extension to be registered to the python interpreter, not anything to do with environment variables
Такое чувство, что на безопасность всем насрать, только ты можешь себя обезопасить, не кликая на всякое говно
Если человек наивный, то его никакая защита не спасет) Однажды мой знакомый запустил подозрительный tampermonkey скрипт в дискорде, говорит "2FA стоит же, чего бояться?". В конечном итоге украли его токен и смогли получить доступ к аккаунту.
I like cats. Btw we can all be farmers. No tech no rce problems 😎
Part of whyI never share diagnostic data with devs.
It’s so nosey now
Why do they blacklist file types they believe are unsafe. They should be whitelisting filetypes that are safe. If some new software comes along that belongs in the unsafe catagory they have to know about the related filetype and then add it to the blacklist...
whitelist would take too long.
@@wafinashwan8242got any quote from a developer?
"Reimplemeent file open confirmations" has a noWarning list, so I think that's done now.
@@wafinashwan8242how so?
@@wafinashwan8242 how come
the title of the video is not that nice because i thought it would be a vulnerability that accurs right now.
anyways.
Thanks for sharing.
3:28 lol. They backed themselves into a corner with that statement.
They might have been logging something like "There is no any program to open this file-type/mime-type" perhaps? Or they just RCE'd to everyone... Who knows?
@@allxrise I’m more inclined to believe they were just fabricating a number as an attempt at damage control
Tis the season to find folly, tra la la la la, la la la lol
Me as python developer and windows user💀
Wow good job I want more info ❤
Thanks for the news!
Hello john . I am a big fan of your content can you make a roadmaps for us form when need to start 😅❤
Good, they banned my account for no reason.
Oooff... thank you John... cant believe im one of those 0.01% .. slackin
Thanks John you explained that very well
This is super sensationalised, I hate this form of clickbait content
gets attention, wasn't even searching for any exploiting related content but got this recommended
Meh, this channel isn't nearly as guilty of sensationalized clickbait as other channels. I felt the discussion in this video was pretty straightforward and no-nonsense.
Propose a title for this video.
I think the problem is Windows. It runs everything too fast without permission.
I've never liked the idea of "allow" and "deny" list... just deny all and allow the user to specify.
You should watch Telegrams owners interview with Tucker Carlson. They have like 30 employees and have never spent a dime on advertising. 😂
Why are you laughing though?
Interesting shiz John. Liked and subbed, stay safe
Bad stuff for many. One of the reasons I always tell people to NOT use this medium.
Hey how can i get an xss is account? i tried and always the same when i create an account "Your account has been declined."
With a bit of social engineering this could have been pretty terrible
1:48 macOS has it installed by default, last I checked at least
Does mac have a similar concept of file extension associations as on windows, so a pyzw file will open with python by default?
Not anymore, used to have Python 2.x
Everybody be acting gangsta until calculator auto launches
How is this RCE? It's just running the code that someone sent to you. There's no difference between that and opening an exe.
Nice Video!
This is why you should use whitelists instead of blacklists.
What email do you need to sign up for flare I can’t sign up
I got an ad from you on this video
Amo tus videos
Hey, nice video, but just one thing. Your audio and video dosent seem to be perfectly in sync and its getting on my nerves
Haha so specific but I would've been at risk
But, isn't pyzw supposed to be a zip-archive? That contains a __main__.py? I'm actually surprised this runs at all.
A lot of noodles will be leaked for sure.
i better uninstall python on my machineto prevent such kinds, since i have wsl2 i dont need it in win
oh no.. now i feel so dirty i cant wash it off
How do u register for that forum?
Great Content ...
You can add an extra dot at the end. Windows -> Run -> 'calc.exe.' -> Enter opens calc. Does that work to bypass.
tf is going on .. rce 💀
"Certified rce moment" 💀
bro, youtube just showed me your ad, on your own video. theyre wasting your ad money
But was it a typo :D
I have Python installed on Windows computer... It helps with learning Python programming, idk why people are so against it.
Yea, not sure why he made it seem like something extremely unusual. I think most people that do any kind of programming and use Windows will have python installed.
Why would you learn python if you could not use it? :D
@@Slada1 wdym not use it? You can use it to create various programs.
yeah but it updates every hour so it's chill
this is such an interesting rce tho... lol
2024 is on fire with RCEs🤞🏾
All the old programmers have retired and the new generation are having to re-learn everything it seems.
what is "flair"
Music to my ears
can you stop using the word "stupid" so frequently and often?
Sometimes you guys are very clever with tech but not so clever with people…
This was surely done by purpose. Believe me not.
There is always a way in😉
I edited my comment so no one knows what I said!
I got a SYNK ad with John right before the video and was confused why there was a skip button 😂
python on windows, not that unnatural
Please sir all my devices is hacked my phone my laptop what can i do for this problem there is someone above me every step i make on my laptop or my phone knock the roof like if there know everything im doing .
THANK YOU FOR HELP 🚨🆘
Code please
It sounds like a group of cowboys. No unit testing. No code reviews. Obviously. A simple typo like that should NEVER get to production in an org with a healthy product lifecycle. The fact that they came from mobile development says a lot. Phones are very locked down gardens. Your PC - not so much. Regardless, this was a simple rookie mistake that should have been caught long before it ever went to production. The fact that they have a lackadaisical attitude about it tells you a lot - they are egotistic and can't accept improvement. In my 30 years in this industry I have seen it all.
"Windows that has python installed" you claim is extremely odd.
That... Is an extremely odd statement.
isnt that note more like a trojan horse than a RCE
👍Nice.
echo y | format c:
Yeah uae does not like private messaging.
😅😅
@@rafayahmed6259 Do you know uae connection with then twitter ? Or the documentary about state hackers of usa training uae agents.
That documentary is so interesting
Anf i thought wiiu wansthe only thing that has rce 😂
Less then 0.01%.... yeah idk why im having a hard time believing that 😂 its not that uncommon to have Python installed on ur system
Good thing I run it in a vm on a vps
vm escape + pyzw = your vps gets owned
how do RCEs still exist in 2024 bro 😭😭😭😭😭
They are found in everything
ironic how you mention x as x has same fkin vulns as t look into clicking vid links on x on some accounts it will open up links and do stuff etc!
Can you provide examples of that?
Some bots post links that have a picture that looks like a video as the thumbnail of the preview card. It's very hard to explain
@@user-qbxjwxumr i mean like, i want a link
@@Sinstyson There's really no documentation for it; you just have to see it for yourself. It's a link preview that tricks you into thinking it's a playable video with a thumbnail designed to deceive. With closer inspection, it displays the site title, link, and description below the thumbnail. It's easy to be fooled by this if you're not tech-savvy or have poor vision. Mainly this is used by adult content bots to lure people to their websites. It's not a security vulnerability, but rather a case of OP being oblivious no offense
@@user-qbxjwxumr lol, adult content sites and poor vision. I guess they go hand-in-hand. 😄
I GOT AN AD ON THIS GUYS VIDEO, OF LITTERALLY THE SAME MAN?? TALKING ABOUT CFT?? it just fucked me up for a second
Same