Don't Trust GitHub Download Links
- Published 11 Jun 2024
- Sponsored: Stop data brokers from exposing your personal information. 😤 Go to aura.com/thiojoe to get a 14-day free trial and see how much of yours is being sold.
▼ Time Stamps: ▼
0:00 - Intro
1:05 - Why It's So Tricky
3:23 - An Excellent Thing
4:38 - The Unusual Way It Spreads
5:32 - How the Payload is Hidden
5:54 - What is ByteCode Anyway?
7:28 - Another Example: Python
8:07 - LUA ByteCode
9:07 - Even More Tricks Left
- Science & Technology
Hello
sure
hii
Ok
Aura owns Pango Group. Pango Group owns some shady VPNs. I'd stay away from Aura.
For anyone wondering, the zip file at 0:58 contains a text file named "Why did you download this 💀.txt" and if you open it, it has ASCII art of Big Chungus
nice
It's an Easter egg
big big chungus, big chungus, big chungus!
Luckily ASCII and not ANSI ...with an ANSIBOMB.
5:51 It's not L-U-A, it's not an acronym, it's just called Lua.
like the moon
Just like 'lua', moon... Brazilian language, Portuguese pronunciation, right? At least I know it's from PUC-RJ lol
Ah yes, Lua Uppercase Accident, my favorite language!
As a dev, I'm furious
As a not dev, this is average
As a fed, I am watching through your webcams :)
@@FBIagentObama shiver me timbers
@@FBIagentObama woah, I didn't know you got a new position as an FBI agent!
@@anthgodzmy Shivers has been timbered
Wow, this is a huge oversight by the people who designed this comment-file-upload feature. Not just for the malicious side, but even more for the servers that will have so many files uploaded to them without ever being used or needed
This ^
yeah, just by requiring to upload the comment would make finding who's behind the malware much easier, since you can just find the first comment to contain that link (though obviously burner accounts exist)
@@capsey_ im sure github internally also tracks who uploaded which file (and then can punish the user accordingly) but it does suck that regular people can't see it
My reaction is just pure. . .what the hell. .
What a coincidence, something giving you something to talk about and react to. How does that keep happening!
A couple of things:
1. The random string is a UUID, it's basically an identifier for the image.
2. When you copied the image URL, there was a jwt parameter in it. That's usually used for OAuth, it's probably not a good idea to just share them with the world. But, they do usually expire in like 5-10 min (depending on the server config).
that's what I was going to mention lol
I downloaded software from an official Microsoft URL and now my OS is covered in advertising and trying to trick me into signing up for services that cost money! Oh wait, that's just Windows now. :(
When a customer asks me to scan his PC for malware I tell them I made a find, it's called Windows, and ask if they want me to remove it..
Windows 7: WHATS UP
I'm surprised by this. I don't ever get ads in windows 11
@@UnrealOG137 I wonder if there's a regional aspect to it or something. They're all over it for me, including right in the File Explorer path field, but I have a friend in another country who says he's never seen any either.
@@LeoDavidson Probably the DMA restrictions in the EU
12 MINUTES after this video posted, Github patches their site. I guess yesterday's 'shot across the bow' didn't get their attention! Is Github run by Microsoft or what ?! As soon as I saw this video pop up I said "Oh shit, Github's in trouble!" I can hardly believe they didn't fix it last night.
microsoft bought github a while ago
the feature is old, and mostly everyone who ran GitHub before still runs it now - MS only bought it because they were moving to host all or most of their software in dev there.
lua is not an acronym 🗣🔥
Wdym, you seem like a basic programmer, you probably never coded in r.u.s.t or j.a.v.a or . N.e.t c.o.r.e, i dont think you even coded in p.y.t.h.o.n or j.a.v.a.s.c.r.i.p.t
Yeap. It just means "moon" in Portuguese
@@gschizas so moon animator is actually lua animator????
@@nomadvagabond1263 what does this have to do with the comment
@@gschizas the developers are brazilian
Quite a mistake on GitHub's part to allow anyone to upload any file under any repository, even if they don't have write permissions over it. The URL format should be //files/... where is the user that uploaded the file. This way it's made clear exactly who uploaded the file.
I've noticed that this was possible before, but never thought it would be used to distribute viruses.
The language is called Lua not L-U-A
What am I not going to be able to trust next? everything is malware nowadays:/
Ikr
obviously operating systems are next
As long as a link is sent from a trusted source, it should be valid.
If you are uncertain I think you can post links in virustotal to see if the resulting file is malicious (please correct me if I am wrong)
"Trust no one" as they all say.
@@crankylucifer Not an expert in any capacity, but AFAIK. Yesn't. Yes, virustotal will scan the link, however that does not necessarily mean that the download is safe (that should be scanned separately), especially, in the general case, considering that the website may (or may not) serve different content to virustotal as to you. However I am not sure how it treats download links from stuff like github which will probably (unless they get it to do so somehow...) not try to do such things... Anyway, even then, after you scanned it manually, it might just be a "benign" program which will download the malware afterwards. (speaking from experience). It always comes to what you choose to trust in the end.
Hi, just wanted to say that your content is very high quality, informative and entertaining. Thank you for all your hard work!
Bro i've been non stop watching thiojoe vids i love this
don't tell me you've already spent 2+ hours setting up applocker 😂
@@suhaibanisansari 😅
Hi Joe, thanks so much for the information. Getting back into my PC's after years away and just found your channel. Love your content and appreciate your cadence while explaining tips, tricks, and fixes.👍🏻
A good, heroic, effort to explain bytecode and VMs.
Real interesting information thanks for sharing it. Much appreciated.
I was not aware that the file uploaded will still be there if I don't submit the post in the issue tracker. damn. that is scary stuff. Thanks for mentioning this.
Thank you for your excellent information!
Will “Scan URL with VirusTotal” of that link find suspicious file?
Thanks for the ideas
Enjoyed the bytecode explanation 👍👍
This is the first bug I found out about before the joe made a video about it.
Thank you very much for this video, I’m kinda of a techie guy, I always check everything I’m downloading but I might fall for this one if I hadn’t watched your video
I watched another video on this topic, and I'm pretty sure they fixed it by checking if the file was never used in a github post, and then deletes the files after some time. If it's in a posted post, then it stays up (idk how they do that though).
Bruh, I can't even find the download button there to begin with 😂
Nice job, you fixed it !
Wow thank you Joe
Hi like it when you upload your malware videos
"a language called "L-U-A" lmfao
At 2:50 that super long string contains a JWT, a token, just like a cookie. Which can maybe be used to login into your GitHub account I think. Correct me if I'm wrong
Seems like it, but, usually, they are only valid for like 5-10 min. It depends on their configuration, though.
The second I saw the link at the start I knew EXACTLY what was happening.
2:27 pretty sure that string is just a GUID i assume since images are probably the most popular kind of file uploads this is the safest way of guaranteeing no filename clashes
esp since most ppl would be pasting things in from the clipboard which gives a filename of unknown.png or image0.png or similar
I think the difference is that the files that are actually in the repo do not have the random number in the path prior to the name of the file o: but it is good to always double check things and set browser not to download things automatically :)
Great Video!
wow this is crazy, how hasn’t there been a big uproar about this yet?
Wow, not knowing about this I could have been caught off guard.
2:28 - Not a "random long string", but a UUID, version 4 specifically.
5:50 - Did you just call Lua "L.U.A"...?
How’s that from a “random long string”? I’m curious, because UUID generation seems almost just as random
@shapelessed BOZO UUID 4 is random string by definition. LUA/ L.U.A. who cares it's not like gif and jif.
@@skatcat743 Generate random bytes, parse them to base64 and you've got a random string. UUIDs follow patterns specified by their standard. They aren't entirely random. Take the first character in the 3rd segment and you'll know the version, take the first character of the 4th segment and you'll know the specific variant, "bozo"...
A UUID is actually just a random string - Thio is 100% correct
@@skatcat743 2:18 he called Gif -> Jif lol
it also detects if you're running it in a virtual machine and checks if programs are installed
lol its like that dodgy php site i made back in school where the web server just accepts any file and host it
I think you can even make the repo look like it contains arbitrary files with a URL that specifies a specific commit. As far as I know, everybody can upload commits to your repo. At least that was possible about 5 or 10 years ago. I don't expect that this has changed, but I don't know. I think it was a quite fundamental "limitation" of the architecture from GitHub.
....The way you said lua, its one word
Not sure whether these things used to exist before Microsoft acquired GitHub. It's sad the open-source platform has a hard time these days. I suspect whether bad corporate actors are behind things like these. Thank you for the info, now we know to cross-check any links before downloading anything.
I actually reported one of these links and it got taken down. Later this video came out.
Hi ThioJoe. Have you done a video on Bluetooth security? My employer sends weekly cyber security information. This time it's about Bluetooth vulnerability. I'm specifically interested in how a hacker/scammer can get around pairing to compromise devices
Funniest part is that the gh link auto downloads when clicked
Yo bro, I need help because my computer keeps going into a state of automatic repair and my password's incorrect when I'm sure it's correct, any solutions?
Hi thanks for this video
im also curious if it being from github plays a role in its ability to remain undetected.
some antiviruses have a rep system
I think ive been watching your videos for like 8 years. Young me used to think your prank videos were honest
is gitkraken safe to use to download github folder? .. there was a game addon i needed and was lazy to download each file.. couldn't see a way to get all the folder.. but gitkraken did it.. worried it could inject something into the lua files.. but it's just a game addon could it write or execute anything outside the game.. i looked at most of the files with notepad.. no machine like coding
How awesome those virus videos are. Thank you
5:51, Brazil mentioned
Hi can you make a video on booting ios fully off of a usb on a windows PC. Basically How to live boot ios on pc.
Could you please create a video explaining why FPS drops occur after performing a factory reset on Windows 11?
Why github? WHY?!
I have a trojan and I tried every antivirus, even Bitdefender, I can't delete it and the virus is deleting .exe files
0:29 QWOP sesh while the parents are asleep
that's an absolutely insane oversight, hello???
8:35, First, I've never heard someone reading Lua as L.U.A, it should be read as "loo" "ah" for future reference. Second, that malware is using an old version of Lua, as if it weren't bad enough that it scams people, it's even using old libraries instead of the newest ones (last I checked the latest was v5.3 which for some reason is displayed as lua53 instead of lua5-3 or something).
Now what you said about Java software somehow after I installed a driver on my computer it automatically installed Java software on my laptop so I uninstalled it to make sure it didn't do anything wrong to it but I didn't have any use for it so I just uninstalled it if it was okay to keep the software or not I just don't know what it's used for
Sounds like the best way to avoid this is to just go to the actual github page instead of just trusting the link, right?
Carvertical, Incogni, Airup, Clark, Wise
Flytech, Danoct, Enderman, ZGuardian, Olivers Tech
2:18 - Like this WHAT?! 🤨
sounded like "jif"
The guy who literally created the "GIF" file format said it should be pronounced as "jif". I disagree tho, that's a "giff" to me, dangit!
There can be legit reasons to download cheat programs outside cheating btw! The first thing that comes to mind is making tool assisted speedruns or experimenting with mechanics offline.
Greetings and blessings from Libros Neobiblismo.
a virus in lua... wow, we truly are in the worst timeline
But also flight simulators and children card games
yeah, know that, although very interesting and security concerned
Interesting
How to know if someone unfollowed you on Facebook but still your friends
Hello thio! My laptop just runs 2 cmd windows randomly after i turn it on, is this normal?
And what can i do?
Because I'm in Syria and I don't have access to antivirus programs, and thank you
ok, so if you are able to access youtube, you are able to access any free antivirus software on the web.
also Windows has its own built-in antivirus since Windows Vista.
as for the CMD windows, that can be normal, depending on the Windows install. are you running a work or school account on the laptop? if so, it's normal
Good video.
Yes hello good day is what is in the txt at 10:43
This probably may catch GitHub's and Microsoft's attention.
1:00 big chungus….
You showed your jwt token!!!
It would be so, sooooooooo easy to break that whole thing altogether without killing the feature.
Just upload the damn file when the comment is submitted. If it was a screenshot copied and pasted into the text box, I'm sure you could implement something for the browser to do a temporary .png file and keep it in cache until the button is pressed.
Someone was too lazy to work with the file after the save button pressed! :D
3 ThioJoe vids in one week!? I must be dreaming 😂
Here we go with Redline making a comeback... again.
now explain how my gpu can only run 4k 30fps video but can play 8k video *on a 1080p screen* (rtx 3050)
so, why doesn't github fix this and not allow people to make a url to make it look like it came from a different repo like that ?
bro redeemed himself
Over my head✌
I thought this was fixed, saw Mutahar do a video on it, so I wonder if it wasn't completely fixed still?
Just wait for a youtube video " I stole storage space from github"
Joe? Love Your vids but I can't look at a lot! On a land-line with HORRIBLE SPEED! I notice that YT had changed the closed captioning deal and it's HARDER for me to read. They are using a GRAY on black? How can I get the JERKS at YT to use the old way with WHITE PRINT on a black background? I have enough vision problems with-out this nonsense! ROCK ON DUDE!
*Surprised Face*
Checks repo
Wow, this with the appearance of different Deep Malwares that are next to impossible to detect, really has gone up A LOT in late 2023/2024. Kinda pisses me off.
Cold War type of malware
Found it interesting that you were opening hack files...
Wow. This is crazy lol
Uh oh... No...😢😢😢😢😢
Time to spam discord memes in repos
Lua is not an acronym...
I will continue to trust GitHub links like the No Man's Sky Save Editor that is well known. Or the REFramework for RE Engine powered Games.
as a developer that commonly posts stuff like this I am pretty pissed about this as it is a very useful feature
Sounds like GitHub will hopefully be putting a stop to that. Only files uploaded by the repo maintainers should use a URL like that. Everyone else should use something else.
6:10 machine code _is_ human readable, granted it’s not the easiest thing to read