This is a massive issue in the Hypixel Skyblock community for Minecraft. There are plenty of incentives to link your ingame profile to discord bots which interact with the Hypixel API to provide utilities around your ingame stats, and many people end up misled and thinking the ones which ask for authentication with Microsoft are safe. Accounts are stolen left and right, and I believe the people stealing them are turning right around and selling the profile / ingame items and coins on real world trading sites. Probably often to the same people they stole from, who may then want a quick way to get close to the level of progression they had before they unknowingly gave away their account.
@@Atmatan well, nice of you to volunteer for my team's TargetDummies list, we're always looking for people no-one else would care about to test PoCs on 👍
I like this technique, have been using it for at least 4 or 5 years on engagements This weird coincidence might amuse about 3 people, but just for them: TIL that there was a composer called John Hammond, on account of getting a YT notification about him while watching this..
The first time I ever saw this I thought it was the most re todded things i'd ever seen. Why would anyone EVER give their credentials to a third party website?
In corporate world, bc staff isn’t adequately trained and goes clicking on stuff that looks totally legit. In civilian life, people are promised free stuff. Basically ignorance and greed 😭
While I find these videos fascinating I also always wonder how they're being allowed. I understand it's dual purpose in the sense that people could use this information to know how to avoid these types of attacks, but it's also helping bad actors learn how to do these attacks, and how to avoid being caught as easily. Same as the videos such as 'how easy it is to steal a car'.. and a ton of others long these lines. I often wonder how it weights the scale in terms of more people being helped or more people being victimized.
This is the EXACT reason why these attacks today are so rampant and easy, because you have the mentality that willful ignorance is somehow a security feature, when in reality it's causing billions of dollars of damage to innocent people because nobody will teach them how to defend themselves or identify threats. Do we ban people from learning Brazilian Jiu Jitsu, Taekwondo, or self defense in general? No, we encourage it and need people to learn how to fight, so that they can DEFEND themselves from others who would love to take advantage of the ignorance being willfully imposed onto their victims. Look, I hope you can take this comment for what it's worth and recognize that teaching people how hacking and cyber security works would exponentially increase the safety of hundreds of millions of people who normally never would've stood a chance because people want to gatekeep knowledge, because that's exactly what that is. None of these attack vectors we saw in the video would be of much concern if people actually knew how this stuff worked. Then they could be PROACTIVE and not REACTIVE. PROACTIVE defense is the safest and most effective means of protecting yourself and others; being SMART.
I wonder, can admins prevent users accepting certain permissions, f.ex CRUD on email sounds really dangerous, why not have a whitelist for app ids that are even permitted at all?
I'm still a member of the developer program and have had no notification that it will end... Also, I guess you meant to choose the account type that includes personal accounts :P
As far as I know, existing accounts will continue to operate (like mine or yours) but I don't believe it is freely available to new users now-- unless things have changed since. o365reports.com/2024/03/14/creating-a-free-microsoft-365-e5-developer-tenant-is-no-longer-possible/
It does not. OAuth is specifically meant to gather consent from a signed-in user (with CA) to act on their behalf. The Access can also be revoked again and the Admin can require Administrator Approval for unknown/new Apps to be able to grant access.
There is a vuln in andriod bio metrics. Im on oreo or jellybean maybe and Have guest account and now i need biometrics to sign into my second account and not the primary. The google accounts aren't linked either.
Why you only calling out threat actors with this? I'm getting sick of Google tracking me all over the net: they force me to sign in to a reddit account that I never even signed up for every time I even remotely visit reddit in my searches. I can't delete the account, I can't unlink it, and it logs back in on its own every single time. The only solution is to just not use Google, which, would love to, but then I wouldn't have a phone.
How is that an attack? You literally just created an app and registered it, that's all. All you showed is that leaving a M365 tenant non-configured is a bad idea. Because it allows users to arbitrarily register apps. But, that's easy to rectify, just follow MS recommendations. They are right there in the Entra panel. This looks to me like InfoSec making an issue out of a nothing burger and congratulating themselves for it.
This is a massive issue in the Hypixel Skyblock community for Minecraft. There are plenty of incentives to link your ingame profile to discord bots which interact with the Hypixel API to provide utilities around your ingame stats, and many people end up misled and thinking the ones which ask for authentication with Microsoft are safe. Accounts are stolen left and right, and I believe the people stealing them are turning right around and selling the profile / ingame items and coins on real world trading sites. Probably often to the same people they stole from, who may then want a quick way to get close to the level of progression they had before they unknowingly gave away their account.
Sorry, whale blubber is tasty and I have no empathy here.
@@Atmatan well, nice of you to volunteer for my team's TargetDummies list, we're always looking for people no-one else would care about to test PoCs on 👍
you might be interested in the recent Darknet Diary episode about the Roblox player > Roblox stealer > cryptothief life cycle. Wild episode.
Paying for a Minecraft account is one of the saddest things ive seen in awhile
@@ultravioletiris6241true.
That tool was written by me :)
I like when people leave in mistakes/issues/errors while using these tools. We can learn, troubleshoot, or prevent them. Thanks
Funny enough, today I ran ping castle on our tenant and saw the option that every user could grant permission to any app 😂😂
I like this technique, have been using it for at least 4 or 5 years on engagements
This weird coincidence might amuse about 3 people, but just for them:
TIL that there was a composer called John Hammond, on account of getting a YT notification about him while watching this..
Seen this used as a persistence mechanism for an already compromised account, not really for initial compromise
Another fun video as always with all the debugging :D
The editing is wild on this one 🙈
What did I do? :|
@@nordgaren2358 it looks like it plays two takes of him turning his list into a string list at around 14:30
@@cat47Ah, crap, yea. Sometimes it can be hard to edit those out. You'll see why at the end of the year. Haha 😅
@nordgaren2358 what's happening at the end of the year?
@@lsik231l you'll just have to keep watching to find out. :)
My comment about getting back at some bad actors has been hidden. Hopefully John has read it, as it would make a good video.
That's excactly why the first thing you do on any tenant is to block user only consent.
requirements file should be a mandatory these days, makes me mad when people doesn't do things properly.
The first time I ever saw this I thought it was the most re todded things i'd ever seen. Why would anyone EVER give their credentials to a third party website?
Same here. That's a terrible idea.
In corporate world, bc staff isn’t adequately trained and goes clicking on stuff that looks totally legit.
In civilian life, people are promised free stuff.
Basically ignorance and greed 😭
The trick here is they aren't giving their credentials to a third party site. The site that prompts for the credentials is Microsoft's
consent for my organisation... just never click that and your good
that was pretty sweet -- I like getting token via HAR files though -- this approach is really interesting!!!
While I find these videos fascinating I also always wonder how they're being allowed. I understand it's dual purpose in the sense that people could use this information to know how to avoid these types of attacks, but it's also helping bad actors learn how to do these attacks, and how to avoid being caught as easily. Same as the videos such as 'how easy it is to steal a car'.. and a ton of others long these lines. I often wonder how it weights the scale in terms of more people being helped or more people being victimized.
This is the EXACT reason why these attacks today are so rampant and easy, because you have the mentality that willful ignorance is somehow a security feature, when in reality it's causing billions of dollars of damage to innocent people because nobody will teach them how to defend themselves or identify threats. Do we ban people from learning Brazilian Jiu Jitsu, Taekwondo, or self defense in general? No, we encourage it and need people to learn how to fight, so that they can DEFEND themselves from others who would love to take advantage of the ignorance being willfully imposed onto their victims. Look, I hope you can take this comment for what it's worth and recognize that teaching people how hacking and cyber security works would exponentially increase the safety of hundreds of millions of people who normally never would've stood a chance because people want to gatekeep knowledge, because that's exactly what that is. None of these attack vectors we saw in the video would be of much concern if people actually knew how this stuff worked. Then they could be PROACTIVE and not REACTIVE. PROACTIVE defense is the safest and most effective means of protecting yourself and others; being SMART.
I wonder, can admins prevent users accepting certain permissions, f.ex CRUD on email sounds really dangerous, why not have a whitelist for app ids that are even permitted at all?
What sane person would approve that kind of app permission request, that's insane to me.
I'm still a member of the developer program and have had no notification that it will end... Also, I guess you meant to choose the account type that includes personal accounts :P
As far as I know, existing accounts will continue to operate (like mine or yours) but I don't believe it is freely available to new users now-- unless things have changed since. o365reports.com/2024/03/14/creating-a-free-microsoft-365-e5-developer-tenant-is-no-longer-possible/
@@_JohnHammond Hmm, good to know. Also, great video. So many people misunderstand the intentions of OAuth/OpenID :)
Thanks for your all informative videos
Bro is learning
H E L L NO.
your mic was quiet in this video
Thank you for sharing this
365 developer program has not not gone to the wayside
Best time❤
Should’t Conditional Access prevent that attack ?
I don’t think so, the user gets tricked to sign in from their own location and IP-adres, from their usual device.
It does not. OAuth is specifically meant to gather consent from a signed-in user (with CA) to act on their behalf. The Access can also be revoked again and the Admin can require Administrator Approval for unknown/new Apps to be able to grant access.
There is a vuln in andriod bio metrics. Im on oreo or jellybean maybe and Have guest account and now i need biometrics to sign into my second account and not the primary. The google accounts aren't linked either.
YOOO, So this is really common for Hypixel Skyblock on Mincecraft
Hello John
Do You Know This Channel "george hotz archive"?
Can You Do A Video Like Him?
Try for real this time....
😅
Persistence is the key lol
Why you only calling out threat actors with this?
I'm getting sick of Google tracking me all over the net: they force me to sign in to a reddit account that I never even signed up for every time I even remotely visit reddit in my searches. I can't delete the account, I can't unlink it, and it logs back in on its own every single time.
The only solution is to just not use Google, which, would love to, but then I wouldn't have a phone.
Do you have access to your cookies?.. Desktop user. made this mistake and had to delete a few to stop this
What a vidéo ! Thank you
"tenant" lol
How is that an attack? You literally just created an app and registered it, that's all.
All you showed is that leaving a M365 tenant non-configured is a bad idea. Because it allows users to arbitrarily register apps.
But, that's easy to rectify, just follow MS recommendations. They are right there in the Entra panel.
This looks to me like InfoSec making an issue out of a nothing burger and congratulating themselves for it.
@19:12 why is the code “redirect_uri” for url? Is the forging of an l to an i necessary?
uri and url are different things
URLs are a specific type of URI. URIs cover a broader range of identifiers, including URLs and URNs. Both URLs and URIs identify resources.
Heyz John ❤
bros on hypixel skyblock hacking again
so cool. That's why I'm building a "verified Sender" startup :)
Zaddy
AYO?!
😅
And FBI COMING YOU HACKER 😅
"We could one-a-cup", sounded kinda of weird, seemed as an invitation to play 2 girls, one cup
"play"? You must not know what 2g1c even is.... So lucky.
Why would you bring that up anywhere!?!?!?
Hi
Need collab with Loi Liang Yang bro
he changed after cnn
Nocebo
first! :D
first
You mean third?
@@Mininukefromfallout this is disinformation
@@Mininukefromfallout this is disinformation