Watch how this is going to become a year-long series into fuzzing webp, just like the sudo exploit.
this video's url contains no lowercase letters
you guys really made this the top comment huh?
What in the fu--
Maybe they're running out of namespace lol
@@joshuatatum8519 I assure you they are not
@@joshuatatum8519 Go see the tomscott video on the topic
With some quick mafs (((64-26)/64)^11), we get a probability of around 0.323%.
Your analysis is very accurate, and your assumptions logical and fair. Great video!
I, however, have a hard time believing that - in such a niche space - there is no overlap between open-source contributors and for-profit "security" companies' researchers.
Supply chain attacks have become so common, my spider sense "tingled" when I saw that commit with an unassuming title, a huge list of changes and no mention of the table size change. This really looks like an attempt to cover a mistake, or a previously opened backdoor.
Making baseless assumptions is never good in security. You don't mention at all if you checked the code before the update, whether or not it contained anything exploitable or anything else pointing towards the existence of a backdoor. You simply assume as much and leave it at that. The tingling you have is just the spiky top of the Dunning-Kruger curve. Or if you actually know something more about this, you hide it very well, which I cannot see any point in doing because it just makes you sound like a run-of-the-mill tin foil hatter.
@@anteshell I don't understand how you can hate from outside the club; you can't even get in!
@@fizzlefritz9782 That sounds like a roundabout way to ask advice on hating. I'm sorry but I can't help you. I'm old enough not to go clubbing anymore and never was a hating type, so I wouldn't know how to advise you.
@@fizzlefritz9782 All he is saying is that it's not as simple... While supply chain attacks are a thing of course, the fact that the code is open source also makes it very easy for security researchers to find your backdoor (if you were an "evil" adversary implementing it). So I personally don't think they are practical in the long run (just look up the liblzma attack CVE-2024-3094).
If there is a way to exploit the bug... sure, by all means get out the pitchforks. But you have yet to prove that point. And also we must remember that BLASTPASS is not simply a single exploit that will simply let you install malware on iOS. It is in fact an exploit chain which requires multiple bugs within various components which couldn't all have possibly been introduced by a supply chain attack.
I think the people behind such vulnerabilities just take the time to study these formats and/or systems in depth and know them better than most developers that just use them. They may even have contributed to such projects at some point, but to say that there are people everywhere infiltrating repos has yet to be proven by more than just some "weird commits".
@@anteshell The weakest link in security is always people. Assuming everyone is honest would be more dangerous than showing skepticism. You don't need to put a full reverse SSH shell in the code to open a door. You're welcome to challenge my point but please do so with less arrogance.
These types of videos are fun. Would also like to see more fuzzing content
Good to see you after a long time!
Excited for more great content on hextree. All the best!
The commit you found could be squashed, that is, many commits merged into one. He might have possibly found this because MSVC complained about some kind of out-of-bound access or something
Does that mean that there is a chance to find the PR to that commit and then maybe unearth the unsquashed commit chain in another branch/repo?
@@t0rg3 I found the original PR, but unfortunately it leads to a dead end. The original branch was deleted. It seems like the committer worked at Google at the time. It's PR 118 on the google/brunsli repository
6:30 Valley nerds try not to build a LISP for 1 hour challenge (impossible)
The URL of this video is the best thing in the world!
This video made me realise why I'm bad at VR :D So much to learn and so little time.
Bro it's so weird, as someone completely removed from coding or cyber security in general, just a random idiot, you keep me so fixated on this stuff. Really love to see more from you on just about anything
consistent with my overall assessment but insightful... and just remember, kids, you are ALREADY pwned
We’re so back
Yes, I did miss you. I will check it out.
The Return of the King
hey ur back :D
I fully admired your talk 🙃
This is why I love this channel❤
nice, you are smart. I salute the first researcher, he might be laughing 🤣. Please make a video on how to use AFL to find the vulnerability, thanks.
Will be great if this libwebp series turned like sudo vulnerability series, from fuzzing to full working exploit.
that’s just a theory, a hacking theory
He has a concept of a vulnerability.
Aaaand cut
really missed your videos
I love how you explain complex vulnerabilities even if 50% of the time I don't get it😅
Awesome video as always
Hey liveoverflow, can you make a video on hunting for CVEs, your methodology and ideas?
amazing one as usual, thanks for sharing
Finally you have started ironing your shirt after the Google sponsorship ...
waited so long for this one
Wow
the moment of searching for same code in other projects felt like "eureka!"
After seeing Linus' friends hacking his phone, it is scary how much stuff can be hacked.
Yeah, though that attack and the exploit discussed in this video don't have much in common besides both involving a phone
SS7 exploits have been in the news and forums on and off for the last couple of years. Last time I had seen them in the wild was in 2018-19
very interesting video
Nice, hope you'll start your hacked Minecraft series again xD
Very cool
BlastDoor
Now THAT is a cool fucking name for a library
ur back!!
Bro he’s back 🗣️🔥
Big Brain🔥
Love your new glasses! What are they called?
And remember guys. That's just a theory. A VULNERABILITY THEORY
He has a concept of a vulnerability.
Finally! My man got his password back
YESSS
Push!
7:09 *Samuel not saelo
Saelo is your friend.
Finally you're back
A. Tornhill nods.
Why is project zero so concerned with ios and not solely android/Google projects?
Mostly cause Project Zero was/is less like an arm of Google's security engineering and more like a passion project that was a result of Google's massive counter-surveillance movement after the events of Heartbleed and Edward Snowden. It was more about researching and responsibly disclosing zero days in any and all public facing software than it was about Google protecting/improving their own. Many of the vulns they have discovered range widely from Safari, to Windows 8, to CPUs, to RAM, to Cloudflare, to Apple. Their specialty is not just discovering these zero days but writing about how they could be actively exploited to impact anyone and everyone. It also doesn't hurt that one of their earliest members was geohot... Famous for his iOS jailbreaks.
Apple pays better for exploits. Android is OSS as well.
They say they want the whole Internet to be secure.
i mean if you look at their blog they're concerned about all types of internet application; the iOS one gets more attention probably because there's not enough source code online and the exploitation method requires one to research the internals on their own, while android/linux/google based projects are open source so the community can contribute and have different approaches for fuzzing/exploitation cmiiw
Since my original comment got deleted for some unknown reason...
Project Zero was started as part of Google's huge counter-surveillance movement after the Heartbleed and Edward Snowden leaks. It was less about Google's product security and more about exposing the dangers of the Zero Day market and improving public awareness of how a zero day could be exploited to compromise their sensitive information. Their specialty is in not only discovering but also publicizing the vulns and exploits.
Just in time for xmas
Is a zero-click SMS buffer overflow hack possible on Android?
i message ❤
I feel like I saw this 1 year ago
😀
If it ain't broke, FIX IT!
Liveoverflow is alive! Heart, Pin, First!
Watching you for 4 years
6:30 (display "LISP MENTIONED!!~%")
video consistently crashes the player after 19 seconds
oooo
not first its cringe
Early 🎉
why don't they report the vulnerability to Apple? don't they have a bug bounty program
apple's bug bounty program payouts are tiny in comparison to the actual value of these exploits.
Organizations want the vulnerabilities to do bad things. They don’t want the vulnerabilities reported.
@@Tjkrusinski spy agencies*
If you find such a zero day, you could either report to apple, and get pennies, or sell it to some govt-funded security firm, such that they can "deal with" some of their enemies.
Here's a discovery path: Vulnerabilities are put into software like this on purpose to be sold to the highest bidder for a few years, by the developers themselves.
first
First!
Let’s make the video as long as possible with filler and bluff. Could’ve been answered in a minute or 2. Not 15
Could be answered in 0 seconds if you knew already everything
@@LiveOverflow it's rewarding comments like that one which keep you coming back to post free content so regularly isn't it! Oh, wait...
Bro fell off 93 views in 2 mins
93/2min = 46.5/1min
2790/1hour
66960/1day
still more than you would ever get.
@@siomek101 actual estimate, you're right
_ACCK0AUQ8Q wow no lowercase