hey Eric, I remember there was a website that, once you went on it, would log you out of everything you were logged into in your browser, but if you ran it in a private window nothing happened. Remember which website it was?
I'd like to see you test the code execution on Linux theory, both with distros that use AppArmor/SELinux (which are most of them), and the very few distros that don't, like Arch.
Oh yeah, that would be great. Btw, in case Eric is seeing this: I would strongly advise you to watch TheMisterEpic's 2 videos on the subject, he talks a lot about TLauncher
TLauncher is potentially unsafe because it was stolen from the original creators. The OG creators made TLegacy or something. I'm not sure if it's safe, so check that info anyway
There was a vulnerability in Safari's WebKit back in iOS 10 which allowed for arbitrary kernel-level code execution, which allowed for jailbreaks like TNS (Totally not Spyware), which you could use with a simple flick of a slider in its webpage.
The most typical hack most would get from visiting sketchy websites would be cookie sniffing/stuffing, where they would take your browser sessions and cookies from accessing the site. It's similar to how LMG got their credentials stolen
Dumb question about linux, is that why it's always recommended you never give root access to users? Also wouldn't that basically stop any attack (unless you're extremely unlucky and just used a sudo command before getting attacked)?
Not really, the main reason not to give root access to users is so that commands run as the user cannot damage the system (either due to user error or malware/bugs). However, if the JS in the browser gets access to do anything your user can do, they could for example upload all your private documents somewhere, as most people are not going to have those in a root-access folder. Likewise it would be possible to delete those documents. In short, root is about protecting the system but will not do anything to stop programs from accessing your private data. If you need data protection, your options are to use a separate user for accessing that data (note: anyone with root access can still get to it), encrypt the data and only decrypt when needed (note: storing the encryption password in a plaintext file is like storing your house key under the doormat, so be careful where you keep it), or avoid storing the data on the system at all, for example by putting it on a (potentially encrypted) flash drive or something. If at a certain point in time you can read some data, that means that any program run by you can in theory read it too.
Actually, on Linux you technically don't have any user other than root with root access, contrary to the Administrator accounts on Windows; instead, you have a group (let's say "sudoers") and a program (let's say "sudo") that runs as root no matter who starts it via the "setuid bit" in its executable's permissions, and checks sudoers to see if you are in that group before exec-ing the other program you told it to as root, hence implementing something like admin accounts. The key part of sudo's operation is the setuid bit, and the fact that it's owned by root (setuid means always run as the owner); other things that also have setuid on include networking facilities, in fact, hence it's a matter of whether those have a security vulnerability that can be triggered by the browser, given that the browser itself allows it to go through. However, in practice this isn't as feasible as it sounds.
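Checking which files on a box carry the setuid bit the comment above describes, as an added example (not from the video or any commenter): it walks a directory, flags setuid files owned by root, and diffs the result against a saved baseline. make_demo_tree() builds a constructed sample tree owned by the current user so it runs offline; on a real system you would point audit_setuid() at /usr/bin or / with the default owner_uid=0.

```python
"""Audit setuid binaries: a setuid file always runs as its owner, so a
setuid file owned by uid 0 runs as root no matter who launches it."""
import os
import stat
import tempfile


def describe_setuid(path):
    """Return a dict for one file: whether setuid is set and who it runs as."""
    st = os.lstat(path)          # lstat: do not follow symlinks
    mode = st.st_mode
    return {
        "path": path,
        "regular_file": stat.S_ISREG(mode),
        "setuid": bool(mode & stat.S_ISUID),
        "setgid": bool(mode & stat.S_ISGID),
        "owner_uid": st.st_uid,
        # setuid means "run as the owner"; owner uid 0 means "run as root"
        "runs_as_root": bool(mode & stat.S_ISUID) and st.st_uid == 0,
        "mode": stat.filemode(mode),   # e.g. "-rwsr-xr-x" like ls -l shows
    }


def audit_setuid(root_dir, owner_uid=0):
    """Walk root_dir and return sorted paths of regular files that carry the
    setuid bit and are owned by owner_uid (0 = root, the interesting case).
    Symlinks are not followed, so a link to a setuid binary elsewhere is not
    counted and the walk cannot be pulled outside root_dir."""
    found = []
    for dirpath, _dirnames, filenames in os.walk(root_dir, followlinks=False):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                info = describe_setuid(path)
            except OSError:
                continue  # vanished or unreadable: skip, do not abort the audit
            if info["regular_file"] and info["setuid"] and info["owner_uid"] == owner_uid:
                found.append(path)
    return sorted(found)


def new_since_baseline(current, baseline):
    """Setuid files present now that were not in a previously saved list.
    A new setuid binary appearing is what an admin wants to be alerted to."""
    return sorted(set(current) - set(baseline))


def make_demo_tree():
    """Constructed sample tree: two setuid files, one plain file, one symlink.
    Files belong to the current user, so audit with owner_uid=os.getuid()."""
    base = tempfile.mkdtemp(prefix="setuid_demo_")
    bin_dir = os.path.join(base, "bin")
    os.mkdir(bin_dir)
    for name, mode in (("sudo_like", 0o4755), ("ping_like", 0o4755), ("cat_like", 0o755)):
        path = os.path.join(bin_dir, name)
        with open(path, "w") as fh:
            fh.write("#!/bin/sh\necho demo\n")
        os.chmod(path, mode)
    os.symlink(os.path.join(bin_dir, "sudo_like"), os.path.join(base, "link_to_sudo"))
    return base


def run_demo():
    """Build the constructed tree and audit it as the current user.
    Returns (tree root, base names of the setuid files found)."""
    demo = make_demo_tree()
    found = audit_setuid(demo, owner_uid=os.getuid())
    return demo, [os.path.basename(p) for p in found]


if __name__ == "__main__":
    root, names = run_demo()
    for name in names:
        info = describe_setuid(os.path.join(root, "bin", name))
        print(info["mode"], info["owner_uid"], info["path"])
```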
Based off this video, it kind of depends on what you mean. The link in and of itself hacking you? No. Where the link points to? What code the website the link goes to has? 100% yes, that link will load whatever that website has basically instantly. Just don't click (ph)fishy links!
Had a guy claim he could take over someone's PC just by having them open a link, so like any normal person I clicked his link and tried to investigate this potential 0-day he had on his hands. I was severely disappointed to learn that he was just a brain damaged script kiddie trying to act smart because he thought I was IT illiterate 😭
It is actually possible without using any exploit. There is a feature within microsoft edge and internet explorer that WILL download anything AND run it on your system, without user interaction.
Well, on Ubuntu Linux, by default, Firefox and Chromium are snap packages, which means they are sandboxed. Which means zero access to important resources.
I've noticed that many times a button to download stuff can be disguised as a link. Thankfully, to date it just downloads stuff and that pops up, so I can instantly cancel and bin it. Also, technically Pegasus and other super advanced no-click methods exist, but idk if those are for mobiles or laptops
@@Bhoppings Being old IS actually a correct reason, but it's not just them thinking stuff can happen, it's because many of them have cognitive decline and stuff, and it's much easier to tell them "don't download without me" rather than "see this thing you just downloaded, please remember to run a scan on it before double-clicking it" ("remember" being the key word here)...
He answered the question in under a minute, the answer is no, but they can still harvest a lot of information about you because you visited their website.
@StefanReich excellent question, but no, as the video says, browsers haven't supported arbitrary code execution from a web page in decades. There are things you just can't do from a web page because of language restrictions and api support. Also most of the time scam websites you go to are for social engineering and not actually malicious. Thinking scammers might actually hack you is giving them too much credit, they're just about all script kitties.
Said question has many interpretations to be fair, if you mean "should I be deathly afraid of clicking a link?" the answer is no, but if you mean "is it teeeeeeechnically, through some possibly as of yet undiscovered zero-day, possible?" then the answer is yes.
@@schwingedeshaehers When you visit a website, it captures a snapshot of your browser size, operating system, keyboard format, and the browser being used to render the page. If your browser window remains the same size each time you visit, the site can use this information to fingerprint your traffic. Once you log in to that website, say Facebook, the site can identify you based on your login information. A VPN can help maintain anonymity only if you never log in and use a new VPN connection for each website you visit. Simply changing your screen size won't improve privacy; it may only indicate an unusual screen size, which isn't standard. A more effective solution would be to spoof the system details and screen size completely. However, the moment you log in to any website, tracking becomes possible.
Furthermore, like me, I block VPN services because 90% of the time that somebody is coming onto my website using a VPN they are trying to do something nefarious. So it's not beneficial for me to allow VPN services to access my servers.
@@erikkonstas I block VPN IPs on my hosting servers because 99% of them are bots attacking my websites. VPNs were originally designed for businesses to securely connect remote computers to their internal networks, simulating local network access over different ISPs. Today, VPNs often mislead users by claiming complete protection, which only works if used correctly. Most users fail to do so. To maintain privacy, each VPN location requires a unique identity. Logging into the same accounts across multiple VPN locations or devices allows tracking. While VPNs prevent man-in-the-middle attacks, they don't hide activity from services like Facebook, which can still track users. VPNs may even invite targeted attacks like social engineering. True anonymity requires using one device, connection, VPN, and account, with no overlap or shared activity across platforms.
Chrome on Linux is also using sandboxing. Not sure how effective it is, but Linux had the ability to restrict syscalls and drop privileges way before Windows did. Don't quote me on this, but I'm pretty sure unless you're doing something stupid like disabling the sandbox or running it as root (that effectively disables the sandbox) then it should be comparable to what's being done on Windows.
You should take a look at when people would send these fake Roblox links that would steal the cookies of the person who clicked them. I think it would be interesting dissecting those links.
This is a legitimate question- Do you attempt to use an American accent in your videos? It sounds like an attempt with your native accent seeping through.
6:30 I don't really think this would be an issue when using a Flatpak? Since those are sandboxed. And if you don't give them more permissions/file access than you need, they can't really do that much.
Depends on their default permissions would be my guess. If they allow read and maybe write access to the home directory, that might be all that's needed to get hacked.
Flatpaks don't really help when the Linux kernel has as many holes as Swiss cheese (when you're talking about the kind of 0day attacks mentioned in this video). If someone can afford/build a Chrome chain, they'll have a Linux kernel PE too
@@Daniel-hz6pt LOL imagine talking about Linux holes, when Windows literally lets anything run beside the kernel (hence Crowdstrike, hence anti-cheat scandals, hence buggy drivers bringing the whole system down, etc.) 😂 Linux being monolithic is actually a plus.
@@erikkonstas That's not how it works, drivers have to be validly signed and you can tweak your code integrity options to enforce only specific signers or WHQL certified drivers, which go through automated fuzz testing
In theory: if the image viewer is coded in a spectacularly moronic manner, anything is possible. In practice: probably not. Although there was an exploit with WebP fairly recently.
Yes, not in all cases, it's rare anymore. Hackers can embed malicious code within an image file, and if you open it using a vulnerable image viewer, the code can be executed. I've seen it work decades ago, but with all the patches and security fixes, not anymore.
@@EricParker You should dive into steganography some time. The most basic way to pull it off is with the "cat" command. Sort of. I'd more so call this a pseudo form of it, but cat can be used to spoof RAR archives as images that will load in an image viewer. Not sure if it's possible to do this with something like an SFX, but I'm sure something could be cobbled together.
@@EricParker I think it's dumb to say "moronic way", the people that wrote libwebp weren't morons, C/C++ is just very hard, bordering on impossible, to write without undefined behaviour
I was thinking of exploiting another app using their custom URI scheme. Although the exploit will not occur in the browser, it will still be just a link that a victim would need to click.
For us Linux users, how would the snap and flatpak versions of browsers (Firefox, Chrome, etc) fare in case of a 0-day vulnerability that could allow browser sandbox escape? Also, I'm transitioning into using VMs for when I'm going to an untrusted site, is there anything you need to know when setting them up? Like what network configurations are safer and so on.
They're not real angled brackets. If you look at them in dev tools you'll see they're HTML-encoded entities, so your browser sees the special tag and converts it to an angled bracket in the DOM render, but the actual HTML parser doesn't see it as a real angled bracket
No you can't, I've tried... the Description field of a video can't have "<>" in it. Yes, your browser and an official UA-cam client will most likely not mistake them for legitimate HTML, but some third party could, and the way society works, if such an "incident" happened, it could've translated to bad PR for UA-cam, no matter how responsible they would be for it...
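The entities-versus-real-brackets point from the exchange above, as an added example that is not from the video or any commenter: a constructed description is rendered into a page twice, raw and HTML-escaped, and Python's stdlib html.parser stands in for the browser's parser (an assumption for the demonstration) to show that only the raw version yields a script element while the escaped version still displays the same text.

```python
"""Why HTML-encoded angle brackets are text, not tags.

render_description() is a stand-in for a site pasting a user-supplied
description into a page; parse() reports what an HTML parser would build
from the result.  The description below is constructed for the demo."""
import html
from html.parser import HTMLParser


class TagCollector(HTMLParser):
    """Record the start tags and the text nodes a parser would hand the DOM."""

    def __init__(self):
        # convert_charrefs=True (the default): entities such as &lt; are
        # decoded into the text node, exactly as a browser's DOM would show them
        super().__init__()
        self.tags = []
        self.text = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)

    def handle_data(self, data):
        if data.strip():
            self.text.append(data)


def parse(markup):
    """Return (list of element tags, list of text nodes) for a markup string."""
    p = TagCollector()
    p.feed(markup)
    p.close()
    return p.tags, p.text


def render_description(description, escape=True):
    """Wrap a user-supplied description in a div.

    escape=True is the correct behaviour: <, >, &, " become entities, so
    the parser sees text.  escape=False is the bug the thread worries about."""
    body = html.escape(description, quote=True) if escape else description
    return '<div class="description">' + body + "</div>"


# Constructed description a user might type into the field
DESCRIPTION = 'Check my site <script>alert("pwned")</script> & subscribe'


def demo():
    """Parse both renderings and return what each produces."""
    raw_tags, raw_text = parse(render_description(DESCRIPTION, escape=False))
    safe_tags, safe_text = parse(render_description(DESCRIPTION, escape=True))
    return {"raw": (raw_tags, raw_text), "escaped": (safe_tags, safe_text)}


if __name__ == "__main__":
    for label, (tags, text) in demo().items():
        print(label, "-> elements:", tags, "| text nodes:", text)
```

The raw rendering produces a `script` element; the escaped one produces only the `div`, and its single text node is the literal description, angle brackets included, which is what the reader sees on screen.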
Incognito mode won't disable XSS exploits, that's wrong, it just prevents tracking, but they can still inject JavaScript code into the browser from the server. So the browser doesn't have any privileges but can still trick the user in a few ways.
If I ever want to go to a link or download something I'm a bit sus on, I just open up VMware Workstation Pro, fire up one of my VMs, then use the VM to do it. If anything goes wrong, just shut down the VM and restore it back to the last snapshot that I took of it.
"Java" or "JavaScript"? Because Java applets were quite the malware festival back when they were a thing, but were in fact not exactly "within" the browser...
Why are LTS (long term support) versions of web browsers not used more often? Firefox and Chrome have LTS versions. The only difference is Chrome has backdoors while Firefox doesn't.
@erikkonstas i know that nothing is bugfree, but that's not a reason to use software that was made just now and tested for only a few minutes. LTS means it doesn't get new features anymore but only receives bugfixes. Before something gets proclaimed LTS it first has to get tested for months and months, and even after that it still receives bugfixes.
@@adiadic4722 I never said that, although the versions we usually use are the stable versions, not the nightly ones anyway. The part I was referring to was "The only difference is Chrome has backdoors while Firefox doesn't."
About configuring SELinux on Linux, some distros ship with that already set up, like Fedora. How does e.g. Fedora's default SELinux profile compare to the security of Mac and Windows?
From what I recall, Fedora mainly uses the targeted policy rather than the strict one, where targeted only applies to certain high-profile processes related to, for example, web servers (Apache), while the strict policy applies to every process (and thus is way more tedious to use on a desktop machine since there are more labels to deal with the permissions of). Idk if Firefox is/was included in the Fedora targeted policy though, and it has been a while since I tried using a strict policy on a day to day system, so my memory is flaky. I do not know enough to compare a policy that applies to Firefox to how Windows/Mac handles it.
@@YumekuiNeru Apparently, the "strict" policy was merged into the "targeted" policy in Fedora 9. I'm still not very knowledgeable about it all, though lol
Short answer: No.
Short answer : Yes. It's called XSS, CSRF, Spoofing, etc etc
@@Chrizzy_Official fluent in a programming language ❌ fluent in yappanese ✅
beef-xss and browser spoofing and CSRF lol, it's kinda ez too
@@Skailed Whatever you say Mr Anime Bedwars UA-camr
@@Skailed Also what I said isn't programming, it's just vulnerability pentesting, but sure
Having a link that was legitimate before become compromised and screw me over when clicking it is a huge nightmare scenario for me. Thankfully it's never happened and I've been online since the mid 90s.
holy shit u joined 19 years ago... respect
It's called a watering hole attack. Not super common though, because it would usually be discovered quickly on a well-trafficked site, so they design it in a way to only target specific IPs when they visit a particular site
If you browse Facebook, they promote ads that have scammers and all kinds of crap like fake sites, which is very common. Before CORS/CSP was mature these link hijacking types of attacks were far more common
@@bunnycat24 lmao
happened to me 16 years ago from ads on some website u could play games on
I love all the news agencies that say scanning a QR code is a clickless, fully automated, no action, no awareness hack that also immediately does identity theft. And they say literally nothing about the GeoCities page that just asks them to manually type their info in for no reason and hit submit.
5:55 that edge virtualisation thing is still there. You just need to enable it in a few places. It works like it used to, except it now uses the chromium based edge
how to enable it?
@@epic_journey. "Turn Windows features on or off", "Microsoft Defender Application Guard", also enable Hyper-V and the VM stuff. Open Windows Security, App and browser control, Isolated browsing, install. When it's installed, change Application Guard settings, enable advanced graphics. Open Edge, press the 3 dots, you'll now see "New tab", "New window", "New InPrivate window" and finally "New Application Guard window", hit the last one, wait for it to load, done
Why is it disabled in the first place... Alas they force useless AI crap that won't definitely not be abused, and file encryption which also won't definitely not be abused, but the most common "trickery" is effective with ignorance, so why not make file extensions still hidden by default. That "document.xlsx.exe" document certainly has what I'm looking for.
@@balsalmalberto8086 The average user won't have a clue what a VM is, never mind know when to use one and what they can do. The actual purpose of the virtualised browser is for enterprise. You install a Chrome extension that checks what websites you visit; if you visit an unknown website, the website is blocked and instead loaded in the VM browser. All the VM stuff in Windows is disabled by default. Partially due to the fact it's a power user thing, partially due to it needing virtualisation to be enabled in the motherboard, and partially because virtualisation can be unstable on some systems. E.g., if I enable Edge virtualisation on my laptop, I bluescreen boot loop till I disable it in safe mode. Your parents and granny will just use Edge like normal, it's only a very small section of the userbase that would actually know what it does and use it
@@epic_journey. I wrote a reply but it seems to have gone into the ether. So here's the short version. Enable the vm stuff in "turn windows features on or off", "microsoft defender application guard" is the option that actually enables the browser vm. Then open windows security, go to app and browser control, on "isolated browsing" hit enable. Fiddle with the settings, then you'll see a fourth option when you hit the 3 dots in edge
I remember xss exploits back in the day getting abused on vbulletin boards, allowing exactly for what you've described in the video - to take over the logged in session on the board. Those were fun days...
B33f
@@4pThorpyPork. 😂😂but I know what you meant dawg
Answer: 8:28
If you really are worried about this, a DNS blocker like Pi-hole can also block malicious DNS lookups, meaning your request never gets to their servers in the first place since Pi-hole shoots it down.
babe wake up Eric Parker just uploaded
I’ve literally kept up with his videos for some time now. He never misses! 🎯
Same
real
the reason that the mullvad fingerprint is unique is because the canvas render is fucked up on purpose
I thought the point of the Mullvad browser was supposed to protect against fingerprinting though? The fingerprint being unique means it's failing at that purpose.
@Daniel15au This is wrong, it’s random, so you will never have the same fingerprint twice.
@@Capiosus oh! Well that's interesting! Thanks for the info/correction.
As a web application developer, the answer is yes, you can get hacked by a link, but not in the way you might think. Hackers can access your cookies if they are not secured, but only for the page they hijack. For example, if you visit an unsecured website and create an account or enter any credit card details, they can be stolen. In the middle of the communication between the website and its server, the data can be intercepted and transferred to the hacker's server. A hacker can inject code into the website through a malicious link. However, most modern websites use SSL (HTTPS) encryption and huge operations often have firewalls and many other security measures in place.
The vulnerability is called Cross-Site Scripting (XSS), if you want to read about it to secure your website.
It's crazy to me people still act in 2024 as if clicking a link will install a virus on your computer without you doing anything.
As long as you don't actually open the file you accidentally download because of the malicious link, you should be fine.
It's always so funny to me seeing the shocked face of my coworkers when I tell them I don't use an anti-virus, because my anti-virus is common sense and actually knowing what I'm doing.
To this day, I have never had a virus on my computer.
Thank you for doing that because I was really wondering about that!
Same here, also with clicking anywhere on a website and a strange pop-up comes up, loads for a few seconds, then self-exits.
About your linux security remark, it seems that the Linux kernel is adding more built in security features like mprotect, but they seem to be opt in
In theory yes, in practice it's extremely underdeveloped. You can get decent security with profiles on AppArmor, but very few distros want to package all of it.
This may start to change if the market share grows high enough.
@@EricParker Do flatpaks and appimages protect like you said Windows and MacOS does?
@@EricParker That's why it's recommended to use Flatpak versions if available, as the packages are themselves sandboxed from the OS. Browsers such as Brave, Firefox, Librewolf, Ungoogled Chromium, and even ones like Zen and Floorp, are now officially available as native Flatpak packages. I believe browser companies should be focusing more on working towards their Flatpaks. Btw what package do you use on your main system Eric? I know you are on Linux..
@samuel87723 I’m not familiar with macOS but flatpaks seem similar as they sandbox apps and offer granular control over permissions.
@@samuel87723 Flatpaks, if configured correctly, put you on a similar level to macOS.
Haven't watched yet, but a good idea is to enable the 'ask browser where to save file' setting in whatever browser you're using, because some links can make you auto-download a file. However, if you have that enabled it will ask where you want to save it every time, instead of just auto-downloading to the default place
I'm curious how much damage a virus can do if it gets downloaded but you don't manually execute it?
My browser changed this setting and I changed it back cause I like the option to choose the location or cancel, didn't even connect how it can also improve security as opposed to not notifying you of downloads, yikes and thanks! I'll be sure to be mindful of this setting on my family's computers.
@@alfamari7675 None
@@alfamari7675 I think generally speaking most viruses won't cause you any problems unless you execute them, but there are more advanced ones that do. This is just from memory though
@@alfamari7675 Nothing - if the application isn't run it never does anything. You can park a car in your garage but it won't just turn on by itself, you gotta do it.
@@alfamari7675 Zero. What CAN do damage is if your browser has a zero-day and it's exploited, but then they would have to be really stupid to leave traces (the downloaded file) behind them...
Thanks Eric for the explanation, that was very interesting
2:34 PCs are easier to fingerprint; regarding mobile devices, there is less unique information, so it is a little harder to do so. For example, the latest and previous iPhone can generate a high number of hits, and there is a really high chance you will have more than 1 device under the same fingerprint.
Request for a video on Portmaster (recommended settings, use cases, demystifying features, etc). Cheers!
I've been wondering about this topic for a while now, thank you.
Happened to me once on 4chan 10 years ago. Someone posted a link to a fake reddit page.
It was a JavaScript exploit
@@basic1279 that's crazy
There is a way to have a binary be downloaded and ran on your system by just opening a link. It's an actual feature on Microsoft Edge and Internet Explorer.
Another thing that I might have overheard at ~10:00: If you don't want to, or maybe even can't, install NoScript, you can also deactivate JS by default in any common browser. Then you also have to allow-list the site when you open it, to run it. An icon might be visible in the browser address bar, or go via the Site Settings on the left of the address bar.
new upload = happy
NoScript sounds like a very good solution, but using it seems quite complicated. I know you don't really do the "tutorial" kind of stuff, but I think it would be interesting to do a NoScript vid since you're the tech man!
NoScript relies on origin whitelisting, which is quite a weak way of doing it: you just find an XSS on a whitelisted origin and you can deploy your payload.
PS Vita jailbreak is the best demonstration of this. Going to a link not only does code execution, but also at kernel level.
There's always browser sandboxing, but that isn't foolproof.
If you use a browser sandbox, it blocks the fool on the other end but not the fool who uses it.
@@SpaceCadet4Jesus Most browsers, such as Chrome, have them enabled by default.
The browser is a sandbox
I was wondering this due to the new age ads that can open new tabs, or open the page you want in a new tab while opening an ad in the previous tab.
Thanks for the video :)
"new age"...? 😂 I remember these from years and years ago, mainly where we watch movies that are completely legal...
Short answer: yes
long answer: it's complicated (very very very rare)
Very interesting, I always wondered about this. Thanks for this video!❤
Haven't watched yet; Spectre was exploitable from JS, right?
It is in theory. JIT escapes have also happened.
What I'm about to say will be completely off-topic, but kinda not at the same time...I hope replying to scam emails is safe. I always reply to them with some not so nice things.. I typically will forward the email to the real company as well, in hopes they'll be able to do something about it.
It should be safe in itself, but it shows them the email is real and in use, so it could make it a bigger target.
It is safe yes, but it will also signal to them that behind your email address is a human, i.e. the frequency of scams in there can increase.
@@erikkonstas it's honestly cute how hard they try to scam me. It'll never happen :)
@@erikkonstas I just love wasting scammers' time. Wish there was a funnier way for me to do it.
hey Eric, I remember there was a website that, once you went on it, would log you out of everything you were logged into in your browser, but if you ran it in a private window nothing happened. Remember which website it was?
Don't know the site, but I'm curious now
@@imaginepercentage-th4ki unfortunately I forgot the URL of it :/
holy shit, your VPN was set like 25 minutes away from where I live; that scared me for a second for some reason
I'd like to see you test the code execution on Linux theory, both with distros that use AppArmor/SELinux (which are most of them), and the very few distros that don't, like Arch.
Hey Eric, can you make a vid about TLauncher (the cracked launcher)? It's kinda weird of people saying it's malware.
Oh yeah, that would be great
Btw, in case Eric is seeing this: I would strongly advise you to watch TheMisterEpic's 2 videos on the subject; he tells a lot about TLauncher.
TLauncher is potentially unsafe because it was stolen from the original creators.
The OG creators made TLegacy or something. I'm not sure if it's safe, so check that info anyway.
@@mysticstylezz9557 It used to be called TLauncher Legacy, now it's called Legacy Launcher
There was a vulnerability in Safari's WebKit back in iOS 10 which allowed for arbitrary kernel-level code execution, which allowed for jailbreaks like TNS (Totally not Spyware), which you could use with a simple flick of a slider in its webpage.
Can you get hacked by just hovering your mouse over an ad?
No.
yes. FB did it many years ago
Depends on the site
@@LordMeizu yeah, you said it. Years ago. If you don't use a browser with the last update from "years ago", then no.
@@LordMeizu also no, depends on the browser.
yes, but it's very rare; you would need a vulnerability
3:22 I'm right there 😀
there's no user agent for 11. I knew that Microsoft themselves hated what they've created. People should give awards for worst OS of the year
Proof that Windows 11 is just 10 with new graphics... it doesn't even have its own agent
The most typical hack most would get from visiting sketchy websites would be cookie sniffing/stuffing, where they would take your browser sessions and cookies from accessing the site
It's similar to how LMG got their credentials stolen
Dumb question about Linux: is that why it's always recommended you never give root access to users? Also, wouldn't that basically stop any attack (unless you're extremely unlucky and just used a sudo command before getting attacked)?
Not really, the main reason not to give root access to users is so that commands run as the user cannot damage the system (either due to user error or malware/bugs). However, if the JS in the browser gets access to do anything your user can do, it could for example upload all your private documents somewhere, as most people are not going to have those in a root-access folder. Likewise it would be possible to delete those documents.
In short, root is about protecting the system but will not do anything to stop programs from accessing your private data. If you need data protection, your options are to use a separate user for accessing that data (note: anyone with root access can still get to it), encrypt the data and only decrypt when needed (note: storing the encryption password in a plaintext file is like storing your house key under the doormat so be careful where you keep it), or avoid storing the data on the system at all for example by putting it on a (potentially encrypted) flash drive or something. If at a certain point in time you can read some data, that means that any program run by you can in theory read it too.
Actually, on Linux you technically don't have any user other than root with root access, contrary to the Administrator accounts on Windows; instead, you have a group (let's say "sudoers") and a program (let's say "sudo") that runs as root no matter who starts it via the "setuid bit" in its executable's permissions, and checks sudoers to see if you are in that group before exec-ing the other program you told it to as root, hence implementing something like admin accounts. The key part of sudo's operation is the setuid bit, and the fact that it's owned by root (setuid means always run as the owner); other things that also have setuid on include networking facilities, in fact, hence it's a matter of whether those have a security vulnerability that can be triggered by the browser, given that the browser itself allows it to go through. However, in practice this isn't as feasible as it sounds.
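The comment above describes why sudo works without a second privileged user: the setuid bit makes a program run as its owner (root) no matter who starts it, and every other setuid-root binary is part of the same exposure. As an added example (not code from the commenter or the video), this shell function lists the setuid executables under the directories you pass it, with owner and mode, so you can see exactly which programs on a system run that way; it assumes Linux with GNU coreutils (`find`, `stat -c`).

```shell
# Added example (not from the original comment): list setuid executables under the
# given directories, printing owner, octal mode and path. Anything owned by root here
# runs as root whenever any user starts it, which is the mechanism the comment
# describes for sudo. Assumes GNU find/stat (Linux).
list_setuid() {
  # $@ = directories to search; -perm -4000 matches files with the setuid bit set
  find "$@" -xdev -type f -perm -4000 2>/dev/null | while IFS= read -r f; do
    # stat -c: %U = owner name, %a = octal mode (e.g. 4755)
    printf '%s %s %s\n' "$(stat -c '%U' "$f")" "$(stat -c '%a' "$f")" "$f"
  done
}

# Only the root-owned ones, i.e. the set that actually runs with root privileges.
list_setuid_root() {
  list_setuid "$@" | awk '$1 == "root"'
}

# Usage on a real system (typically shows sudo, passwd, mount and a few others):
#   list_setuid_root /usr/bin /usr/sbin /bin /sbin
```

Run it after installing software or on a freshly built image to spot setuid binaries you did not expect.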
How do you sound British and Canadian at the same time?
makes sense now why I’m subbed to random accounts I’ve never heard of
Uh... it's most likely not your browser being taken over 😂 YouTube channels renaming suddenly isn't exactly rare.
What if my browser on Linux is installed as a flatpak?
based off this video, it kind of depends on what you mean. The link in and of itself hacking you? No. Where the link points to? What code the website the link goes to has? 100% yes; that link will load whatever that website has basically instantly. Just don't click (ph)fishy links!
Had a guy claim he could take over someone's PC just by having them open a link, so like any normal person I clicked his link and tried to investigate this potential 0-day he had on his hands
I was severely disappointed to learn that he was just a brain damaged script kiddie trying to act smart because he thought I was IT illiterate 😭
It is actually possible without using any exploit. There is a feature within Microsoft Edge and Internet Explorer that WILL download anything AND run it on your system, without user interaction.
Accurate and free information for everyone. Thank you.
Well, on Ubuntu Linux, by default, Firefox and Chromium are snap packages, which means they are sandboxed. Which means zero access to important resources.
I've noticed that many times a button to download stuff can be disguised as a link. Thankfully, to date it just downloads stuff and that pops up, so I can instantly cancel and bin it.
Also technically Pegasus and other super advanced no click methods exist, but idk if those are for mobiles or laptops
downloaded files won't do anything unless executed. This isn't 1999
@@Bhoppings Yes, I understood that. That's why I'm so confused why everyone is still harping on about "don't download anything from sketchy websites".
@@normalchannel2185 cause people are old af and still think shi like that can happen in the big 24
@@Bhoppings Being old IS actually a correct reason, but it's not just them thinking stuff can happen, it's because many of them have cognitive decline and stuff, and it's much easier to tell them "don't download without me" rather than "see this thing you just downloaded, please remember to run a scan on it before double-clicking it" ("remember" being the key word here)...
It's great to watch a whole video on a question just to not get that question answered
He answered the question in under a minute, the answer is no, but they can still harvest a lot of information about you because you visited their website.
@@14ajencks Well, shouldn't the answer be, sometimes yes? There are zero-day exploits at times
@StefanReich excellent question, but no; as the video says, browsers haven't supported arbitrary code execution from a web page in decades. There are things you just can't do from a web page because of language restrictions and API support.
Also most of the time scam websites you go to are for social engineering and not actually malicious. Thinking scammers might actually hack you is giving them too much credit, they're just about all script kitties.
Said question has many interpretations to be fair, if you mean "should I be deathly afraid of clicking a link?" the answer is no, but if you mean "is it teeeeeeechnically, through some possibly as of yet undiscovered zero-day, possible?" then the answer is yes.
@erikkonstas well said
Now this, this is cinema
SOLUTION: Do not visit sketchy sites!
Happy to find this channel, sad that it's too late
Too late in what regard, that your browser was exploited...?
that strange-size window can still be tracked!
how? many Mullvad Browser users have it
@@schwingedeshaehers When you visit a website, it captures a snapshot of your browser size, operating system, keyboard format, and the browser being used to render the page. If your browser window remains the same size each time you visit, the site can use this information to fingerprint your traffic. Once you log in to that website, say Facebook, the site can identify you based on your login information.
A VPN can help maintain anonymity only if you never log in and use a new VPN connection for each website you visit. Simply changing your screen size won't improve privacy; it may only indicate an unusual screen size, which isn't standard. A more effective solution would be to spoof the system details and screen size completely. However, the moment you log in to any website, tracking becomes possible.
Furthermore, I block VPN services, because 90% of the time somebody coming onto my website using a VPN is trying to do something nefarious. So it's not beneficial for me to allow VPN services to access my servers.
@@BradleySmith1985 TBF I can actually stand behind that, if you have empirically determined that, in your specific case, VPN IPs mostly cause trouble.
@@erikkonstas I block VPN IPs on my hosting servers because 99% of them are bots attacking my websites. VPNs were originally designed for businesses to securely connect remote computers to their internal networks, simulating local network access over different ISPs. Today, VPNs often mislead users by claiming complete protection, which only works if used correctly. Most users fail to do so. To maintain privacy, each VPN location requires a unique identity. Logging into the same accounts across multiple VPN locations or devices allows tracking. While VPNs prevent man-in-the-middle attacks, they don't hide activity from services like Facebook, which can still track users. VPNs may even invite targeted attacks like social engineering. True anonymity requires using one device, connection, VPN, and account, with no overlap or shared activity across platforms.
Chrome on Linux is also using sandboxing. Not sure how effective it is, but Linux had the ability to restrict syscalls and drop privileges way before Windows did. Don't quote me on this, but I'm pretty sure unless you're doing something stupid like disabling the sandbox or running it as root (that effectively disables the sandbox) then it should be comparable to what's being done on Windows.
CreepJS is pretty awesome for testing fingerprint resistance
You should take a look at when people would send these fake Roblox links that would steal the cookies of the person who clicked them. I think it would be interesting dissecting those links.
TL;DR // No.
That’s not what he said, the answer is yes but most users are unlikely to encounter it
This is a legitimate question: do you attempt to use an American accent in your videos? It sounds like an attempt with your native accent seeping through.
6:30 I don't really think this would be an issue when using a flatpak? Since those are sandboxed. And if you don't give them more permissions/file access than you need, they can't really do that much.
Depends on their default permissions would be my guess. If they allow read and maybe write access to the home directory, that might be all that's needed to get hacked.
Flatpaks don't really help when the Linux kernel has as many holes as Swiss cheese (when you're talking about the kind of 0-day attacks mentioned in this video); if someone can afford/build a Chrome chain, they'll have a Linux kernel PE too
@@Daniel-hz6pt LOL imagine talking about Linux holes, when Windows literally lets anything run beside the kernel (hence Crowdstrike, hence anti-cheat scandals, hence buggy drivers bringing the whole system down, etc.) 😂 Linux being monolithic is actually a plus.
@@erikkonstas That's not how it works, drivers have to be validly signed, and you can tweak your code integrity options to enforce only specific signers or WHQL certified drivers, which go through automated fuzz testing
mic check needed at 7:06
I literally download the free stuff you recommend cause the info you provide is easily comprehensible and accurate to what i saw in the internet
downloaded Mullvad and had 0.00% on canvas as well (not on a VM), why?
Ok
Can you get hacked by opening an image? In theory and in practice.
In theory: if the image viewer is coded in a spectacularly moronic manner anything is possible.
In practice: probably not. Although there was an exploit with WebP fairly recently.
Yes, not in all cases, it's rare anymore. Hackers can embed malicious code within an image file, and if you open it using a vulnerable image viewer, the code can be executed. I've seen it work decades ago, but with all the patches and security fixes, not anymore.
no.
@@EricParker You should dive into steganography some time. The most basic way to pull it off is with the "cat" command. Sort of. I'd more so call this a pseudo form of it, but cat can be used to spoof RAR archives as images that will load in an image viewer. Not sure if it's possible to do this with something like an SFX, but I'm sure something could be cobbled together.
@@EricParker I think it's dumb to say "moronic way"; the people that wrote libwebp weren't morons, C/C++ is just very hard, bordering on impossible, to write without undefined behaviour
Legend content, keep it up my good sir
I got hacked watching your video!
Basically, yes but no.
I was thinking of exploiting another app using their custom URI scheme. Although the exploit will not occur in the browser, it will still be just a link that a victim would need to click.
And that's why the browser asks you before opening the program... hence no gotcha.
Okay thanks I will start pressing links now 👍
For us Linux users, how would the snap and flatpak versions of browsers (Firefox, Chrome, etc) fare in case of a 0-day vulnerability that could allow browser sandbox escape?
Also, I'm transitioning into using VMs for when I'm going to an untrusted site; is there anything you need to know when setting them up? Like what network configurations are safer, and so on.
get your popcorn ready, Eric just posted!
Make sure it's a small bowl because it's only a short video.
Do you use virtual machines? If yes, what software do you use to run the VMs?
if you don't have a VPN then get a proxy with an in and out firewall. A proxy and a VPN is overkill
just realized I clicked on a link to get here 🧐
just got my dinner and you posted
You got an entire diner? lol
@@LyritZian ?
@@Bhoppings he edited the comment
Why are you using edge?? 😭😭
Guess some people just like edging 🙄
Yes, silent drive-bys, but that's an old old thing.
Technically it MIGHT still be possible, but nowadays browsers are more robust, although to think they're "definitely perfect" is dangerous.
Would flatpaks and AppImages protect Linux like you said Windows and macOS do?
Not sure about flatpaks, but AppImages by themselves wouldn't, since they aren't sandboxed.
From the start you are not correct. There are browser vulnerabilities that allow code execution
Hm, he did mention them later, including an example from North Korea.
You can still get angle brackets on YouTube
They're not real angle brackets; if you look at them in dev tools you'll see they're HTML-encoded entities, so your browser sees the special tag and converts it to an angle bracket in the DOM render, but the actual HTML parser doesn't see it as a real angle bracket
No you can't, I've tried... the Description field of a video can't have "<>" in it. Yes, your browser, and an official YouTube client, will most likely not mistake them for legitimate HTML, but some third party could, and the way society works, if such an "incident" happened, it could've translated to bad PR for YouTube, no matter how responsible they would be for it...
are you spying on me? I googled that like a day or two ago and couldn't find anything useful, really hehe
Incognito mode won't disable XSS exploits; that's wrong, it just prevents tracking, but the server can still inject JavaScript code into the browser. So the browser doesn't have any privileges but can still trick the user in a few ways.
ahh, I remember good ol' Java drive-bys
Those depended on Java's JRE though, which ran separately from the browser.
Is Cyberflow your channel? Because he stole almost everything you talked about, even the words; he just changed the edit
Anyone ever say you sound a lot like Tristan Tate?!
If I ever want to go to a link or download something I'm a bit sus on, I just open up VMware Workstation Pro, fire up one of my VMs, then use the VM to do it. If anything goes wrong, I just shut down the VM and restore it back to the last snapshot that I took of it.
Depends on what you've got installed. Used to Java drive-by pre-EoC RS with a simple link
"Java" or "JavaScript"? Because Java applets were quite the malware festival back when they were a thing, but were in fact not exactly "within" the browser...
2:50 how is it infamous in a good way lol. Wouldn't you just have been correct in saying famous or popular?
Very educational video overall. Thank you for your content. Just thought that moment was funny lol.
why are LTS (long term support) versions of web browsers not used more often? Firefox and Chrome have LTS versions. The only difference is Chrome has backdoors while Firefox doesn't.
To claim that anything is "bug-less" so confidently is quite the bold move, just saying...
@erikkonstas I know that nothing is bug-free, but that's not a reason to use software that was made just now and tested for only a few minutes. LTS means it doesn't get new features anymore but only receives bugfixes. Before something gets proclaimed LTS it first has to get tested for months and months, and even after that it still receives bugfixes.
@@adiadic4722 I never said that, although the versions we usually use are the stable versions, not the nightly ones anyway. The part I was referring to was "The only difference is Chrome has backdoors while Firefox doesn't."
Click the link in the description and find out!
I click 50 suspicious links daily and I think I am fine till now, at least 😁
only if a browser has a VERY significant vuln.
also bruh, IPs almost don't show anything. The maximum they can show is the city you're in, but like come on
Lain.
About configuring SELinux on Linux, some distros ship with that already set up, like Fedora. How does e.g. Fedora's default SELinux profile compare to the security of Mac and Windows?
from what I recall Fedora mainly uses the targeted policy rather than the strict one, where targeted only applies to certain high-profile processes related to, for example, web servers (Apache), while the strict policy applies to every process (and thus is way more tedious to use on a desktop machine, since there are more labels to deal with the permissions of)
idk if Firefox is/was included in the Fedora targeted policy though, and it has been a while since I tried using a strict policy on a day-to-day system, so my memory is flaky
I don't know enough to compare a policy that applies to Firefox to how Windows/Mac handle it
@@YumekuiNeru Apparently, the "strict" policy was merged into the "targeted" policy in Fedora 9. I'm still not very knowledgeable about it all, though lol
A WebKit exploit can get RCE
you forgot one more important hack that can be done just via a one-click link that you haven't put in the video 😊
What is it?
And it only works on MS Edge/Internet Explorer & is only .NET, correct? 😊😊
@@b.h.8137 I assume fake download button
@@b.h.8137 bs
Why? What happened?
WELL, XSS IS A THING, STEALING COOKIES
Good old exploit.