Telegram Has Been Hacked
Vložit
- čas přidán 15. 04. 2024
- Learn Cybersecurity - Name Your Price Training with John Hammond: nameyourpricetraining.com
📧JOIN MY NEWSLETTER ➡ jh.live/email
🙏SUPPORT THE CHANNEL ➡ jh.live/patreon
🤝 SPONSOR THE CHANNEL ➡ jh.live/sponsor
🌎FOLLOW ME EVERYWHERE ➡ jh.live/twitter ↔ jh.live/linkedin ↔ jh.live/discord ↔ jh.live/instagram ↔ jh.live/tiktok
💥 SEND ME MALWARE ➡ jh.live/malware
🔥CZcams ALGORITHM ➡ Like, Comment, & Subscribe!
Yes please. I would love a video that does a deep dive on the *Metaspyclub* project
Metaspyclub gang in the house! Thanks for the analysis!
Metaspyclub anticipation is building to a fever pitch! 😥
I'm not afraid of a calculator! Bring it on!
Everybody gangsta till the calculator app starts to ask permissions for camera, microphone and location 💀
💀
Oh it will be problems! Count on it!
At 8:14 that evil laughter Muaahhh!! lol
@@yukiplaysFr**salutes to the therian**
Ma'am how can I help you ma'am
too much rce exploits bro 💀💀💀💀💀💀💀
What are others?
Xz utils, rust, palo alto
@@amaankhan8436 Palo alto?? My company uses that lul
@@sunbleachedangel there was a rust rce CVE-2024-24576, aint that effective though
Rust already released a patch its java that said they ain't fixing it. Tbf .bat codes running aren't used anywhere so who really cares
RCE after RCE, I hope kids wont have to learn about the year of the vulnerabilities, 2024, in the future
Thy Digital Apocalypse is drawing nearer by the day
This is literally cybersecurity history.
No it will be certainly eclipsed by the number of them in 2025
I wonder whether the whole AI hype will make even more RCEs show up. Either by improving exploit code or by reducing code quality in the attacked app because people trust AI code without questioning it.
@@SLZeroArrow seriously. I dedicated my whole life to computers and now they looking like they wanna kill us (ai). Ai is phuggin everything up. Its kinda scary tbh
TL;DR
The exploit disguises as a fake video that when played executes python code, requires python to be installed for it to work.
saved me about 10 mins bro ty
Me, an it student, got "hacked" like that...🤣
I just got a SNYK sponsored ad by John Hammond before his own video
Fr
I did too
It's rigged!1!1!1!1!1
Saaame
Wait ... we can hack those spammers that are sending us the messages to text them?
Bet the three later agencies are punching air rn. All their exploits getting found.
While reading your comment. lol
You think every exploit exists because of "three later agencies"? 😂
@@MrCobaltgiven the past of their involvement with 0days, I wouldn’t be surprised if they were aware of maybe 1 of the RCE vulnerabilities discovered this year
@@MrCobalt theres no way this was an unintended oversight
They should have a list of trusted extensions instead of a list of untrusted ones.
Very bad idea
@@zeteyawhy?
@@rafayahmed6259 Many reasons, one being a good extension can turn bad one day, but an extension that was bad to begin with will never turn good.
This just shows how blacklist are ineffective as a security tool
Thanks for the news!
Thanks John you explained that very well
3:55 Not me watching the John Hammond video and getting an ad with John Hammond in it. Some may say it's a 2 for 1.
Taking it up the a** without lube. lol
Interesting shiz John. Liked and subbed, stay safe
Wow good job I want more info ❤
This one RCE was indeed fun to use, gotta find more ;)
hello vro
im gonna touch u vro ♥
I'm glad that I migrated to Debian + KDE two months ago. I still have my Windows on my drive, but never want to boot it anymore.
The KDE environment in Linux is just much better than Windows.
who asked?
Welcome to the family.🐧
@@HyBlock the implication was that I'm not affected by windows RCE anymore.
I've tried making Ubuntu and Linux mint my daily driver many times. Can't do it.
But for home labbing and running servers it's perfect.
it's just so much more superior, once you try it you never go back lol
Hello john . I am a big fan of your content can you make a roadmaps for us form when need to start 😅❤
Oof, this is why blacklists can be problematic, with a whitelist they would not have had this problem.
Except perhaps for the problem of naming this list as "white" 😁
@@BaggerPROblock allow lists?
@@joshallen128 , Yeah, it looks like it's fashionable to call these lists that way now :)
A block list is usually shorter than a white list, but it's just a matter of decision.
@@BillAnt Deny list because block sounds like black with an accent
I got an ad from you on this video
The scrum meeting: "Yeah, an approve list is too short, let's write out every single extension that could execute code instead of just choosing some image and video formats that we support."
A whitelist can get annoying tbh.
@@user-hp2dr5qc8p Ah yeah, you're right, much more annoying than a 0 day. Also a blacklist had to have been annoying from the very start.
They are identifying files by extension. Nice.
The fuzzing begins ❤
LPL has entered the chat, fuzzing locks are fun. hehe
@@BillAnt...we're getting an SQL injection on three, oh it's binding. A little malware on four, and we're set. Going back to three, gained root access to run our query, annd now we're in.
@@AuxiliaryPanther lol that took like 30 seconds.... not a very secure lock. :D
Great Content ...
Nice Video!
Oooff... thank you John... cant believe im one of those 0.01% .. slackin
every vulnerability whether or not its trivial, can and will be leveraged
Hate the red border on the thumbnails, I assume I've already watched and scroll past half the time
Amo tus videos
the title of the video is not that nice because i thought it would be a vulnerability that accurs right now.
anyways.
Thanks for sharing.
How do u register for that forum?
Having a whitelist instead of a blacklist would prob. be more secure and reliable. Basic security not?
I was thinking the same
@@tablettablete186 governed by implicit deny. Also agree.
nah, its not think again
depends on size
Part of whyI never share diagnostic data with devs.
It’s so nosey now
calculator opens in my nightmares.
Who's idea it was to hardcode bunch of files there. They'll just keep updating it every timea new file type that can execute code comes? Sounds like horrible idea.
“It is not by default installed”
**laughs in Linux**
I find it very bizarre that you can execute a file in the first place. That seems like a bad idea in many ways.
How do you suggest to open a .txt file?
@@user-hp2dr5qc8p .txt file should be read, not executed.
Requires Python to be installed in the local path as a global environment variable.
it requires the file extension to be registered to the python interpreter, not anything to do with environment variables
3:28 lol. They backed themselves into a corner with that statement.
They might have been logging something like "There is no any program to open this file-type/mime-type" perhaps? Or they just RCE'd to everyone... Who knows?
@@allxrise I’m more inclined to believe they were just fabricating a number as an attempt at damage control
Tis the season to find folly, tra la la la la, la la la lol
Music to my ears
Haha so specific but I would've been at risk
👍Nice.
1:48 macOS has it installed by default, last I checked at least
Does mac have a similar concept of file extension associations as on windows, so a pyzw file will open with python by default?
Not anymore, used to have Python 2.x
Surely some communities would have a very high hit rate for python being installed on a windows machine right?
Yup. All data science and AI nerds.
Anybody even slightly interested in programming has a decent chance of having it installed on their computer. I refuse to believe less than 0.01% of users were affected.
@@Bromon655a) is the 6th most downloaded app - is your grandma programming?
b) die this you must use it on your PC. how many people just have it on their phone?
Hey how can i get an xss is account? i tried and always the same when i create an account "Your account has been declined."
The red bars in the thumbnail made me think I already watched this video.
Right, I thought so too!
yeah but it updates every hour so it's chill
"Google Photos would like to make Phone calls"
Me as python developer and windows user💀
I like cats. Btw we can all be farmers. No tech no rce problems 😎
Такое чувство, что на безопасность всем насрать, только ты можешь себя обезопасить, не кликая на всякое говно
Если человек наивный, то его никакая защита не спасет) Однажды мой знакомый запустил подозрительный tampermonkey скрипт в дискорде, говорит "2FA стоит же, чего бояться?". В конечном итоге украли его токен и смогли получить доступ к аккаунту.
But, isn't pyzw supposed to be a zip-archive? That contains a __main__.py? I'm actually surprised this runs at all.
what is "flair"
2024 is on fire with RCEs🤞🏾
I got a SYNK ad with John right before the video and was confused why there was a skip button 😂
Bad stuff for many. One of the reasons I always tell people to NOT use this medium.
Everybody be acting gangsta until calculator auto launches
oh no.. now i feel so dirty i cant wash it off
There is always a way in😉
CRAZY
Ohh no
With a bit of social engineering this could have been pretty terrible
Good, they banned my account for no reason.
A lot of noodles will be leaked for sure.
This is why you should use whitelists instead of blacklists.
i found this exploit 2 years ago... never posted anything about it
But was it a typo :D
Linux users are way more likely to have python installed out of the box so i wouldn't call this a "very specific" exploit.
I have Python installed on Windows computer... It helps with learning Python programming, idk why people are so against it.
Yea, not sure why he made it seem like something extremely unusual. I think most people that do any kind of programming and use Windows will have python installed.
Why would you learn python if you could not use it? :D
@@Slada1 wdym not use it? You can use it to create various programs.
tf is going on .. rce 💀
Yeah uae does not like private messaging.
😅😅
@@rafayahmed6259 Do you know uae connection with then twitter ? Or the documentary about state hackers of usa training uae agents.
That documentary is so interesting
I think the problem is Windows. It runs everything too fast without permission.
"Certified rce moment" 💀
bro, youtube just showed me your ad, on your own video. theyre wasting your ad money
Good thing I run it in a vm on a vps
vm escape + pyzw = your vps gets owned
Is it safer just makes a user that is not admin user? So if code ran its needs admin user right as default user windows always user are admin?
What is happening lately? 💀💀
Hey, nice video, but just one thing. Your audio and video dosent seem to be perfectly in sync and its getting on my nerves
python on windows, not that unnatural
this is such an interesting rce tho... lol
You can add an extra dot at the end. Windows -> Run -> 'calc.exe.' -> Enter opens calc. Does that work to bypass.
Why do they blacklist file types they believe are unsafe. They should be whitelisting filetypes that are safe. If some new software comes along that belongs in the unsafe catagory they have to know about the related filetype and then add it to the blacklist...
whitelist would take too long.
@@wafinashwan8242got any quote from a developer?
"Reimplemeent file open confirmations" has a noWarning list, so I think that's done now.
@@wafinashwan8242how so?
@@wafinashwan8242 how come
Ive heard this is on discord also
it is not
echo y | format c:
You should watch Telegrams owners interview with Tucker Carlson. They have like 30 employees and have never spent a dime on advertising. 😂
Why are you laughing though?
hello world
Anf i thought wiiu wansthe only thing that has rce 😂
This was surely done by purpose. Believe me not.
Sometimes you guys are very clever with tech but not so clever with people…
how do RCEs still exist in 2024 bro 😭😭😭😭😭
They are found in everything
"Windows that has python installed" you claim is extremely odd.
That... Is an extremely odd statement.
Less then 0.01%.... yeah idk why im having a hard time believing that 😂 its not that uncommon to have Python installed on ur system
I've never liked the idea of "allow" and "deny" list... just deny all and allow the user to specify.
can you stop using the word "stupid" so frequently and often?
How is this RCE? It's just running the code that someone sent to you. There's no difference between that and opening an exe.
😊
Code please