This GitHub CSS Exploit Is WILD
- Added on 10 June 2024
- GitHub's latest exploit is a bit absurd, but also beautiful. Throwback to the old MySpace days. CSS exploits are fun
THE RESEARCHERS
x.com/xyz3va
x.com/cloud11665/
x.com/vmfunc
Check out my Twitch, Twitter, Discord more at t3.gg
S/O Ph4se0n3 for the awesome edit - Science and technology
Honestly GitHub should make this a feature.
No,
Then it would be regulated by decision board not users
No.
But most of all, Samy is my hero.
Github-MySpace edition.
"Without further ado" followed by more ado
Trash YouTuber, disliked; can't unsubscribe since I was never subscribed
And with further ado, ...
yeah, he can be a mumbler sometimes...
Yappatron. Cool exploit but I'd rather watch skibidi toilet and jork my pingasss
Oh nahh we bout to get Github Nitro before GTA 6
xdddd
Heck of a comment!
Damn sad that it got patched, i wanted to turn the background into C A T
I gotta say, the LEGO explanation made no sense whatsoever. Really interesting exploit though.
Yeah sounds like they asked chatgpt 3.5 to make it 'simpler to understand'
it was clearly ai generated
what was that LOL
They must have been trolling lol. That metaphor made it more confusing
Cool a throwback from a time when the internet was for the people and wasn't ridiculous corporate.
Github homepage ricing sound so fun.
the github markdown is pretty strict but you can still make some cool stuff with it
Github should embrace this and make this a feature
Emm, if you can inject CSS you can inject a URL in a background, and these URLs could have JavaScript executing. It's crazy.
@justafreak15able No, you can't because of CORS.
No.
@justafreak15able Just block all non-GitHub links and limit the GitHub links to images or something.
@Kane0123 yes*
and it's also found on a Friday lol, when developers should be running in a flower garden in Amsterdam; they fixed GitHub because some anime developer decided to change their GitHub profile background lol
Yeah it's incredible what lengths corpos go to to prevent user customization these days
@doyouwantsli9680 yes and no cause XSS attacks were also possible
Gotta prevent weeb degeneracy.
FYI IP grabbers aren't out of the question for this exploit because of CORS. The thing that prevents IP grabbers from working on Github are their CSP rules. CORS by default only blocks responses from being read, it doesn't prevent the request from being sent as long as the request is considered "simple," which an IP grabber request could totally be. Non-simple requests are the ones that have preflight requirements
At that point visitor counters, by loading images through the markdown image syntax, would work the same. Also, CSS injection has been an official feature on CodePen for years and hasn't even been used for exploiting; CORS can secure this enough.
GitHub has an image proxy though, so your image would only be requested once (by the proxy)
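The point made in this thread about CORS versus CSP, as an added example (not code from the video, the researchers or GitHub): the first function classifies a cross-origin request as "simple" (sent with no preflight, so CORS does not stop it from leaving the browser), and the second evaluates a CSP fetch directive such as img-src against a URL to show what actually blocks the outbound request. The policies and origins used are constructed placeholders; GitHub's real CSP is not on this page.

```python
from urllib.parse import urlparse

# Added example, not code from the video or from GitHub. Policies and origins
# used with it are constructed placeholders; GitHub's real CSP is not on this page.
SAFE_METHODS = {"GET", "HEAD", "POST"}
SAFELISTED_HEADERS = {"accept", "accept-language", "content-language", "content-type"}
SAFE_CONTENT_TYPES = {"application/x-www-form-urlencoded", "multipart/form-data", "text/plain"}


def is_simple_request(method: str, headers: dict) -> bool:
    """True if a browser sends this cross-origin request with no preflight. CORS
    then only hides the response; the request itself still reaches the server."""
    if method.upper() not in SAFE_METHODS:
        return False
    for name, value in headers.items():
        lname = name.lower()
        if lname not in SAFELISTED_HEADERS:
            return False  # custom header => preflight required
        if lname == "content-type" and value.split(";")[0].strip().lower() not in SAFE_CONTENT_TYPES:
            return False  # e.g. application/json triggers a preflight
    return True


def csp_allows(policy: str, directive: str, url: str, page_origin: str) -> bool:
    """Evaluate one CSP fetch directive (e.g. img-src) against a URL, falling back to
    default-src. Supports 'none', 'self', scheme sources and *.host wildcards."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    sources = directives.get(directive, directives.get("default-src"))
    if sources is None:
        return True  # neither the directive nor default-src is set: unrestricted
    target = urlparse(url)
    thost = (target.hostname or "").lower()
    for src in sources:
        if src == "'none'":
            return False
        if src == "'self'":
            if f"{target.scheme}://{target.netloc}".lower() == page_origin.lower():
                return True
        elif src.endswith(":"):
            if target.scheme.lower() == src[:-1].lower():
                return True
        else:
            host = src.split("://", 1)[-1].split("/", 1)[0].split(":", 1)[0].lower()
            if host == thost or (host.startswith("*.") and thost.endswith(host[1:])):
                return True
    return False
```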
with so much negative energy in the tech industry (and the world) recently, sometimes we need these wholesome videos.
3:54 This summary is CLEARLY written with AI lmao
This also worked on PR comments (and probably issues) and you could just block all interactivity with it.
00:26 yackcine lmfaoooooo
based yacine
Theo is becoming more wholesome day by day.
this is textbook 100% improper disclosure. The fact they had to sweat a late Friday night to get it patched is proof positive this is really inappropriate. You really must email them, then wait for 2 weeks for a response; that's the minimum, and gives them time to actually put out a PROPER fix, rather than a rushed patch job.
Myspace all over again
LaTeX was totally not a "tool" tool. Even if you didn't use any math, not having to fight the stupidity that is MS Word to structure your paper was a Godsend. If you used a lot of math it was even better, because MS Word's equation editor also blows. I even used LaTeX for my resume, lol. All of my papers looked so much better than those of everyone who used Word, and having to spend zero time faffing around trying to manually structure things was a huge time-saver.
Absolutely nobody thought I was cool for using it, either. Most of my fellow engineering students were MS and IDE lock-ins.
As for why an embedded C guy is watching this, I guess you can blame Primeagen.
I'm always happy to blame Prime for things
It's been a while, but so far no other solution comes close to formatting insane lines of matrices and equations as nicely as LaTeX does.
LaTeX is fantastic, I'm in Grade 12 and I don't know how any of my notes would make sense without it.
If people exploit something like this, there is obviously a need for custom profiles. So add it then.
They will monetize it.
People *want* custom profiles, but that doesn't mean they *need* custom profiles.
the first "code" i ever wrote, before i was properly programming, was styling up my myspace page. It was a great time
@2:06 this is called "clickjacking"
doesn't come up often, but yea can be a real big security problem for the user.
css customising was what brought me to love myanimelist
3:20 You're damn right I did that. Honestly didn't take long to get some very nice looking PDFs out of it too.
I remember when something like this happened with someone's stream. -I don't remember the specifics but they somehow (assuming it wasn't self-hosted chat, had a separate renderer for the chat that displays on stream) let users set custom CSS for their messages or something and it quickly got out of hand.-
Oh it was full blown javascript/HTML code injection via an unsanitized bot (which makes more sense).
I used to write essays in Latex because I started using a dedicated old wordprocessor computer (just did word processing, old green screen thing) then moved on to WordStar, so I got used to seeing all the formatting codes on the screen, so I didn't trust MS Word or other WYSIWIG word processors and liked to see where the formatting instructions were.
i found something like this for caard once, but instead of injecting css it was straight up JavaScript. but when i reported it, instead of it getting fixed, it was fixed *and* they banned me. how nice :)
.... How does using Latex make one a tool? I use it to format my exams and homework assignments for my students
....i had the same reaction. why was i called a tool for using latex T_T
And it's the easiest way to format pages and pages of matrices so far in my books. I don't know any alternate way that would look that good. T_T
I wrote my Masters thesis for finite element method with it. I feel so personally attacked for all the wrong reasons lol
LaTeX renders so beautifully
TBF this needs to be a feature
Github dashboard deserves a redesign ... The current one isn't that useful...
Speak for yourself. My github has a ton of stuff @Ober3550
People have never been so determined to bring back the old internet
Wait until they start digging into the newer non-standard html tags. I did some experimenting and they seem hyper exploitable in ways most people wouldn't consider at surface level, but rear their ugly head when "used". For example, I worked with a JS-based report engine that is part of a hosted ERP system and a couple years behind on report-engine updates. If I used newer html tags (of which there are many poorly / almost-completely-non-documented), I could force rendering differences, not only with the page, but subsequent PDF conversions (that also rely on the reporting html engine under the hood), to change yet-again (as adobe acrobat didn't understand the tags). This, combined with the fact that you can both write to SQL and have interactable elements, means I could send someone a PDF report that, when clicked, deletes their CRM database entirely. Shit like that is... not good... We use it in production.
Hacker furries and weebs are the chaotic neutral that is more interested in exploiting cyber security for the lulz rather than doing anything with it lol
0:27, OMG, SO CHILL
dingboard community mentioned
This has to be a feature. This would be so cool.
Theo, I just noticed the other day that you're coming to Open Sauce! I hope I can find you and say hi :)
I participated in updating my profile to show the Svelte wallpaper background. Looked nice while it lasted....
I see longcat in the thumbnail, I click
I'm simple like that
MySpace!
I took an intro level psychology course in my last semester just to get enough credits to graduate, and so i used LaTeX to format my paper. They mandated times new roman font, so it didn't even look like latex
ah those "Defaced" old days :)
man, sad i wasn't around when the exploit was live, i wanted to have a silly style on my profile like that
Proper myspace vibes
Crazy Mad Man
github needs to make this a feature!!!
i don't get it, is it like using inspect element to temporarily change the look of the page, or directly changing it from the server to change the whole site?
You're setting styles on the page. You're not changing the whole site, but the server is sending the bad code to the client.
This was explained pretty well in the vod but... you know what CSS is, right? Usually, when you inspect a page, it'll have a <style> section somewhere at the top. That's what changes how things look. People found an exploit to basically insert those things through GitHub profile READMEs. Through a specific LaTeX (language for writing math stuff, think of typing "x^2" and it gives you an image of x with a small 2 at the top) command that utilized CSS styles, people were able to exploit it to use their own custom CSS instead.
GitHub sends you a bunch of code. Inside the code, there is a section of your custom text, and a section of their styles.
Your computer reads the styles section, put the custom text in, and renders it.
Someone found a way to write a custom text to jump out of that section and change the style which the client computer promptly reads and renders
great, YT apparently just auto-deleted my comment once again. quick definitions: CSS changes how elements on the page look. LaTeX is a way to write math ("x^2" becomes an image of x squared). People found an exploit through a specific LaTeX command that utilizes CSS, and exploited it to use user-created CSS instead.
Simply put, the difference between inspect element (or any other client side CSS changes) and this, is that the server sends the page to the client (browser) to render, so anyone visiting an affected page will see it, unlike client side CSS changes which only you would see.
This is how websites used to be! It was awesome.
this is known as a polyglot attack
the good days days..
4:14 Well that's an embarrassing one. I know hindsight is 20/20 but that seems like the most obvious thing to think of on a list of things to forbid from a text box
omg maybe now someone will actually try to fix math rendering in markdown! It's super broken in so many contexts. pdoc, the python documentation tool, has so many weird edge cases with math in markdown in python doc comments it's not funny.
This is a really cool exploit but what's funnier to me is that seemingly every professional hacker out there is a massive weeb which honestly, congratulations
Why did they fix it?
You can tell Theo grew up on Instagram by the amount of times he says "links in bio" instead of "links in description"
This is so it can be chopped up into shorts which are cross-posted to insta and tiktok.
@borstenpinsel how many links are in his bio?
still don't understand why people put video specific links in bio
Big fan
Imagine if HTML-compatible way of embedding math existed... Definitely not a thing... They had to use latex
The intersection between programmers and weeb culture is wild
Everyone should design websites like geocities pages again
LaTeX ❤
Posting about it on twitter is "A+" responsible disclosure in Theo's book? What isn't responsible disclosure then?
That breakdown is terrible too. It starts explaining the basics of basics like we are 5 instead of github users, and then when it comes to the meat, it takes escaping and context for granted.
@someman7 this isn't an educational video, they wouldn't go so far as to explain what escaping means and even if they did, it'd serve little purpose as it isn't necessary to understand what happened here (maybe not _why_ it happened but that's different).
Also, posting it on twitter gives it very fast exposure leading to relevant people taking notice of it. Sure, there are better ways to achieve that if you have the means, but generally big companies like these rarely take reports from your average joe seriously, so the only way to get them to understand the severity is to see people playing around with it. It wasn't something hazardously exploitable anyway, so it wouldn't have snowballed into something terrible
Remember when you could set your youtube background and shit? Those were the days.
That chatgpt post made me cringe though
They should turn this into an actual feature
Do a Coolify review and walkthrough tutorial
Myspace!!!
Profile pages are so boring nowadays. You're lucky if you get to use a custom banner
Escape sequence with backslash. Manipulative DOM to call JS. Label JS as inline and manipulate its origin during call retrieval.
Whoa 0,o
Ahhh apparently all the anime people freaked out once it patched as per vx
They fixed it ;-;
Well, mathjax has nothing to do with latex....
Who the fuck invented math and why do we need it?!!? SMH
RIP MySpace lol
Dang... yacine is a psycho lol
But codepilot is so good, they say, so it should be fixed in minutes, right?
i use catppuccin userstyles through stylus extension, is it also bad??
no
Does it still work?
Nope
how to get added to the group chat :)
on the profile pics, we know one thing, they are all weebs
My Lesbian Experience with Loneliness by Kabi Nagata. Anyone else catch that?
I've always hated how social media platforms removed pretty much all customization
it's not a bug it's a feature
I nearly got this on my profile, but in the few minutes between editing my page and committing it was patched, meaning I had it on the edit page but not after that...
Not gonna lie, I do hate how the Web has gotten so samey, orderly and non-personalized. Personally, I believe flat UIs look like shit, and much preferred the skeuomorphic era, especially things like the iOS 6 version of iBooks, which resembled a real bookshelf.
If this is the alternative, I much prefer the chaos of the MySpace era.
spacehey
Agreed
I've had custom userstyles for github for years... I really like my po**hub style github logo restyle
Its a feature
This begs the question. Why is it not already a feature.
I like how the smartest devs usually have anime profile pictures.
smartest or too much free time, who's to say
Unironically, it would be nice to have a presence on the web that isn't bland corporate nothingness. Let me be cringe, goddamnit!
No cringe allowed. Especially not weeb cringe.
Github should see this and say hey this is a great opportunity to add some more customization options.
I am sorry, but that Lego analogy is...poor.
Really scared me for a moment. Then figured out how to disable javascript and be able to report that person. So I got them banned from github - took a whole day for github to do that, not a good turnaround.
The world is kept running by weebs and kept safe by furries.
ngl should leave this
YouTube comments section was like this once.
when you used latex for years and still read it as if it's written lateC or lateK and not as lateX :/
yes, you really are a tool in that case.
It's a feature not a bug
tried it.
get to the main point goddammit, quickly.