All Apple Products are Vulnerable to New Password Stealing Hack
- added 19. 05. 2024
- 👉 Free $100 Cloud Computing Credit
seytonic.cc/linode
0:00 iLeakage
3:43 North Koreans Infiltrating US Companies
5:54 Annoying New Flipper Zero Hack
7:49 Google FAILS on Malvertising
Sources:
arstechnica.com/?p=1978389
ileakage.com/
www.bleepingcomputer.com/news...
therecord.media/doj-seizure-w...
www.justice.gov/opa/pr/justic...
www.darkreading.com/careers-a...
www.ic3.gov/Media/Y2023/PSA23...
www.justice.gov/opa/pr/justic...
techcrunch.com/2023/09/05/fli...
techryptic.github.io/2023/09/...
www.bleepingcomputer.com/news...
/ cyf5y2eta_v
• Flipper Zero Apple iPh...
lockup spam demo • Flipper Zero Apple iOS...
www.mobile-hacker.com/2023/10...
arstechnica.com/?p=1977141
www.bleepingcomputer.com/news...
www.malwarebytes.com/blog/thr...
===============================================
My Website: www.seytonic.com/
Follow me on TWTR: / seytonic
Follow me on INSTA: / jhonti
=============================================== - Entertainment
In 2023, advertisements are STILL a vector for malware. An ad-blocker is essential for security.
The FBI approves this message
Google knocking your door in ..in 5 ..4...3...
GIVE US THE AD REVENUE
Reader has the one you use as some can contain malware
Google did things like this and they ask why people use ad blockers
Great... Just after I get my first iPhone in 10 years. 😂
What happens on your iPhone, stays on my iPhone
Just don’t visit malicious websites and don’t hang out with prankers.
Though I would give the same advice to android users, so nothing new just annoying.
Should have stayed with what you had
Why tf would you get an iPhone after 10 years
Your fault for going apple
It’s close to a full year since the first news broke about malware in Google ads, and it’s for Free software again! At what point do we call this lack of action to fix the problem malicious on its own? I think now is a good time.
>At what point do we call this lack of action to fix the problem malicious on its own
It has been the case for decades. There are many verified leaked documents about how the NSA stalks, harasses and threatens software engineers (including, for example, those in committees responsible for shaping networking standards) in order to force them to make their software/standards vulnerable, so that governments can hack you whenever they want.
Malware ads have been around since pretty much the invention of Internet advertising
Frauds and scams are the bread and butter of advertising. Ad pay is directly correlated to gullibility. Why do you think "adult content" pays so much...
It’s been close to 2 decades since this concept has existed, deal with it.
Man, I feel bad for you. Pretty much all replies are missing your point or dismissing it outright
To be fair, I read the paper, the practical application of such an exploit is incredibly difficult, it takes forever to steal strings, and it took a research team years to obtain something, I'd say we good, majority of threat actors nowadays are kids that make DDoS attacks or RaaS to make a quick buck
Even if it is incredibly difficult, that is barely a hindrance to state actors; They have the best talent and infinite resources.
perfect for country funded hacking teams
hahahhaha so true about the majority of the threat actors part
@@inthefade no such resource on earth is infinite, water, time, food, electricity, people.
But they do have a helluva lot in terms of CySec.
@@inthefade I mean on that level let's be honest, state level threat actors probably have a huge supply of zero days and surely they don't need a year old exploit, let's remember that countries are the main customers of the NSO group
With regards to the keepass thing, the reason why that special K would get around that domain check might be quite simple - it boils down to how you deal with string comparisons. Different languages function differently, and I'm not going to pretend that i know what Google is doing, but here's what I think is going on. In a lot of cases you don't want to consider all the weird ways in which people might mess with text, so you get the option to ignore certain things when doing a string comparison.
As a quick example, here's some Romanian letters: Aa Ăă Ââ. The first pair is just a normal A, but the other ones are slightly different. When you do a string comparison, you don't really want a strict comparison. Keyboards don't come with those letters out of the box, and most people will never even bother knowing how to type them (I copied them from Wikipedia). To deal with situations like this, you get a not so strict comparison going. In this case, my guess is that Google is using that not-so-strict comparison when checking the domain name, leading to that issue.
There's a lot of conference talks about text encoding, and they go into a bit of detail on how things work, how things are broken, and depending on what you look at how it can break things further. A lot of them are fun to watch, so if anyone's interested give it a search.
Not to mention there are many letters/symbols which even look exactly identical but are actually different. For example A and А are not the same letter: the second one is from the Cyrillic alphabet and looks different in binary.
So it’s like the tilde in Spanish. It’s supposed to be there but people don’t type it a lot of the time. You don’t want to tell Simón that Simon is not his name.
Simon will be the name in his ID in fact, but his school diploma will say Simón.
Like matching Pokémon and Pokemon for easier searchability?
Is this the unicode thing again? That the visible glyph isn't the same as the encoding
A nice word you might be looking for is "homoglyph"
Apple have been battered with CVEs in the last 1-2 months. Times have changed
iOS is probably the most common operating system if you look at single code stack.
Android while having more phones has more code stacks and hardware stacks, so exploits can be limited in scope.
That's nothing new, they have been for years now. Look at the iOS security patch notes.
@@redbakery8943 Whilst that is true, if you look specifically at macOS, there has been a large amount of patch releases for macOS Monterey and Ventura, plus the additional Safari patches.
@@jimmypatton4982 yeah android phones are much safer
1-2 years
Awesome video, I like that you’ve gone back to the multiple topic videos. It’s great to be able to watch one video and get an overview of important cybersecurity issues. As always, keep up the great work.
Thanks :)
finally... i really need these videos to be more frequent, even if you're covering dumb things
Let's wait until ChatGPT reads the paper... lol
It refuses harmful tasks
The media is already blowing this out of proportion. I am already imagining all of the tiktoks people will make.
Amazing video as always, Mr. Hedgehog
I spent all morning learning about WGPU and WASM and then immediately learn WASM is being used for hacking, because of course it is.
Tbf AFAIK all code gets used for hacking at some point
9:34 I find hilarious combined with YouTube's war on Ad Blockers
Good news: Lockdown Mode can mitigate this kind of Safari attack. 🎉
Dude I love your video. It's amazing
To be fair, a router with "Free Apple WiFi" would allegedly net a shitload of apple ID creds :/
I wonder if anyone with an amplified Bluetooth signal would sit near Apple HQ till they fix the bug?
it's not really fixable
@@U20E0
What’s the reason for that?
@@MelaninMagdalene This exploit via WebKit may possibly be fixed, but the underlying bug is in the hardware.
@@SpookySkeleton738 the original comment was not about the speculative execution part of the video
@@stayblueee 💀
Google owns YouTube? YouTube doesn't want me to use an ad blocker lol.
3:19 I can hear people in the reversing community say, “challenge accepted”
Another good reason to never allow auto password fill by password managers. On my iOS device, I specifically have to press a login for it to be autofilled.
Does that solve the problem?
Cyrillic lettering on the flipper case, why am I not surprised... 😂
Looks like there is a fix in place for iLeakage, at least on my macOS the feature flag for "Swap Processes on Cross-Site Window Open" was enabled for me. Now checking if iOS Safari has this
Yep enabled in iOS too, so they fixed this when?
This sounds similar to the Intel skylake flaws where threats could only be largely mitigated with a hefty performance penalty. This should be fun to watch play out.
We tried the DDoS Bluetooth attack at work, it doesn't seem to work against Samsung devices, and only the HP laptop in the office got the notifications. The Apple branded devices were hosed by this.
Duh, don't use a tab that YOU didn't open YOURSELF - either by using a saved bookmark or typing the URL. The only exception is if your browser is set up to open previously open tabs or certain tabs at startup. Popups are NEVER to be trusted unless it's spawned by the website you are using; for example, you click sign-in on your bank's page and a popup opens. That's pretty much internet safety 101. The weak link in internet security is almost ALWAYS the loose nut behind the keyboard.
The pop up is spawned by the website you're using... the attack looks exactly like OAuth, which is required to sign into tons of legitimate websites and your password is never supposed to be readable from it, which is the security vulnerability that's being talked about.
I cannot believe Apple is being defended already. It is not "internet safety 101" to not trust a website that has the green lock icon, is HTTPS, you've verified certs for, and has the correct URL. It is not uncommon for a site to open a popup to complete OAuth. This is Apple's fault, plain and simple. Under no circumstances should another tab have access to the contents of another when the site is completely different and not under their control. By design, this is supposed to be impossible with how the WWW operates, and it should be fixed by Apple, and not just be a "well now this is how it is so be more careful". If this is how it is now, then literally nothing can be trusted. So yeah. Apple needs to fix, end of story.
Source: CASP+ certified
Ever used sign in with google?
@@DanielQwerty not even remotely the same thing
@@OGNord To the average person who has no idea about internet security it would sure seem like it.
It's been a year without a patch, doesn't mean Apple isn't working on a fix. As pointed out it's a CPU issue so they're probably working on a balanced solution that doesn't completely eliminate the benefits of speculative execution but still try and mitigate the exploit. 🤔
That annoying flipper zero packet looks like it would be hilarious to use against people in public
Wow. Never thought I'd be affected by malware but yup... I fell for it. 😢
Yo I spotted the flipper zero thing in the wild😂
Speaking of "understanding research papers" - most people will simply discard it as too long to read. But don't underestimate those who are determined. Determination is a powerful drive, and while it may take a longer time (a bit risky as it may be patched during this time), somebody might as well be able to piece it all together and start exploiting it.
It looks like Apple doesn't want to fix it.
YESSS THE WEEK WEB IS BACK
This is why we can’t have nice things
I remember the spectre and meltdown Intel 'bug'. I disabled the patch and my computer felt like I upgraded.
And now a script kiddie can have full access to your computer memory
that is a bad idea. Modern CPUs are actually optimized to run those patches, and the security implications of turning them off are.... apocalyptic.
I would only recommend doing this in aging systems with no critical data as you have just left your probably critical computer open to pretty much all remote attacks
Turn that on or refrain from angering anybody on the internet.
@@mollthecoder you clearly haven't read the PoCs for them 😂
@@TheOfficialOriginalChad I have, what are you referring to in particular?
This is why I subscribe.
He had his coffee right before recording "Hello World"
love your channel.
Intel used to struggle with the same vulnerability, but they apparently fixed it and it apparently doesn't really cost measurable CPU performance. I tested it
New CPUs are built against Meltdown so it's not an issue anymore. The update Windows did in 2018 did lower vulnerable CPUs' performance by a measurable amount however. Most people might not tell, but it wasn't insignificant
@@aronm5329 I haven't seen any performance difference with my Haswell CPU with or without Spectre and Meltdown mitigation.
Finally, I can tell everyone who swears by the security of apple's products that they can suck it. At least till they find a patch.
This hack is not new. This has been around since 2017 or 2018. It was found on Intel CPUs. It is the same method though. The CPU does what it thinks you're about to do before you do it by your habits. It memorizes your habits over time and tries to save small amounts of time for you.
1:23 - I didn't know `speculative execution` was a thing and CPUs jumped into the if statement just to later evaluate its value: this is a massive security issue imho
Just another name for prefetching, it is originally employed to improve CPU performance, security wasn't really a big thing back then.
I find it baffling that Apple has its own Spectre vulnerability.
Looks like I am safe with my iPhone 8.😅
Why does this exploit with Apple kinda sound like Spectre. Both exploit the speculative execution and then read data from memory, even though the languages normally don't have features for this.
Ironic, cannot even open YouTube with ad blocker installed but ads turn on
Interesting that the FBI recommends using an ad blocker while YouTube is at an all out war with ad blockers.
the flipper zero thing sends a packet that is the same as the apple tv packet with the last few characters randomized
My work only uses Apple cause the owner and IT guy says that Apple has no vulnerabilities 😅 glad I'm the only one on PC
Someone literally used that Bluetooth attack on me today and crashed my phone too
Bye bye iCloud Keychain?
It doesn't matter if keychain or manually typing. As far as I could tell they are putting in long to execute statements to have as much data pre-guessed generated. Grabbing the data and then repeating if possible or just giving up.
I think what matters is adding code to prevent the exploit from leaking one source of data to previous site.
Shoutouts to cars where their stereo/speaker system only accepts Bluetooth pairing, no headphone cable for you, pisses me off. I can't wait for modern-day manufacturers to regret that choice due to Flipper0 nonsense & general security holes. Never liked Bluetooth, both as a consumer (pairing annoyances, battery-life to deal with, etc.) & as a security-minded fella. The only way you can disrupt wires is by wear & tear, and/or the cord being cut in two. AUX4Life, & oh yeah, same goes for modern smartphones too, courage my ass.
Bu...but Apple products can't be hacked or get viruses, the cool hip guy in the commercial said so, only those PC nerds can get those! XD
😂
9:12 Microsoft Edge also has that!
They need to reverse the decision to allow other characters than a-z
Pegasus like 🤤
kinda ironic that the example password is: thinkdifferent
Oh no
Wait so intel based macs are safe?
I'll wait to see what the Security Now guy has to say about this on Tuesday before I get too concerned. There have been a stream of "sky is falling" stories about Apple vulnerabilities lately, but when you get a report from someone who actually read and understands what the researchers found, you typically find that you have to be a target of a nation state to worry about it and/or it's easily blocked.
This would also be the first time in 6 years that a Spectre/Meltdown-type of vulnerability had an impact on anything other than a web server.
Does iLeakage only work for Apple or third party password managers? Since they didn't mention passkeys. Reply if it also works for passkeys. Because this is new to me.
iLeakage allows you to access any data that's present on the page you opened. Passkeys are not susceptible to being stolen this way because the website first needs to send you an authentication request and your browser responds to that request. The response, even if intercepted, can't be replayed in the future. However, any resulting authentication tokens (bearer tokens, cookies, etc) can be stolen which could grant the attacker access to your account.
DAMN. i gotta warn my mum
don't worry, i told her already
How on Earth can JS access something that low-level?????
It doesn't. WASM was used.
@@LetrixAR WASM is a simulated stack machine in a nutshell, so there should still be no way for it to access something so low-level.
@@atirutwattanamongkol8806 What's WASM?
It's a timing based attack
@@atirutwattanamongkol8806 If you watch the video it includes an explanation. Hope this helps :)
8:30 Ohhhh I rub the screen 😅
Speculative execution is starting to be a serious challenger to buffer over- and underflows as "the most common security vulnerability".
Isn't it similar to the Spectre attack on Intel CPUs?
Also for android fans, you can steal data much easier from android and you don’t need those exploits.. 2:05
Sure sounds like it, which is probably why there is no fix for it yet. Didn’t the spectre fix cause a performance drop in some cases?
Yes. In fact I think it would fall under Spectre (also noted by the iLeakage paper) which affected all major CPUs; Intel, AMD and ARM.
However, it also seems Safari is a big piece in this in how it apparently shares some memory between tabs when it shouldn't. Both Chrome and Safari employ tab isolation, where each tab is assigned its own process, but it seems Safari may still leak some memory, or it could be the OS as well, given that processes should never be able to share resources as they should be in their own memory space.
If it's so easy then how do you do it?
@dealloc but this seems to be tied to WebKit. How does a rendering technology affect a policy of tab isolation?
@@LetrixAR
Was it exploited on other WebKit-based browsers that didn't use tab isolation? So far I've only seen reports on Safari specifically (on macOS).
On iOS you can't use WebKit directly. You use a wrapper API like UIWebView (or rather, the newer WKWebView).
It's also not possible for browsers on iOS to spin up additional processes, so these restrictions could make it possible for browsers on iOS to be affected by this too due to these limitations.
0:13 I misheard Malaysia's😅
Thanks im gonna use this lol
How unfortunate
Uh-oh!
How Unfortunate!
I'm going to do a sneaky thing, and throw a new contender into the ring!
*A New Challenger Has Appeared!*
Didn't Intel have to deal with this stuff back in '15?
I recently purchased a MacBook then saw this video 😂
I guess I'm never getting berated again for disabling JavaScript..
A graduate of Clickbait Academy.
The broken URL garbage situation is why only ASCII text should be allowed in URLs and it should be stringently checked by *everyone*, especially the browser. It's not that hard to run through a 64k character string once to check that each character falls within a given range by simply using a table based approach. You can do direct calculation on the accepted range and use SIMD to parallelize it if you really feel it's necessary even though it'll only be checked when changing addresses. Oh well, I'm still hoping that HTML/CSS/JS get erased and replaced.
This is tricky, but it looked like the actual URL was all ASCII, but the address bar interpreted the Unicode characters and displayed those characters rather than the straight ASCII. The browsers should stop doing that with any URL and problem would be gone.
@@stevebabiak6997 Do you know what ASCII is? The character in question which was shown in the video was ķ. It's described as "Latin small letter K with cedilla" with the code U+0137, UTF-8 0xC4 0xB7. That is most decidedly outside the range of ASCII characters.
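The two threads above (the "not-so-strict comparison" guess about the special K, and the reply pointing out that U+0137 ķ is outside ASCII while Cyrillic А is a different code point that merely looks like Latin A) describe exactly the checks a defender wants on a domain before trusting it. The following is an added example, not code from the video or from any vendor mentioned in it: it shows why an accent-insensitive comparison lets `ķeepass.info` pass as `keepass.info`, why a strict comparison alone still misses a mixed-script lookalike such as Cyrillic `аpple.com`, and a small `assess()` function that flags both. The sample domains are constructed for illustration.

```python
import unicodedata


def strip_marks(s: str) -> str:
    """Decompose (NFD) and drop combining marks, so "ķ" (U+0137) becomes plain "k".
    This is the kind of accent-insensitive step a lenient comparison applies."""
    decomposed = unicodedata.normalize("NFD", s)
    return "".join(ch for ch in decomposed if unicodedata.category(ch) != "Mn")


def loose_equal(a: str, b: str) -> bool:
    """Accent- and case-insensitive comparison: the weak check the thread guesses at."""
    return strip_marks(a).casefold() == strip_marks(b).casefold()


def strict_equal(a: str, b: str) -> bool:
    """Exact code-point comparison: what a domain check should do."""
    return a == b


def scripts_in(label: str) -> set:
    """Set of Unicode scripts used by the letters of one DNS label,
    taken from the first word of each character's Unicode name
    (e.g. "LATIN SMALL LETTER K WITH CEDILLA" -> "LATIN")."""
    return {
        unicodedata.name(ch).split()[0]
        for ch in label
        if ch.isalpha()
    }


def assess(candidate: str, expected: str) -> dict:
    """Compare a candidate domain against the expected one and report:
    - "match":     identical code points
    - "lookalike": only equal after stripping accents/case, or a label
                   mixes scripts (e.g. Cyrillic letters among Latin ones)
    - "different": none of the above"""
    strict = strict_equal(candidate, expected)
    loose = loose_equal(candidate, expected)
    mixed_script = any(len(scripts_in(label)) > 1 for label in candidate.split("."))
    # Punycode form browsers use on the wire; a non-ASCII label becomes "xn--..."
    wire_form = candidate.encode("idna").decode("ascii")

    if strict:
        verdict = "match"
    elif (loose and not strict) or mixed_script:
        verdict = "lookalike"
    else:
        verdict = "different"

    return {
        "candidate": candidate,
        "ascii_only": candidate.isascii(),
        "strict": strict,
        "loose": loose,
        "mixed_script": mixed_script,
        "wire_form": wire_form,
        "verdict": verdict,
    }


if __name__ == "__main__":
    # Constructed sample domains; the real site names are only the comparison target.
    for cand in ("keepass.info", "ķeepass.info", "аpple.com", "example.org"):
        target = "apple.com" if cand.endswith("apple.com") else "keepass.info"
        print(assess(cand, target))
```

The point the example makes: `loose_equal` (the behaviour the first commenter suspects) returns True for `ķeepass.info`, while `strict_equal` correctly returns False; and for Cyrillic `аpple.com` both comparisons return False, so only the mixed-script check catches it. The wire form shows that the browser itself sends an `xn--` label, which is what a user would see if the address bar declined to render the Unicode form, as the second reply suggests.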
Imagine being dumb enough to enable autofill 🤣🤣🤣
Dude I am so paranoid that I don’t even let my browser open new tabs. I’ll just start a new session and type in the address myself.
So, a workaround is to use Firefox?
No Safari on macOS and no browser in iOS.
Ok I’m screwed then
Bowser is taking over
So the exploit relies on java?
Great… so it’s just a matter of time
"even if filled in by a password manager"
holy brainwashing
Gheez that sussy K
North Korea really pulled itself up by the bootstraps
FBI recommending adblock? take that youtube.
Send to apple now
droid gang how you feeling
Okay so I’ll just blacklist it from my router. 🎉
Hi!
Ad blockers, aka, scam blockers.
so just turn off auto fill and watch for redirects?...
Or just don't use Safari
wow
Linode got bought by Akamai?
You didn’t know, it’s been a while already
I leakage lol that's great
Spectre for Apple wtf
Cool
All devices have an exploit for passwords by design: Looking at someone typing.
I'm glad I never use Safari.
you lost me at “it uses Javascript”
😂😂😂
under that same context, all devices are always vulnerable when a dumb user click a link
Techryptic isn't the guy who found the Bluetooth DoS. He stole the work of the Flipper Zero Xtreme dev team. Please, credit the right people. If you want, I could link you a blog post from the Xtreme team proving it all
If all the NK money is sent back for missiles...shouldn't they have a way larger arms program by now..?
420 000 sub special?