Watch how this is going to become a year-long series into fuzzing webp, just like the sudo exploit.
@olivezz
11 сағат бұрын
this video's url contains no lowercase letters
@DxBlack
11 сағат бұрын
What in the fu--
@joshuatatum8519
11 сағат бұрын
Maybe they're running out of namespace lol
@lucidattf
11 сағат бұрын
@@joshuatatum8519i assure you they are not
@pwall
10 сағат бұрын
@@joshuatatum8519 Go see the tomscott video on the topic
@luna_rants
9 сағат бұрын
With some quick mafs (((64-26)/64)^11), we get a probability of around 0.323%.
@twistedsim
6 сағат бұрын
that’s just a theory, a hacking theory
@remiheneault8208
10 сағат бұрын
Your analysis is very accurate, and your assumptions logical and fair. Great video! I, however, have a hard time believing that - in such a niche space - there is no overlap between open-source contributors and for-profit "security" companies researchers. Supply chain attacks have become so common, my spider sense "tingled" when I saw that commit with unassuming title, huge list of changes and no mention of the table size change. This really looks like an attempt to cover a mistake, or a previously opened backdoor.
@anteshell
8 сағат бұрын
Making baseless assumptions is never good in security. You don't mention at all if you checked the code before the update, whether or not it contained anything exploitable or anything else pointing towards an existence of a backdoor. You simply assume as much and leave it at that. The tingling you have is just the spiky top of the Dunning-Kruger curve. Or if you actually know something more about this, you hide it very well, for which I cannot see any point of doing because it just makes you sound like a run-of-the-mill tin foil hatter.
@fizzlefritz9782
7 сағат бұрын
@@anteshell I don't understand how you can hate from outside the club; you can't even get in!
@anteshell
7 сағат бұрын
@@fizzlefritz9782 That sounds like a roundabout way to ask advice on hating. I'm sorry but can't help you. I'm old enough not go clubbing anymore and never was a hating type, so I wouldn't know how to advice you.
@kevinwydler7305
4 сағат бұрын
@@fizzlefritz9782 All he is saying is that it's not as simple... While supply chain attacks are a thing of course, the fact that the code is open source also makes it very easy for security researches to find your backdoor (if you were an "evil" adversary implementing it). So I personally don't think they are practical in the long run (just look up the liblzma attack CVE-2024-3094). If there is a way to exploit the bug... sure, by all means get out the pitchforks. But you have yet to prove that point. And also we must remember that BLASTPASS is not simply a single exploit that will simply let you install malware on iOS. It is in fact an exploit chain which requires multiple bugs within various components which could't all have possibly been introduced by a supply chain attack. I think the people behind such vulnerabilities just take the time to study these formats and/or systems in depth and know them better then most developers that just use them. They may even have contributed to such projects at some point, but to say that there are people everywhere infiltrating repos has yet to be proven by more than just some "wired commits".
@remiheneault8208
3 сағат бұрын
@@anteshell The weakest link in security is always people. Assuming everyone is honest would be more dangerous than showing skepticism. You don't need to put a full reverse SSH shell in the code to open a door. You're welcome to challenge my point but please do so with less arrogance.
@_plamp_
10 сағат бұрын
These types of videos are fun. Would also like to see more fuzzing content
@dadogwitdabignose
11 сағат бұрын
We’re so back
@spicybaguette7706
5 сағат бұрын
The commit you found could be squashed, that is, many commits merged into one. He might have possibly found this because MSVC complained about some kind of out-of-bound access or something
@impostorsyndrome1350
6 сағат бұрын
After seeing Linus' friends hacking his phone, it is scary how much stuff can be hacked.
@togamid
4 сағат бұрын
Yeah, though that attack and the exploit discussed in this video don't have much in common besides both involving a phone
@mrpopsicle3339
11 сағат бұрын
not first its cringe
@roguesecurity
9 сағат бұрын
This is why I love this channel❤
@spicybaguette7706
6 сағат бұрын
The Return of the King
@muzamilshaikh838
9 сағат бұрын
Big Brain🔥
@stonemannerie
19 минут бұрын
Why is project zero so concerned with ios and not solely android/Google projects?
@almatsumalmaadi8103
10 сағат бұрын
Will be great if this libwebp series turned like sudo vulnerability series, from fuzzing to full working exploit.
@metalpachuramon
4 сағат бұрын
Finally! My man got his password back
@alexanderdell2623
7 сағат бұрын
Wow the moment of searching for same code in other projects felt like "eureka!"
@Smokeyyy337
11 сағат бұрын
why don't they report the vulnerability to Apple? don't they have a bug bounty program
@garrygarrygarry1
11 сағат бұрын
apple's bug bounty program payouts are tiny in comparison to the actual value of these exploits.
@Tjkrusinski
10 сағат бұрын
Organizations want the vulnerabilities to do bad things. They don’t want the vulnerabilities reported.
@ahmadshami5847
9 сағат бұрын
@@Tjkrusinskispy agencies*
@sasjadevries
Сағат бұрын
If you find such a zero day, you could either report to apple, and get pennies, or sell it to some govt-funded security firm, such that they can "deal with" some of their enemies.
@bean_TM
8 сағат бұрын
Love your new glasses! What are they called?
@Zizo8182
6 сағат бұрын
amazing one as usual, thanks for sharing
@ceilingfun2182
11 сағат бұрын
Yes, I did miss you. I will check it out.
@EmperorShang
9 сағат бұрын
If it ain't broke, FIX IT!
@null-calx
3 сағат бұрын
waited so long for this one
@M0h4mud
10 сағат бұрын
Bro he’s back 🗣️🔥
@quakc
10 сағат бұрын
Just in time for xmas
@littleblack111
11 сағат бұрын
ur back!!
@itsdakideli755
11 сағат бұрын
Early 🎉
@tg7943
9 сағат бұрын
Push!
@kevinwydler7305
4 сағат бұрын
YESSS
@attention_shopping
8 сағат бұрын
oooo
@VinayKumar-sy3oj
11 сағат бұрын
😀
@celesian7372
11 сағат бұрын
first
@HolyAdilokGames
10 сағат бұрын
Liveoverflow is alive! Heart, Pin, First!;;; Watching you since 4 yrs
@almatsumalmaadi8103
11 сағат бұрын
Finally you're back
@WalterSamuels
2 сағат бұрын
Here's a discovery path: Vulnerabilities are put into software like this on purpose to be sold to the highest bidder for a few years, by the developers themselves.
@ErkiEberg
11 сағат бұрын
First!
@Brawlstriker89
6 сағат бұрын
Let’s make the video as long as possible with filler and bluff. Could’ve been answered in a minute or 2. Not 15
@LiveOverflow
5 сағат бұрын
Could be answered in 0 seconds if you knew already everything
@skibidisj
11 сағат бұрын
Bro fell off 93 views in 2 mins
@siomek101
11 сағат бұрын
93/2min = 46.5/1min 2790/1hour 66960/1day still more than you would ever get.
Пікірлер: 73