Can you get Hacked by just clicking a Link?

Comments • 466

  • @epiolin
    @epiolin several months ago +915

    Short answer: No.

    • @Chrizzy_Official
      @Chrizzy_Official several months ago +53

      Short answer : Yes. It's called XSS, CSRF, Spoofing, etc etc

    • @Skailed
      @Skailed several months ago +173

      @@Chrizzy_Official fluent in a programming language ❌ fluent in yappanese ✅

    • @24h_on_yt
      @24h_on_yt several months ago +2

      beef-xss and browser spoofing and csrf lol it's kinda ez to

    • @Chrizzy_Official
      @Chrizzy_Official several months ago +7

      @@Skailed Whatever you say Mr Anime Bedwars YouTuber

    • @Chrizzy_Official
      @Chrizzy_Official several months ago +2

      @@Skailed Also what I said isn't programming, it's just vulnerability pentesting, but sure

  • @Leahi84
    @Leahi84 several months ago +542

    Having a link that was legitimate before become compromised and screw me over when clicking it is a huge nightmare scenario for me. Thankfully it's never happened and I've been online since the mid 90s.

    • @cremapastelera00
      @cremapastelera00 several months ago +49

      holy shit u joined 19 years ago... respect

    • @aronm5329
      @aronm5329 several months ago +26

      It's called a watering hole attack. Not super common though, because it would be discovered quickly on a well trafficked site, usually, so they design it in a way only to target specific IPs when they visit a particular site

    • @balsalmalberto8086
      @balsalmalberto8086 several months ago

      If you browse facebook, they promote ads that have scammers and all kinds of crap like fake sites which is very common. Before CORS/CSP was mature these link hijacking types of attacks were far more common

    • @funsbtr
      @funsbtr several months ago +4

      @@cremapastelera00 lmao

    • @eps-nx8zg
      @eps-nx8zg several months ago +2

      happened to me 16 years ago from ads on some website u could play games on

  • @LeetHaxington
    @LeetHaxington several months ago +149

    I love all the news agencies that say scanning a qr code is a clickless fully automated no action no awareness hack that also immediately does identity theft. And they say literally nothing about the geocities page that just asks them to manually type their info in for no reason and hit submit.

    • @tetee6789
      @tetee6789 19 days ago

      Yeah I think they say this to keep people on their toes, to avoid getting scammed. I see news in my country: CLICKING THIS LINK WILL STEAL YOUR DATA AND MONEY. Turns out they had to download and run an exe file, just visiting it does nothing

  • @arianwen27
    @arianwen27 several months ago +196

    5:55 that edge virtualisation thing is still there. You just need to enable it in a few places. It works like it used to, except it now uses the chromium based edge

    • @epic_journey.
      @epic_journey. several months ago +5

      how to enable it?

    • @arianwen27
      @arianwen27 several months ago

      @@epic_journey. "turn windows features on or off", microsoft defender application guard, also enable hyper v and the vm stuff. Open windows security, app and browser control, isolated browsing, install. When it's installed, change application guard settings, enable advanced graphics. Open edge, press the 3 dots, you'll now see "new tab", "new window", "new InPrivate window" and finally, "new application guard window", hit the last one, wait for it to load, done

    • @balsalmalberto8086
      @balsalmalberto8086 several months ago +15

      Why is it disabled in the first place... Alas they force useless AI crap that won't definitely not be abused, and file encryption which also won't definitely not be abused but the most common "trickery" is effective with ignorance so why not make file extensions still hidden by default. That "docuemnt.xlxs.exe" document certainly has what I'm looking for.

    • @arianwen27
      @arianwen27 several months ago

      @@balsalmalberto8086 The average user won't have a clue what a vm is, never mind know when to use one and what they can do. The actual purpose of the virtualised browser is for enterprise. You install a chrome extension that checks what websites you visit, if you visit an unknown website, the website is blocked and instead loaded in the vm browser. All the vm stuff in windows is disabled by default. Partially due to the fact it's a power user thing, partially due to it needing virtualisation to be enabled in the motherboard and partially because virtualisation can be unstable on some systems. Eg, if I enable edge virtualisation on my laptop, I bluescreen boot loop till I disable it in safe mode. Your parents and granny will just use the edge like normal, it's only a very small section of the userbase that would actually know what it does and use it

    • @arianwen27
      @arianwen27 several months ago

      @@epic_journey. I wrote a reply but it seems to have gone into the ether. So here's the short version. Enable the vm stuff in "turn windows features on or off", "microsoft defender application guard" is the option that actually enables the browser vm. Then open windows security, go to app and browser control, on "isolated browsing" hit enable. Fiddle with the settings, then you'll see a fourth option when you hit the 3 dots in edge

  • @monkaSisLife
    @monkaSisLife several months ago +21

    It's crazy to me people still act in 2024 as if clicking a link will install a virus on your computer without you doing anything.
    As long as you don't actually open the file you accidentally download because of the malicious link, you should be fine.
    It's always so funny to me seeing the shocked face of my coworkers when I tell them I don't use an anti-virus, because my anti-virus is common sense and actually knowing what I'm doing.
    To this day, I have never had a virus on my computer.

    • @TheMinkaGod
      @TheMinkaGod 19 days ago +1

      Anti virus is like a lawyer, even if you know you are innocent and have proof it's still better to get one since it doesn't cost anything

    • @monkaSisLife
      @monkaSisLife 18 days ago +3

      @TheMinkaGod nope. Waste of money. (For me)
      Don't download sketchy stuff and ESPECIALLY don't run it.
      I've been using windows my whole life, I know exactly what I'm doing

    • @MetroAndroid
      @MetroAndroid 18 days ago +6

      I accidentally clicked a link from someone messaging me on Steam once, and they got access to my account just from me opening a seemingly blank web page for a second, then immediately closing the page and browser, and restarting my computer. Never entered anything, downloaded anything, or told anyone account details.

    • @matthewlee8618
      @matthewlee8618 11 days ago

      @@TheMinkaGod windows defender is free and is the only thing worth using yeah may as well have it

    • @fldom4610
      @fldom4610 6 days ago +2

      @@MetroAndroid maybe a vulnerability in steam?

  • @BattyBest
    @BattyBest several months ago +30

    If you really are worried about this, a DNS blocker like pihole can also block malicious dns', meaning your request never gets to their servers in the first place since pihole shoots it down.

  • @zincunio
    @zincunio several months ago +64

    I remember xss exploits back in the day getting abused on vbulletin boards, allowing exactly for what you've described in the video - to take over the logged in session on the board. Those were fun days...

    • @4pThorpy
      @4pThorpy several months ago +1

      B33f

    • @seansingh4421
      @seansingh4421 several months ago +1

      @@4pThorpy Pork. 😂😂 but I know what you meant dawg

  • @real_frozled
    @real_frozled several months ago +360

    babe wake up Eric Parker just uploaded

    • @OmniscientReadr
      @OmniscientReadr several months ago +4

      I’ve literally kept up with his videos for some time now. He never misses! 🎯

    • @ӶҬҴ
      @ӶҬҴ several months ago +1

      Same

    • @BurnTheDemon1
      @BurnTheDemon1 several months ago

      real

  • @Capiosus
    @Capiosus several months ago +32

    the reason that the mullvad fingerprint is unique is because the canvas render is fucked up on purpose

    • @Daniel15au
      @Daniel15au several months ago +3

      I thought the point of the Mullvad browser was supposed to protect against fingerprinting though? The fingerprint being unique means it's failing at that purpose.

    • @Capiosus
      @Capiosus several months ago +14

      @Daniel15au This is wrong, it’s random, so you will never have the same fingerprint twice.

    • @Daniel15au
      @Daniel15au several months ago +3

      @@Capiosus oh! Well that's interesting! Thanks for the info/correction.

  • @AkneeGrow
    @AkneeGrow several months ago +23

    Answer : 8:28

  • @mamertens99
    @mamertens99 several months ago +1

    Another thing that I might have overheard at ~ 10:00 : If you don't want to, or maybe even can't install NoScript, you can also deactivate JS by default in any common browser. Then, you have to also allow list the site, when you are opening it to run it. An Icon might be viewable in the browser address bar or go via the Site Settings on the left of the address bar

  • @unknown-di4fv
    @unknown-di4fv several months ago +1

    As a web application developer, the answer is yes, you can get hacked by a link, but not in the way you might think. Hackers can access your cookies if they are not secured, but only for the page they hijack. For example, if you visit an unsecured website and create an account or enter any credit card details, they can be stolen. In the middle of the communication between the website and its server, the data can be intercepted and transferred to the hacker's server. A hacker can inject code into the website through a malicious link. However, most modern websites use SSL (HTTPS) encryption and huge operations often have firewalls and many other security measures in place.

    • @unknown-di4fv
      @unknown-di4fv several months ago

      The vulnerability is called Cross-Site Scripting (XSS), if you want to read about it to secure your website.

  • @KSPAtlas
    @KSPAtlas several months ago +47

    About your linux security remark, it seems that the Linux kernel is adding more built in security features like mprotect, but they seem to be opt in

    • @EricParker
      @EricParker several months ago +37

      In theory yes, in practice it's extremely underdeveloped. You can get decent security with profiles on apparmor, but very few distros want to package all of it.
      This may start to change if the market share grows high enough.

    • @samuel87723
      @samuel87723 several months ago +9

      @@EricParker Do flatpaks and appimages protect like you said Windows and MacOS does?

    • @wixlogo
      @wixlogo several months ago

      @@EricParker That's why it's recommended to use Flatpak versions if available, as the packages are themselves sandboxed from the OS. Browsers such as Brave, Firefox, Librewolf, Ungoogled Chromium, and even ones like Zen and Floorp, are now available as native Flatpak packages officially, I believe Browser companies should be focusing more on working towards their Flatpaks. Btw what package do you use on your main system Eric? I know you are on Linux..

    • @firestormjupiter
      @firestormjupiter several months ago

      @samuel87723 I’m not familiar with macOS but flatpaks seem similar as they sandbox apps and offer granular control over permissions.

    • @JmbFountain
      @JmbFountain several months ago

      @@samuel87723 flatpaks, if configured correctly, put you on a similar level to MacOS.

  • @lightingthelatenight9942
    @lightingthelatenight9942 29 days ago +4

    But why is everyone in the comments acting like zero-click exploits do not exist? Exceedingly uncommon in the wild but absolutely possible

  • @YuNgLeX-o4y
    @YuNgLeX-o4y several months ago +19

    Hey eric, Can you make A vid abt TLauncher (the cracked launcher)? its kinda weird of ppl saying its a malware

    • @Pandacier
      @Pandacier several months ago +6

      O yeah that would be great
      Btw in case Eric is seeing this : I would strongly advise you to watch TheMisterEpic’s 2 videos on the subject, he tells a lot about TLauncher

    • @mysticstylezz9557
      @mysticstylezz9557 several months ago +4

      TLauncher is potentially unsafe because it was stolen from original creators.
      OG creators made TLegacy or something. I’m not sure if it’s safe, so check that info anyway

    • @amogusguy2004
      @amogusguy2004 several months ago

      @@mysticstylezz9557 It used to be called TLauncher Legacy, now it's called Legacy Launcher

  • @krcsirke
    @krcsirke several months ago +2

    2:34 PCs are more easily fingerprinted; regarding mobile devices, there is less unique information, so it is a little harder to do so. For example, the latest and previous iPhone can generate a high amount of hits, and there is a really high chance you will have more than 1 device under the same fingerprint.

    • @Kilogya
      @Kilogya 23 days ago

      Smartphones and tablets are more traceable, therefore more unique in terms of personally identifiable information especially if you don't degoogle or eat the apple. In terms of secure environments, for malware, phones have a large attack surface, but because they sandbox applications they're more secure in that manner and maybe less exploitable. When it comes to fingerprints, phones are way more giving of information unless you are able to root the device and control it.

  • @cooolgamer-vanced
    @cooolgamer-vanced several months ago +25

    Thank you for doing that because I was really wondering about that!

    • @danielhn93
      @danielhn93 several months ago +1

      Same here, also with clicking anywhere on a website and a strange pop-up comes up, loads for a few seconds, then self-exits.

  • @kyand920
    @kyand920 several months ago +18

    There is a way to have a binary be downloaded and run on your system by just opening a link. It's an actual feature on Microsoft Edge and Internet Explorer.

  • @RAMB3E
    @RAMB3E several months ago +15

    Haven't watched yet but a good idea is to enable 'ask browser where to save file' setting in whatever browser you're using because some links can make you auto download a file, however if you have that enabled it will ask where you want to save it every time, instead of just auto downloading to the default place

    • @alfamari7675
      @alfamari7675 several months ago +4

      I'm curious how much damage a virus can do if it gets downloaded but you don't manually execute it?
      My browser changed this setting and I changed it back cause I like the option to choose the location or cancel, didn't even connect how it can also improve security as opposed to not notifying you of downloads, yikes and thanks! I'll be sure to be mindful of this setting on my family's computers.

    • @bankaihampter2802
      @bankaihampter2802 several months ago

      @@alfamari7675 None

    • @EAEAAAEAEE
      @EAEAAAEAEE several months ago

      @@alfamari7675 I think generally speaking most viruses won't cause you any problems unless you execute them but there’s more advanced ones that do. This is just from memory though

    • @paladin9876
      @paladin9876 several months ago

      @@alfamari7675 nothing - if the application isn’t run it never does anything. You can park a car in your garage but it won’t just turn on by itself, you gotta do it.

    • @erikkonstas
      @erikkonstas several months ago

      @@alfamari7675 Zero. What CAN do damage is if your browser has a zero-day and it's exploited, but then they would have to be really stupid to leave traces (the downloaded file) behind them...

  • @aTaryum
    @aTaryum several months ago +5

    Dumb question about linux, is that why it's always recommended you never give root access to users? Also wouldn't that basically stop any attack (unless you're extremely unlucky and just used a sudo command before getting attacked)?

    • @traveller23e
      @traveller23e several months ago +3

      Not really, the main reason not to give root access to users is so that commands run as the user cannot damage the system (either due to user error or malware/bugs). However if the js in the browser gets access to do anything your user can do they could for example upload all your private documents somewhere as most people are not going to have those in a root-access folder. Likewise it would be possible to delete those documents.
      In short, root is about protecting the system but will not do anything to stop programs from accessing your private data. If you need data protection, your options are to use a separate user for accessing that data (note: anyone with root access can still get to it), encrypt the data and only decrypt when needed (note: storing the encryption password in a plaintext file is like storing your house key under the doormat so be careful where you keep it), or avoid storing the data on the system at all for example by putting it on a (potentially encrypted) flash drive or something. If at a certain point in time you can read some data, that means that any program run by you can in theory read it too.

    • @erikkonstas
      @erikkonstas several months ago

      Actually, on Linux you technically don't have any user other than root with root access, contrary to the Administrator accounts on Windows; instead, you have a group (let's say "sudoers") and a program (let's say "sudo") that runs as root no matter who starts it via the "setuid bit" in its executable's permissions, and checks sudoers to see if you are in that group before exec-ing the other program you told it to as root, hence implementing something like admin accounts. The key part of sudo's operation is the setuid bit, and the fact that it's owned by root (setuid means always run as the owner); other things that also have setuid on include networking facilities, in fact, hence it's a matter of whether those have a security vulnerability that can be triggered by the browser, given that the browser itself allows it to go through. However, in practice this isn't as feasible as it sounds.

  • @KSPAtlas
    @KSPAtlas several months ago +27

    Haven't watched yet, spectre was exploitable from js right

    • @EricParker
      @EricParker several months ago +19

      It is in theory. JIT escapes have also happened.

  • @Kurtea00
    @Kurtea00 several months ago +4

    What if my browser on Linux is installed as a flatpak?

  • @lyxcheats
    @lyxcheats several months ago +9

    hey Eric, i remember there was a website that once you went on it it would log you out everything you were logged in ur browser but if you run it in a private window nothing happens, remember which website it was?

    • @imaginepercentage-th4ki
      @imaginepercentage-th4ki several months ago +1

      Don't know the site, but I'm curious now

    • @lyxcheats
      @lyxcheats several months ago

      @@imaginepercentage-th4ki unfortunately i forgot about the url of it :/

  • @basic1279
    @basic1279 several months ago +25

    Happened to me once on 4chan 10 years ago. Someone posted a link to a fake reddit page.

    • @basic1279
      @basic1279 several months ago +8

      It was a JavaScript exploit

    • @EmotiCommenter
      @EmotiCommenter several months ago

      @@basic1279 that's crazy

  • @sparda_
    @sparda_ several months ago +3

    holy shit, your vpn was set like 25 minutes away from where i live, that scared me for a second for some reason

  • @RichTeaChannel
    @RichTeaChannel several months ago +7

    Request for a video on Portmaster (recommended settings, use cases, demystifying features, etc). Cheers!

  • @martianingreen
    @martianingreen several months ago +7

    6:30 I don't really think this would be an issue when using a flatpak? Since those are sandboxed. And if you don't give them more permissions/file access than you need they can't really do that much.

    • @the-answer-is-42
      @the-answer-is-42 several months ago

      Depends on their default permissions would be my guess. If they allow read and maybe write access to the home directory, that might be all that's needed to get hacked.

    • @Daniel-hz6pt
      @Daniel-hz6pt several months ago

      Flatpaks don’t really help when the Linux kernel has as many holes as Swiss cheese (when you’re talking about the kind of 0day attacks mentioned in this video) if someone can afford/build a chrome chain, they’ll have a Linux kernel PE too

    • @erikkonstas
      @erikkonstas several months ago

      @@Daniel-hz6pt LOL imagine talking about Linux holes, when Windows literally lets anything run beside the kernel (hence Crowdstrike, hence anti-cheat scandals, hence buggy drivers bringing the whole system down, etc.) 😂 Linux being monolithic is actually a plus.

    • @Daniel-hz6pt
      @Daniel-hz6pt several months ago

      @@erikkonstas That's not how it works, drivers have to be validly signed and you can tweak your code integrity options to enforce only specific signers or WHQL certified drivers which go through automated fuzz testing

  • @retuc1o
    @retuc1o several months ago +1

    There was a vulnerability in Safari's WebKit back in iOS 10 which allowed for arbitrary kernel-level code execution, which allowed for jailbreaks like TNS (Totally not Spyware), which you could use with a simple flick of a slider in its webpage.

  • @Tsafy
    @Tsafy several months ago +1

    I've been wondering about this topic for a while now, thank you.

  • @normalchannel2185
    @normalchannel2185 several months ago +3

    I've noticed that many times a button to download stuff can be disguised as a link. Thankfully till date it just downloads stuff and that pops up, so i can instantly cancel and bin it.
    Also technically Pegasus and other super advanced no click methods exist, but idk if those are for mobiles or laptops

    • @Bhoppings
      @Bhoppings several months ago +7

      downloaded files won't do anything unless executed. this isn't 1999

    • @normalchannel2185
      @normalchannel2185 several months ago +1

      @@Bhoppings Yes, I understood that. That's why I'm so confused why everyone is still harping on about don't download anything from sketchy websites.

    • @Bhoppings
      @Bhoppings several months ago +2

      @@normalchannel2185 cause people are old af and still think shi like that can happen in the big 24

    • @erikkonstas
      @erikkonstas several months ago

      @@Bhoppings Being old IS actually a correct reason, but it's not just them thinking stuff can happen, it's because many of them have cognitive decline and stuff, and it's much easier to tell them "don't download without me" rather than "see this thing you just downloaded, please remember to run a scan on it before double-clicking it" ("remember" being the key word here)...

  • @DarkBlue81
    @DarkBlue81 several months ago +3

    Thanks Eric for the explanation, that was very interesting

  • @matafuadgh
    @matafuadgh several months ago +2

    new upload = happy

  • @subk1981
    @subk1981 several months ago +3

    PS Vita jailbreak is the best demonstration of this. Going to a link not only does code execution but also at kernel level.

  • @the-answer-is-42
    @the-answer-is-42 several months ago +1

    For us Linux users, how would the snap and flatpak versions of browsers (Firefox, Chrome, etc) fare in case of a 0-day vulnerability that could allow browser sandbox escape?
    Also, I'm transitioning into using VMs for when I'm going to an untrusted site, is there anything you need to know when setting them up? Like what network configurations are safer and so on.

  • @SM-1010
    @SM-1010 several months ago +14

    There’s always browser sandboxing but that isn’t foolproof

    • @SpaceCadet4Jesus
      @SpaceCadet4Jesus several months ago +8

      If you use a browser sandbox, it blocks the fool on the other end but not the fool who uses it.

    • @SM-1010
      @SM-1010 several months ago +2

      @@SpaceCadet4Jesus Most browsers such as chrome have them enabled by default

    • @Sammysapphira
      @Sammysapphira several months ago +1

      The browser is a sandbox

  • @thatoneglitchpokemon
    @thatoneglitchpokemon several months ago +2

    mic check needed at 7:06

  • @toquita3d
    @toquita3d several months ago +3

    I'd like to see you test the code execution on Linux theory, both with distros that use AppArmor/SELinux (which are most of them), and the very few distros that don't, like Arch.

  • @HoonzoDarkspawn
    @HoonzoDarkspawn several months ago +6

    NoScript sounds like a very good solution, but the use of it seems quite complicated. I know you don't really do the "tutorial" kind of stuff, but I think it would be interesting to do a NoScript vid since you're the tech man!

    • @Daniel-hz6pt
      @Daniel-hz6pt several months ago +1

      Noscript relies on origin whitelisting which is quite a weak way of doing it, you just find an XSS on a whitelisted origin and you can deploy your payload

  • @BHSilver
    @BHSilver several months ago +4

    What I'm about to say will be completely off-topic, but kinda not at the same time...I hope replying to scam emails is safe. I always reply to them with some not so nice things.. I typically will forward the email to the real company as well, in hopes they'll be able to do something about it.

    • @meki___6881
      @meki___6881 several months ago +10

      It should be safe in itself but shows them the email is real and in use so it could make it a bigger target

    • @erikkonstas
      @erikkonstas several months ago +1

      It is safe yes, but it will also signal to them that behind your email address is a human, i.e. the frequency of scams in there can increase.

    • @BHSilver
      @BHSilver several months ago

      @@erikkonstas it's honestly cute how hard they try to scam me. It'll never happen :)

    • @BHSilver
      @BHSilver several months ago

      @@erikkonstas I just love wasting scammers' time. Wish there was a funnier way for me to do it.

  • @diymaster101
    @diymaster101 several months ago +2

    Very interesting I always wondered about this thanks for this video!❤

  • @_Lumiere_
    @_Lumiere_ several months ago +1

    About configuring selinux on linux, some distros ship with that already set up, like Fedora. How does ex Fedora's default selinux profile compare to the security of Mac and Windows?

    • @YumekuiNeru
      @YumekuiNeru several months ago +2

      from what I recall fedora mainly uses the targeted policy rather than the strict one where targeted only applies to certain high-profile processes related to for example web servers (apache) while the strict policy applies to every process (and thus is way more tedious to use on a desktop machine since there are more labels to deal with the permissions of)
      idk if firefox is/was included in the fedora targeted policy though and it has been a while since I tried using a strict policy on a day to day system so my memory is flaky
      do not know enough to compare a policy that applies to firefox to how windows/mac handles it

    • @_Lumiere_
      @_Lumiere_ several months ago +1

      @@YumekuiNeru Apparently, the "strict" policy was merged into the "targeted" policy in Fedora 9. I'm still not very knowledgeable about it all, though lol

  • @SapkaliAkif
    @SapkaliAkif several months ago +2

    I was wondering this due to the new age ads that can open new tabs, or open the page you want in a new tab while opening an ad in the previous tab.
    Thanks for the video :)

    • @erikkonstas
      @erikkonstas several months ago

      "new age"...? 😂 I remember these from years and years ago, mainly where we watch movies that's completely legal...

  • @ttrqs
    @ttrqs several months ago +3

    downloaded mullvad and had 0.00% on canvas as well (not on a vm), why?

    • @Bhoppings
      @Bhoppings several months ago

      Ok

  • @balsalmalberto8086
    @balsalmalberto8086 several months ago +1

    Would flatpaks and appimages protect linux like you said Windows and MacOS does?

    • @the-answer-is-42
      @the-answer-is-42 several months ago

      Not sure about flatpaks, but appimages by themselves wouldn't since they aren't sandboxed.

  • @briocheman21
    @briocheman21 several months ago +4

    How do you sound british and canadian at the same time

  • @dudepandayt
    @dudepandayt several months ago +7

    You should take a look at when people would send these fake Roblox links that would steal the cookies of the person who clicked them. I think it would be interesting dissecting those links.

  • @Uglier.
    @Uglier. several months ago +1

    makes sense now why I’m subbed to random accounts I’ve never heard of

    • @erikkonstas
      @erikkonstas several months ago +1

      Uh... it's most likely not your browser being taken over 😂 YouTube channels renaming suddenly isn't exactly rare.

  • @academicalisthenics
    @academicalisthenics several months ago

    Is Linux less secure if the browser is installed using snap, flatpak or appimage instead of baremetal? They're containerized after all...

  • @s-qc9ns
    @s-qc9ns several months ago

    Does brave browser stop fingerprinting as effectively as Mullvad?

  • @karolbomba6704
    @karolbomba6704 several months ago

    what about drive-by downloads? there was one that had to do with a malware called 'azure stealer'. IIRC generally those work by injecting shellcode into memory

    • @erikkonstas
      @erikkonstas several months ago

      That's what "zero-day in the browser" means, any kind of "shellcode" working means the browser has a gaping security hole waiting to be exploited.

  • @uuu12343
    @uuu12343 several months ago +4

    The most typical hack most would get from visiting sketchy websites would be cookie sniffing/stuffing where they would take your browser sessions and cookies from accessing the site
    It's similar to how LMG got their credentials stolen

  • @noid3571
    @noid3571 several months ago +2

    Had a guy claim he could take over someone's pc just by having them open a link so like any normal person I clicked his link and tried to investigate this potential 0-day he had on his hands
    I was severely disappointed to learn that he was just a brain damaged script kiddie trying to act smart because he thought I was IT illiterate 😭

    • @kyand920
      @kyand920 several months ago +1

      It is actually possible without using any exploit. There is a feature within microsoft edge and internet explorer that WILL download anything AND run it on your system, without user interaction.

    • @fldom4610
      @fldom4610 6 days ago

      @@kyand920 Even if it downloads it, it will never run it. Also who tf uses internet explorer?

  • @Hari-tv
    @Hari-tv several months ago

    I want to ask:
    When I'm browsing, some sites force me directly to other links with some fishy trick, like making a button invisible or covering the whole web page with an invisible barrier. Just clicking whatever on screen forces you to browse another site.
    How can I stop this direct method? I currently use brave browser with the anti force direct feature. But still many sites find holes to jump my shield block.
    I found they use javascript to smoothly force me to other links. So turning off javascript is a wise choice, but many sites are broken without java now

  • @nezu_cc
    @nezu_cc several months ago

    Chrome on Linux is also using sandboxing. Not sure how effective it is, but Linux had the ability to restrict syscalls and drop privileges way before Windows did. Don't quote me on this, but I'm pretty sure unless you're doing something stupid like disabling the sandbox or running it as root (that effectively disables the sandbox) then it should be comparable to what's being done on Windows.

  • @adiadic4722
    @adiadic4722 several months ago

    why are LTS (long term support) versions of web browsers not used more often? Firefox and Chrome have LTS versions. The only difference is Chrome has backdoors while Firefox doesn't.

    • @erikkonstas
      @erikkonstas several months ago

      To claim that anything is "bug-less" so confidently is quite the bold move, just saying...

    • @adiadic4722
      @adiadic4722 several months ago

      @erikkonstas i know that nothing is bugfree, but that's not a reason to use software that was made just now and tested for only a few minutes. LTS means it doesn't get new features anymore but only receives bugfixes. Before something gets proclaimed LTS it first has to get tested for months and months, and even after that it still receives bugfixes.

    • @erikkonstas
      @erikkonstas several months ago

      @@adiadic4722 I never said that, although the versions we usually use are the stable versions, not the nightly ones anyway. The part I was referring to was "The only difference is Chrome has backdoors while Firefox doesn't."

  • @bonsoir65
    @bonsoir65 several months ago

    Incognito mode won't disable XSS exploits, it's wrong; it just prevents tracking, but JavaScript code can still be injected into the browser from the server. So the browser doesn't have any privileges but can still trick the user in a few ways.

  • @spriteman1925
    @spriteman1925 several months ago +2

    yes but it's very rare, you would need a vulnerability

  • @alfamari7675
    @alfamari7675 several months ago

    I saw a video where McAfee said just by clicking on a link, it could execute javascript (and frequently apparently, like any adult nsfw site) to root your mobile phone to install a keylogger. I am very skeptical.
    I'm also curious about what if you download a virus but don't execute it? Do they need to be downloaded AND executed to do damage?

    • @kyand920
      @kyand920 several months ago

      Not too sure about mobile & javascript, that sounds like some exploit that breaks out of the mobile browser's sandbox (which is possible, but unlikely). Although, on microsoft edge it is totally possible to simply open a link and have a binary be downloaded AND executed on your system without any further interaction.

    • @alfamari7675
      @alfamari7675 several months ago

      @@kyand920 Thanks for answering. :)

    • @jde12
      @jde12 several months ago +2

      @@kyand920 "Although, on microsoft edge it is totally possible to simply open a link and have a binary be downloaded AND executed on your system without any further interaction."
      Source?

    • @kyand920
      @kyand920 several months ago

      @@jde12 Google ClickOnce msdn and you'll see the official documentation

    • @erikkonstas
      @erikkonstas several months ago

      "McAfee" 😂😂😂 you should've stopped reading right then and there, any claim of theirs is to be treated as noise...

  • @rice_gd
    @rice_gd several months ago

    You use virtual machines? if yes, what software do you use to run the vm's?

  • @StefanReich
    @StefanReich several months ago +11

    It's great to watch a whole video on a question just to not get that question answered

    • @14ajencks
      @14ajencks several months ago +13

      He answered the question in under a minute, the answer is no, but they can still harvest a lot of information about you because you visited their website.

    • @StefanReich
      @StefanReich several months ago +1

      @@14ajencks Well, shouldn't the answer be, sometimes yes? There are zero-day exploits at times

    • @14ajencks
      @14ajencks several months ago +2

      @StefanReich excellent question, but no, as the video says, browsers haven't supported arbitrary code execution from a web page in decades. There are things you just can't do from a web page because of language restrictions and API support.
      Also most of the time scam websites you go to are for social engineering and not actually malicious. Thinking scammers might actually hack you is giving them too much credit, they're just about all script kiddies.

    • @erikkonstas
      @erikkonstas several months ago +2

      Said question has many interpretations to be fair, if you mean "should I be deathly afraid of clicking a link?" the answer is no, but if you mean "is it teeeeeeechnically, through some possibly as of yet undiscovered zero-day, possible?" then the answer is yes.

    • @14ajencks
      @14ajencks several months ago +1

      @erikkonstas well said

  • @Templarfreak
    @Templarfreak several months ago

    based off this video, it kind of depends on what you mean. the link in and of itself hacking you? no. where the link points to? what code the website the link goes to has? 100% yes, that link will load whatever that website has basically instantly. just don't click (ph)fishy links!

  • @MoreInsane96
    @MoreInsane96 several months ago +1

    Proof that Windows 11 is just 10 with new Graphics ... it doesn't even have its agent

  • @ContraVsGigi
    @ContraVsGigi several months ago

    Well, on Ubuntu Linux, by default, Firefox and Chromium are snap packages, which means they are sandboxed. Which means zero access to important resources.

  • @sergeivanov-x7q
    @sergeivanov-x7q several months ago +6

    just got my dinner and u posted

    • @LyritZian
      @LyritZian several months ago +1

      You got an entire diner? lol

    • @Bhoppings
      @Bhoppings several months ago

      @@LyritZian ?

    • @LyritZian
      @LyritZian several months ago

      @@Bhoppings he edited the comment

  • @BradleySmith1985
    @BradleySmith1985 several months ago +12

    that strange size window can still be tracked!

    • @schwingedeshaehers
      @schwingedeshaehers several months ago

      how? many mullvad browser users have it

    • @BradleySmith1985
      @BradleySmith1985 several months ago

      @@schwingedeshaehers When you visit a website, it captures a snapshot of your browser size, operating system, keyboard format, and the browser being used to render the page. If your browser window remains the same size each time you visit, the site can use this information to fingerprint your traffic. Once you log in to that website, say Facebook, the site can identify you based on your login information.
      A VPN can help maintain anonymity only if you never log in and use a new VPN connection for each website you visit. Simply changing your screen size won’t improve privacy; it may only indicate an unusual screen size, which isn’t standard. A more effective solution would be to spoof the system details and screen size completely. However, the moment you log in to any website, tracking becomes possible.

    • @BradleySmith1985
      @BradleySmith1985 several months ago

      Furthermore, like me, I block VPN services because 90% of the time that somebody is coming onto my website using a VPN is trying to do something nefarious. So it's not beneficial for me to allow VPN services accessing my servers.

    • @erikkonstas
      @erikkonstas several months ago +1

      @@BradleySmith1985 TBF I can actually stand behind that, if you have empirically determined that, in your specific case, VPN IPs mostly cause trouble.

    • @BradleySmith1985
      @BradleySmith1985 several months ago

      @@erikkonstas I block VPN IPs on my hosting servers because 99% of them are bots attacking my websites. VPNs were originally designed for businesses to securely connect remote computers to their internal networks, simulating local network access over different ISPs. Today, VPNs often mislead users by claiming complete protection, which only works if used correctly. Most users fail to do so. To maintain privacy, each VPN location requires a unique identity. Logging into the same accounts across multiple VPN locations or devices allows tracking. While VPNs prevent man-in-the-middle attacks, they don't hide activity from services like Facebook, which can still track users. VPNs may even invite targeted attacks like social engineering. True anonymity requires using one device, connection, VPN, and account, with no overlap or shared activity across platforms.

  • @seedney
    @seedney several months ago

    Ok, why doesn't Linux do something like openbsd does with only the 'Downloads' folder allowed to view from the browser? Is there any step-by-step guide to do a profile like that?

    • @erikkonstas
      @erikkonstas several months ago

      What do you mean by "to view from the browser"? Because "file://" can also be described as that, but this doesn't mean some random website can see your entire filesystem.

    • @seedney
      @seedney several months ago

      @@erikkonstas that means that some scripting can?

    • @erikkonstas
      @erikkonstas several months ago

      @@seedney ?

    • @seedney
      @seedney several months ago

      @@erikkonstas Imagine me as some script kiddie, and I'm going to copy and paste some viral scripts from my bad actor friend to my web browser... Some script can do a listing of my files, copy ssh keys, my photos, when I can view them - they can too... And they can do more than I'm comfortable with... maybe website can't.. but why I'm able to do this in web browser - I don't need to - so I want to harden it... ok?

    • @erikkonstas
      @erikkonstas several months ago

      ​@@seedney Uh... maybe just don't paste random untrusted stuff in the console then? No kind of sandbox can save you from a cookie-stealing script that promises "free virtual currency" that you've copied and ran yourself...

  • @fdsknjlsfnubk3e7hi8sx
    @fdsknjlsfnubk3e7hi8sx several months ago

    if you don't have a vpn then get a proxy with in and out firewall. a proxy and a vpn is overkill

  • @JotaleaGG
    @JotaleaGG several months ago +2

    3:22 I'm right there 😀

  • @v0xl
    @v0xl several months ago

    creep js is pretty awesome for testing fingerprint resistance

  • @saganandroid4175
    @saganandroid4175 several months ago

    5:33 and low integrity is good because why?

  • @ats-3693
    @ats-3693 several months ago

    If I ever want to go to a link or download something I'm a bit sus on I just open up Vmware Workstation Pro fire up one of my VMs then use the VM to do it, if anything goes wrong just shutdown the VM and restore it back to the last snapshot that I took of it.

  • @elliottclaus7584
    @elliottclaus7584 several months ago

    is it worse clicking a link in a downloaded pdf?

    • @erikkonstas
      @erikkonstas several months ago

      No, it's the same risk as opening the downloaded PDF actually, if it's one of those "smart" PDFs with JavaScript in them (e.g. where you can type in fields and click on checkboxes).

  • @the_dark_build8318
    @the_dark_build8318 several months ago

    what do you think about librewolf?

    • @EricParker
      @EricParker several months ago +1

      It's roughly equivalent to firefox with the telemetry manually disabled. I guess the benefit is it doesn't execute once.

  • @edrikhtg
    @edrikhtg several months ago +2

    Hi, can anybody answer this?
    Got supposedly "hacked" once through clicking a link. It was one of those steam chat "poll for my team in this website" type of thing. I don't really remember the details of it but whoever did it got ahold of access of my steam chat and was sending chats to one of my steam friends.
    Nothing happened tho, got the password changed and everything but i'm just curious on how it happened. Did it happen through these methods or is it different?
    Appreciate the replies. Thx!

    • @Lucasbc
      @Lucasbc several months ago

      Tbh you didn't get hacked by clicking the link, you must have opened a malicious executable or smth earlier

    • @jde12
      @jde12 several months ago

      Did you enter your steam login on the site?

    • @edrikhtg
      @edrikhtg several months ago

      @@jde12 i didn't iirc

    • @upsxace
      @upsxace several months ago

      if they "got access" to your steam chat or anything like that, it 99% of the time means they found a way to steal your cookies (which allows others to authenticate as you without any password or anything like that). Now the question is how?
      By clicking a link, that is only possible through a zero-day exploit, which is very unlikely that u ran into one of those, so you probably messed up in another way that you don't remember.

    • @edrikhtg
      @edrikhtg several months ago

      @@upsxace yeah maybe i did put my login to the site when i tried to recall it again. It's a long ago and all i remember was just clicking the link and went into this website and clicking some more until a pop up came out and just closed right away. idr much tbh but that's a reply i'm looking for, thanks!

  • @goingcrazy-mg9sf
    @goingcrazy-mg9sf several months ago

    Depends on what you got installed. Used to java drive-by pre-eoc rs with a simple link

    • @erikkonstas
      @erikkonstas several months ago

      "Java" or "JavaScript"? Because Java applets were quite the malware festival back when they were a thing, but were in fact not exactly "within" the browser...

  • @danialonderstal3564
    @danialonderstal3564 several months ago

    Legend content, keep it up my good sir

  • @elevatedmm2
    @elevatedmm2 several months ago

    Short answer: yes
    long answer: it's complicated (very very very rare)

  • @marcs8325
    @marcs8325 several months ago

    I've wondered about the virtual machine thing. It feels much safer to run a browser in a sandbox or virtual machine. But apparently that's not a thing anymore?
    I'm on Windows btw.

    • @erikkonstas
      @erikkonstas several months ago

      VMs will never "not be a thing"... every CPU that should be considered appropriate for a PC in 2024 has special virtualization instructions, actually (Intel calls it VT-x).

  • @destrix-12
    @destrix-12 several months ago +2

    Why are you using edge?? 😭😭

    • @maxz69
      @maxz69 several months ago +1

      Guess some people just like edging 🙄

  • @el-3omda476
    @el-3omda476 several months ago

    Doesn't JavaScript have unlimited access to browser data? I mean the site can grab the saved passwords in your browser

    • @erikkonstas
      @erikkonstas several months ago

      Normally no it shouldn't, there's stuff like SOP that prevents that.

    • @upsxace
      @upsxace several months ago

      nop. only certain types of data. there is stuff that is encrypted, and there is stuff that can only be accessed in specific ways

  • @Relix0529
    @Relix0529 several months ago +1

    2:50 how is it infamous in a good way lol. Wouldn't you just have been correct in saying famous or popular?

    • @Relix0529
      @Relix0529 several months ago

      Very educational video overall. Thank you for your content. Just thought that moment was funny lol.

  • @BrainDamageIV
    @BrainDamageIV several months ago

    Now this, this is cinema

  • @sadBytes
    @sadBytes several months ago

    I was thinking of exploiting another app using their custom uri scheme. Although the exploit will not occur in the browser, it will be still just a link that a victim would need to click.

    • @erikkonstas
      @erikkonstas several months ago

      And that's why the browser asks you before opening the program... hence no gotcha.

  • @pelaajahacks8358
    @pelaajahacks8358 several months ago

    what about librewolf? is it better than mullvad browser?

  • @WalmartVaxei
    @WalmartVaxei several months ago +2

    are you spying on me? i googled that like a day or two ago and couldn't find anything useful, really hehe

  • @xNarRL
    @xNarRL several months ago

    Is cyberflow your channel? Because he stole almost everything you talked about even the words he just changed the edit

  • @jxeyu
    @jxeyu several months ago

    It has happened to me on internet explorer. I got a screen locker and couldn't power off or use my keyboard.

    • @erikkonstas
      @erikkonstas several months ago

      If not even Ctrl + Alt + Del (the one keystroke Windows shouldn't allow to be overridden) works, use the physical switch on the back of the PC...

    • @jxeyu
      @jxeyu several months ago

      @ It was a laptop. I didn't know how to remove the battery back then.

  • @TheRealMangoDev
    @TheRealMangoDev several months ago

    there's no user agent for 11. i knew that microsoft themselves hated what they've created. people should give awards for worst os of the year

  • @blenderglow6117
    @blenderglow6117 several months ago

    Happy to find this channel, sad that it's too late

    • @erikkonstas
      @erikkonstas several months ago

      Too late in what regard, that your browser was exploited...?

  • @CaPr-uf3kw
    @CaPr-uf3kw several months ago

    Accurate and free information for everyone. Thank you.

  • @abiyar7799
    @abiyar7799 several months ago

    is downloading not executable files like jpg or mp4 dangerous

    • @fastmclarencarlewisandseb
      @fastmclarencarlewisandseb several months ago +1

      yes, it can contain js that can execute via terminal hidden.

    • @EricParker
      @EricParker several months ago +5

      Depends if it's really a jpg or mp4. There's a method with unicodes to create a fake extension.

    • @wixlogo
      @wixlogo several months ago

      Always right-click on the file, then open it with the photos app. And if you want to be a hundred percent safe (like remember there was a vulnerability within WebP format?) better just upload it to a Google Drive which is not your real account and open it from Drive online.

    • @abiyar7799
      @abiyar7799 several months ago

      @@wixlogo i want to understand you talking about the webp format that i download from the browser directly like right-click and save it or downloading webp compressed in rar or zip.

    • @abiyar7799
      @abiyar7799 several months ago

      @@EricParker and it appears in the extension .mp4/.jpg ? and open the image normally?
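A defender-side check for the fake-extension trick mentioned in the replies above, as an added example that is not from the video or any commenter: it flags Unicode bidirectional control characters in a file name and compares the stored extension with the file's leading magic bytes. The function names, extension list and sample inputs are constructed for illustration.

```python
import unicodedata

# Bidi classes of the embedding/override/isolate controls that can change the
# order in which a file name is displayed (RLO, U+202E, is the usual one).
BIDI_CLASSES = {"LRE", "RLE", "LRO", "RLO", "PDF", "LRI", "RLI", "FSI", "PDI"}
# Illustrative, not exhaustive, list of extensions Windows will execute.
EXECUTABLE_EXTS = {"exe", "scr", "com", "bat", "cmd", "pif", "msi", "lnk"}
ALIASES = {"jpeg": "jpg"}


def sniff_type(head):
    """Identify a few formats from the first bytes of the file."""
    if head.startswith(b"\xff\xd8\xff"):
        return "jpg"
    if head.startswith(b"\x89PNG\r\n\x1a\n"):
        return "png"
    if head[:4] == b"RIFF" and head[8:12] == b"WEBP":
        return "webp"
    if head[4:8] == b"ftyp":      # ISO base media container (MP4 family)
        return "mp4"
    if head.startswith(b"MZ"):    # DOS/PE executable header
        return "exe"
    return "unknown"


def stored_extension(name):
    """Extension as stored on disk (logical order), bidi controls removed."""
    logical = "".join(c for c in name
                      if unicodedata.bidirectional(c) not in BIDI_CLASSES)
    ext = logical.rpartition(".")[2].lower() if "." in logical else ""
    return ALIASES.get(ext, ext)


def check_download(name, head):
    """Return a list of findings for one downloaded file; empty means clean."""
    findings = []
    if any(unicodedata.bidirectional(c) in BIDI_CLASSES for c in name):
        findings.append("bidi-control-in-name")
    ext = stored_extension(name)
    if ext in EXECUTABLE_EXTS:
        findings.append("executable-extension")
    actual = sniff_type(head)
    if actual != "unknown" and actual != ext:
        findings.append(f"content-is-{actual}-not-{ext or 'none'}")
    return findings


# Constructed samples: leading bytes only, not real files.
JPEG_HEAD = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00"
MP4_HEAD = b"\x00\x00\x00\x18ftypisom\x00\x00\x02\x00"
MZ_HEAD = b"MZ\x90\x00\x03\x00\x00\x00"
# Stored as "holiday<RLO>gpj.exe"; a bidi-aware UI shows it ending in ".jpg".
RLO_NAME = "holiday\u202egpj.exe"

if __name__ == "__main__":
    for name, head in [("photo.jpeg", JPEG_HEAD), (RLO_NAME, MZ_HEAD),
                       ("clip.mp4", MZ_HEAD)]:
        print(ascii(name), check_download(name, head))
```

A file manager set to show full extensions helps with double extensions, but only a check on the stored characters like this one exposes a name whose display order has been reversed.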

  • @zombieshoe
    @zombieshoe several months ago

    Regarding arbitrary code execution: how does this change with the rise of web assembly? I've seen complete C programs compiled to web assembly and run inside the browser, including full video games. I feel like this makes it a lot easier to run malicious code on browser page load, right?

  • @TeeChemist
    @TeeChemist several months ago

    What about BeEF/Browser Exploitation Framework? I mean it could be another possibility too, right?

  • @sirintegrafairbrookwingate4033
    @sirintegrafairbrookwingate4033 several months ago

    Why? What happened?

  • @FALLEN-ilv
    @FALLEN-ilv several months ago

    Click the link in the description and find out!

  • @thoqqu
    @thoqqu several months ago +11

    Can you get hacked by opening an image? In theory and in practice.

    • @EricParker
      @EricParker several months ago +30

      In theory: if the image viewer is coded in a spectacularly moronic manner anything is possible.
      In practice: Probably not. Although there was an exploit with webp fairly recently.

    • @SpaceCadet4Jesus
      @SpaceCadet4Jesus several months ago +9

      Yes, not in all cases, it's rare anymore. Hackers can embed malicious code within an image file, and if you open it using a vulnerable image viewer, the code can be executed. I've seen it work decades ago, but with all the patches and security fixes, not anymore.

    • @Bhoppings
      @Bhoppings several months ago +1

      no.

    • @Joomluh12
      @Joomluh12 several months ago +5

      ​@@EricParkerYou should dive into steganography some time. The most basic way to pull it off is with the "cat" command. Sort of. I'd more so call this a pseudo form of it, but cat can be used to spoof RAR archives as images that will load in an image viewer. Not sure if it's possible to do this with something like an SFX, but I'm sure something could be cobbled together.

    • @Daniel-hz6pt
      @Daniel-hz6pt several months ago

      @@EricParker I think it’s dumb to say “moronic way” the people that wrote libwebp weren’t morons, C/C++ is just very hard bordering on impossible to write without undefined behaviour

  • @Jaydxe-4k
    @Jaydxe-4k 3 days ago

    best browser to use?

  • @lemonade305
    @lemonade305 several months ago +1

    Webkit exploit can get an RCE

  • @Hunoa44
    @Hunoa44 several months ago

    I literally download the free stuff you recommend cause the info you provide is easily comprehensible and accurate to what i saw in the internet

  • @factswithlouis
    @factswithlouis several months ago +2

    get ur popcorn ready eric just posted!

    • @SpaceCadet4Jesus
      @SpaceCadet4Jesus several months ago

      Make sure it's a small bowl because it's only a short video.