Too often sites don't require reauth to change account settings. Huge fail! If they can't change passwords, email, phone numbers, or delete accounts, you at least have the ability to get your account back. Also YouTube.. don't allow video deletion without reauth!
That's for the user's convenience frankly. Users don't want to reauthenticate for everything. Users don't want to have to fill in the password for everything. It does lower the security when sites don't require you to reauth for more dangerous tasks, but users don't care though. I personally wouldn't mind reauthing; after all, I understand that changing my password is something that an attacker could do when they acquire access to the account, so I'm grateful for an added layer of security. But I am educated in cyber security. The ordinary user often is not, and reauthing may be seen as a burden, not a safety feature.
Circumvent it with 'I forgot password'... Chances are if they have your session for one thing, they likely also have it for your mail.
Epic fail *does dart tongue noise* 👎
@dealloc That's true. The thing about this is that everything like this requires you to click on something. If something smells fishy, be extra careful. This is super fishy.
GitHub has this feature and I liked it
Knowing this can happen from a simple file download is actually insane. Seriously, more people need to know about this. Appreciate your attention to detail and clear explanation. I would LOVE to see more videos on this topic of vulnerabilities and online privacy/security. I subscribed
you can't steal mine *ain't got one*
Neither do I! 😎😎
*Are you sure?*
I just made you one
There are legitimate problems with session tokens, but this isn't one of them. If the attacker has code execution, stealing the session token is a matter of convenience. They could just remote control your browser session.
John Hammond's next video: How I social engineered myself.
(For educational purposes only)
i'm weak asf
🤣
Take a shot every time he says “infostealer malware”
That's the hardest part actually 😂 getting infostealer to your OWN computer
I'm highly surprised that Reddit doesn't match secondary data to their sessions. In eCommerce and secure application practices, sessions must be matched to things like GeoIP data. I've been exporting cookies and keeping them on a flash drive to use my sessions on other computers since I was a teenager. Interesting to see it hit the mainstream.
Things like ACM or Advanced Cookie Manager, and similar tools have been around since 2010. And there were tools for this in the 90s
Now I'm wondering about the precision and policies surrounding that GeoIP data. 🤔
Let's say a bad actor is logged in to the public wifi of a fast-food restaurant nearby, or has infiltrated your neighbour's network.
And I'm not even mentioning ISPs with dynamic IP addresses.
@sasjadevries VPNs changing your GeoIP is an example of changing location. Many things, such as USPS' website, do not support VPNs for example. Some location services use multiple network data to refine your location, and can provide more precise unique network location fingerprints.
It's been mainstream for a long time lol
@mitospha Yeah I know, they usually block IP addresses of known VPNs. But if an attacker uses his botnet for proxying his traffic, then that traffic is still coming from residential buildings.
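The two server-side controls argued for in the comments above (reauth before sensitive account changes, and matching a session to secondary client data such as GeoIP) as one added illustration; this is not code from the video, from Reddit, or from any commenter, and every name, constant and sample session in it is an assumption:

```python
# Added example: a minimal server-side session policy that limits what a
# stolen cookie alone can do. Two controls from the discussion:
#  1. step-up reauthentication for sensitive account changes, so a replayed
#     session token cannot change password/email/phone or delete the account;
#  2. binding a session to coarse client context (an IPv4 /24 prefix here,
#     standing in for GeoIP), revoking sessions that suddenly move networks.
# All names, constants and sample values are assumptions for illustration.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

SENSITIVE_ACTIONS = {"change_password", "change_email",
                     "change_phone", "delete_account"}
REAUTH_WINDOW_SECONDS = 5 * 60   # password/2FA must have been entered within 5 min


@dataclass
class Session:
    user: str
    created_at: float        # when the session cookie was issued
    last_auth_at: float      # last time password/2FA was actually entered
    bound_prefix: str        # e.g. "203.0.113.0/24", recorded at login


def _same_prefix(session: Session, client_ip: str) -> bool:
    return ip_address(client_ip) in ip_network(session.bound_prefix)


def authorize(session: Session, action: str, client_ip: str, now: float) -> str:
    """Return 'allow', 'reauth_required', or 'revoke' for one request."""
    # Control 2: a cookie replayed from a different network than the one it
    # was issued to is treated as suspicious and the session is terminated.
    if not _same_prefix(session, client_ip):
        return "revoke"
    # Control 1: sensitive changes need a *recent* interactive authentication;
    # holding the session token is not proof the user is at the keyboard.
    if action in SENSITIVE_ACTIONS and now - session.last_auth_at > REAUTH_WINDOW_SECONDS:
        return "reauth_required"
    return "allow"


def record_reauth(session: Session, now: float) -> Session:
    """Called only after the user successfully re-enters password/2FA."""
    session.last_auth_at = now
    return session
```

Note that, as one reply points out, a "forgot password" flow that trusts a mailbox session is a separate path this check does not cover, and a coarse IP binding will still break for users on VPNs or dynamic ISP addresses.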
Cool video, even if the scenario seems a bit contrived (just assume ACE on the victim's machine, lol).
But from what I can learn about Flare I don't see them doing anything useful. The idea is to scrape publicly-available information from paste sites, forums, etc. and "the dark net" (just more forums probably), and then analyze that using simple string pattern matching and "AI" to "warn" their customers. But such data is very often not uploaded immediately to such freely available public sources because the hackers want to use the data themselves or sell it (can't sell it if you've already given it away). They basically get to see the data that is so low-value to hackers they give it away for free. At that point you've already been thoroughly hacked, the hackers have made their money, and have gotten away with it. This tool might help you "mop up the floor" a bit afterwards. It does nothing to actually protect you, and detects threats only after they've been fully exploited. Investing in additional actual IT security (workers, education, programmer time, etc.) seems more prudent.
This is, as usual 90% informative and entertaining, and 10% scary 😅
I think it gets even scarier when you start looking at mobile platforms
This is scary man!
A bit worried this violates the Reddit ToS even if only a demo. Hope they don't mind. Would be silly of them to care anyway.
It definitely doesn't; it's a clickbait af video. Yes, this is what info stealer malware does. Yes, you can take over accounts with it. But obviously you can take over an account if you have the cookies. This does not warrant a video, and the title makes it seem like something more significant.
Reddit is very respectful of hackers. I just checked their scope on HackerOne for you and he was well within their scope, so all is well. ❤
@ytuseraccount The entire point of the video is to show that people use malware like RedLine to steal cookies from people and that this bypasses even good, strong passwords, 2FA and browser fingerprint. What is the clickbait? You're just saying "oh yeah, that's an info stealer, I already know what this kind of malware does", but other people don't.
@ytuseraccount I haven't watched that far but was expecting something like that.
I don't think this is really clickbait, if it attracts a wider audience to learn about CS that's a good thing.
It does violate the Reddit terms of service, as by using the cookie info you are:
"modify, prepare derivative works of, disassemble, decompile, or reverse engineer any part of the Services or Content; or"
As I said, I'm still watching, but they actually could be annoyed if there's not a disclaimer that this is not specific to Reddit for those who don't have an understanding of how cookies/info stealers work. But I'm guessing he explains that in the video.
I still think it would be silly of them to get annoyed about it.
@holobolo1661 It's good that it attracts a wider audience, but I was expecting maybe an ATO he'd reported to Reddit and gotten disclosure for or something like that.
Most websites use a double check if you log in from a different IP address, so you might need to proxy or VPN to that country
Is there a way to make Windows programs more like Android where when an app wants to do something to your files that aren't related to that specific app (for example, reading web browser cookies) it has to ask for permission first?
I started to watch this video and was like "no way you can easily steal sessions", and I was right. If your victim is ready to click on random applications, it's not "easy", you can only steal from complete idiots
With the amount of idiots that have access to IoT devices, it is very easy 😂
Not really. This was just a demo, a real attack would require sophisticated techniques. It won't be a random application, it will be something made for you to trust it is legit. It could be a game you download, an executable disguised as image, hidden in a code. Possibilities are endless, and they would just need the right one to catch you.
You seem to be a bit inexperienced in this field my man, there are plenty and I mean PLENTY of people stupid enough to do that. And also this does not only apply to people who run infostealers; using sessions like this is extremely common when conducting XSS attacks where you make the victim run JavaScript to send their entire session over to somewhere else. Educate before being so ignorant about informational videos.
thank you for your answers! I was negative because I lack confidence; in fact, this is a very helpful video in a lot of ways.
@АлексейЛогинов-ж1ц never stop learning 👍
Wow, thank you for sharing this information. I love this kind of stuff that shows the vulnerabilities
Can you pls share your scripts so we can do it for ourselves pls?
For testing on myself only.
hoaxshell.
@lerenstuderenopschool riiiiiight, for sure bro
Nice try script kiddie 😂
@computeroid6162 I like to try these things myself without typing everything over from a paused YT video. I don't know what a cookie grabber looks like (code) and I'd like to learn it for cyber sec.
The best keyboard and mouse combo ❤❤ awesome content as usual!!!
What if the person is using Incognito? Or if they clear cookies before closing the browser?
Because when the browser is open, the files which contain the cookies are locked until you close it.
The thing I don’t understand is: how are we supposed to get the Shortcut on their computer without having to release it as a “Program” to expose it to multiple victims (then become a criminal)? Let’s say we have 1-2 victims we want to investigate, how to trick only those 1-2 into this trap like they’ve done to me before? Seems pretty “ethical” to me. 💯
You can simply paste that into another browser using a plugin and you have successfully done the same
Yes, you can also insert it using developer tools.
Was your Windows Defender enabled? Would it stop the payload from downloading on the system?
Enabling Device Bound Session Credentials in Chrome (Flags) does not help to prevent cookie theft?
Awesome!!! Thanks Hacker
Bro you're the real hacker.
Great 😃
Where do these infostealer logs come from?
Can we import the whole cookies file that contains more than one website into GoLogin and it will work? Or should it be one website per file?
Seems that we all view Windows as a joke rather than an OS. lol
I like how the hacker is so leet, that it says leet in the name twice.
Hello from Argentina !!!!!
of course it's cookies. but nice user name tho
John Hammond please talk about app-bound encryption and how hackers bypass it by opening a Chromium browser in debugging mode
Was Windows Defender turned on?
and again, it needs a stupid one on the other side, as with 99% of all techniques
Could've sworn you were wearing overalls at first
I stole my own Reddit account too. I just input a password and it works
umm, what's the purpose? (also I don't have a Reddit Account so you can't hack mine)
I don’t use Reddit
Ok.
"now that we control windows user machine from our hacker machine" - and you lost me. Seriously - it's practically "now that the biggest, most difficult hurdle is done, I can do some silly stuff". With that kind of access, what prevents you from overwriting the browser and having the user himself transfer all the money from his bank account to you? xD
well as a pro hacker firstly stop USING WIRELESS MOUSE
I lost my account
Great video.
Buzzword buzzword
Running out of video ideas? 😂
Hi
Now it's my time to unsub; this was the worst clickbait I've ever seen.
ohhhh ahhhh
shorts
h8
I would be surprised but Reddit has always had bad programming. Any programmer with a brain can tell.
This problem is in all sites that let you in your account after page refreshes
🎉🎉🎉
🎉
mic way too loud hurts the earholes no need to shout dude!
...turn your volume down?
This video is on the same level as any other video I have watched in the past week...
CPP book malware analysis name show mi
Sorry, but it captures the cookie itself, it's beautiful in practice, it shows me you making a network sniffer in vps, capturing the network packets without any, client-side failure! And capturing session cookies, on an onion network for example! Baby script I am too
Can you write a cookie grabber script?
Wow 😂
First!
If you pin this then you are a legend (actually already).
First here !
I need your help bro please tell me where can i contact