This GitHub CSS Exploit Is WILD 

Theo - t3․gg

GitHub's latest exploit is a bit absurd, but also beautiful. Throwback to the old MySpace days. CSS exploits are fun
THE RESEARCHERS
x.com/xyz3va
x.com/cloud11665/
x.com/vmfunc
Check out my Twitch, Twitter, Discord more at t3.gg
S/O Ph4se0n3 for the awesome edit 🙏

Published: 27 Sep 2024

Comments: 222
@johnhershberg5915 3 months ago
"Without further ado" followed by more ado
@HUEHUEUHEPony 3 months ago
Trash YouTuber, disliked can't unsubscribe since never was subscribed
@Hexcede 3 months ago
And with further ado, ...
@silentsushix3 3 months ago
yeah, he can be a mumbler sometimes... 😅😂
@need59 3 months ago
​Yappatron 🥱cool exploit but I'd rather watch skibidi toilet and jork my pingasss
@spooky4655 3 months ago
Oh nahh we bout to get Github Nitro before GTA 6 💀💀💀
@DRSDavidSoft 3 months ago
Heck of a comment! 😂👍
@WlodekM3 3 months ago
Damn sad that it got patched, i wanted to turn the background into C A T
@axMf3qTI 3 months ago
Cool a throwback from a time when the internet was for the people and wasn't ridiculous corporate.
@xetera 3 months ago
FYI IP grabbers aren't out of the question for this exploit because of CORS. The thing that prevents IP grabbers from working on Github are their CSP rules. CORS by default only blocks responses from being read, it doesn't prevent the request from being sent as long as the request is considered "simple," which an IP grabber request could totally be. Non-simple requests are the ones that have preflight requirements
@Cuwubiq 3 months ago
at that point visitor counters through loading images through the markdown image syntax would work the same, after that, css injecting has been introduced as an official feature on codepen for years and it's not been even used for exploiting, cors can secure this enough
@omduggineni 3 months ago
GitHub has an image proxy though, so your image would only be requested once (by the proxy)
@CoolestPossibleName 3 months ago
Github should embrace this and make this a feature
@justafreak15able 3 months ago
Emm if you can inject css you can inject url in background and these urls could have javascript executing. it's crazy.
@mollthecoder 3 months ago
​@@justafreak15able No, you can't because of CORS.
@Kane0123 3 months ago
No.
@uSkizzik 3 months ago
​@@justafreak15able Just block all non-GitHub links and limit the GitHub links to images or something.
@Relonde 3 months ago
@@Kane0123 yes*
@trietang2304 3 months ago
Github homepage ricing sounds so fun.
@hidoryy 3 months ago
the github markdown is pretty strict but you can still make some cool stuff with it
@SuperQuwertz 1 month ago
@@hidoryy You can always load svgs, but styling the whole page is so cool :D
@JC-jz6rx 3 months ago
with so much negative energy in the tech industry (and the world) recently, sometimes we need these wholesome videos.
@razzeeee 3 months ago
This also worked on PR comments (and probably issues) and you could just block all interactivity with it.
@anonymous49125 3 months ago
this is textbook 100% improper disclosure. The fact they had to sweat a late Friday night to get it patched is proof positive this is really inappropriate. You really must email them, then wait for 2 weeks for a response; that's the minimum, and gives them time to actually put out a PROPER fix, rather than a rushed patch job.
@williambos4410 3 months ago
00:26 yackcine lmfaoooooo
@386enhanced 3 months ago
based yacine
@8BitShadow 3 months ago
@2:06 this is called "clickjacking" doesn't come up often, but yea can be a real big security problem for the user.
@EdwardSavin 3 months ago
Myspace all over again
@mettle_x 3 months ago
Theo is becoming more wholesome day by day.
@MsHojat 3 months ago
I remember when something like this happened with someone's stream. -I don't remember the specifics but they somehow (assuming it wasn't self-hosted chat, had a separate renderer for the chat that displays on stream) let users set custom CSS for their messages or something and it quickly got out of hand.- Oh it was full blown javascript/HTML code injection via an unsanitized bot (which makes more sense).
@whamer100 3 months ago
i found something like this for caard once, but instead of injecting css it was straight up JavaScript. but when i reported it, instead of it getting fixed, it was fixed *and* they banned me. how nice :)
@MichaelKaiser-er2jm 3 months ago
like rolling up to the police, reporting a crime with solid evidence and being put into jail for it 🤣
@enkiimuto1041 3 months ago
Hacker furries and weebs are the chaotic neutral that is more interested in exploiting cyber security for the lulz rather than doing anything with it lol
@Bobbias 3 months ago
3:20 You're damn right I did that. Honestly didn't take long to get some very nice looking PDFs out of it too.
@cerulity32k 3 months ago
This has to be a feature. This would be so cool.
@myoboku9455 3 months ago
People have never been so determined to bring back the old internet
@F38U 3 months ago
TBF this needs to be a feature
@someman7 3 months ago
Posting about it on twitter is "A+" responsible disclosure in Theo's book? What isn't responsible disclosure then?
@someman7 3 months ago
That breakdown is terrible too. It starts explaining the basics of basics like we are 5 instead of github users, and then when it comes to the meat, it takes escaping and context for granted.
@javierflores09 3 months ago
@@someman7 this isn't an educational video, they wouldn't go so far as to explain what escaping means and even if they did, it'd serve little purpose as it isn't necessary to understand what happened here (maybe not _why_ it happened but that's different). Also, posting in on twitter gives it very fast exposure leading to relevant people taking notice of it. Sure, there are better ways to achieve that if you have the means but generally big companies like these rarely take reports from your average joe seriously so the only way to get them to understand the severity is to see people playing around with it, it wasn't something hazardously exploitable anyway so it wouldn't have snowballed into something terrible
@someman7 2 months ago
@@javierflores09 Why start with the utmost basics then? But I'm pretty sure this whole channel is edutainment. Posting on twitter is irresponsible. Anything that doesn't afford enough time for the fix to be developed before the exploit is. This one was a miss from Theo, if you ask me.
@LukasSmith827 3 months ago
dingboard community mentioned
@danielvalle8875 3 months ago
LaTeX renders so beautifully
@TheHermitHacker 3 months ago
I participated in updating my profile to show the Svelte wallpaper background. Looked nice while it lasted....
@forivall 3 months ago
I took an intro level psychology course in my last semester just to get enough credits to graduate, and so i used LaTeX to format my paper 🤓 they mandated times new roman font, so it didnt even look like latex
@CodingThingsIRL 3 months ago
MySpace!
@Sammysapphira 3 months ago
I've always hated how social media platforms removed pretty much all customization
@andru5054 3 months ago
Does it still work?
@excelinaccounting8094 3 months ago
i dont get it, is it like using the inspect element to temporarily change the look of the page or directly changing from the server to change the whole site
@JaekSean 3 months ago
You're setting styles on the page. You're not changing the whole site, but the server is sending the bad code to the client.
@fcantil 3 months ago
This was explained pretty well in the vod but... you know what CSS is, right? Usually, when you inspect a page, it'll have somewhere at the top. That's what changes how things look. People found an exploit to basically insert those things through GitHub profile READMEs. Through a specific LaTeX (language for writing math stuff, think of typing "x^2" and it gives you an image of x with a small 2 at the top) command that utilized CSS styles, people were able to exploit it to use their own custom CSS instead.
@cubed.public 3 months ago
GitHub sends you a bunch of code. Inside the code, there is a section of your custom text, and a section of their styles. Your computer reads the styles section, put the custom text in, and renders it. Someone found a way to write a custom text to jump out of that section and change the style which the client computer promptly reads and renders
@fcantil 3 months ago
great, YT apparently just auto-deleted my comment once again. quick definitions: CSS changes how elements on the page look. LaTeX is a way to write math ("x^2" becomes an image of x squared). People found an exploit through a specific LaTeX command that utilizes CSS, and exploited it to use user-created CSS instead.
@Natsulus 3 months ago
Simply put, the difference between inspect element (or any other client side CSS changes) and this, is that the server sends the page to the client (browser) to render, so anyone visiting an affected page will see it, unlike client side CSS changes which only you would see.
@zwatotem 3 months ago
Imagine if HTML-compatible way of embedding math existed... Definitely not a thing... They had to use latex
@gomo5628 3 months ago
ah those "Defaced" old days :)
@sectorrrrr 3 months ago
github needs to make this a feature!!!
@shastri3303 3 months ago
It's a feature
@profikid 3 months ago
Proper myspace vibes
@theoDSP 3 months ago
Why did they fix it?
@cybernerddante 3 months ago
Myspace!!!
@astral6749 3 months ago
The intersection between programmers and weeb culture is wild
@screamingfungus_ 3 months ago
Profile pages are so boring nowadays. You're lucky if you get to use a custom banner
@JLarky 3 months ago
You can tell Theo grew up on Instagram by the amount of times he says "links in bio" instead of "links in description"
@borstenpinsel 3 months ago
This is so it can be chopped up into shorts which are cross-posted to insta and tiktok.
@JLarky 3 months ago
@@borstenpinsel how many links are in his bio?
@RedStone576 3 months ago
still don't understand why people put video specific links in bio
@astronemir 3 months ago
RIP MySpace lol
@SjurWarEagle 3 months ago
But codepilot is so good, they say, so it should be fixed in minutes, right?
@mfaizsyahmi 3 months ago
The world is kept running by weebs and kept safe by furries.
@thephoenix215-po2it 3 months ago
Ahhh apparently all the anime people freaked out once it patched as per vx 🤣🤣
@khuramshahzad9089 3 months ago
0.3 what is written, i am curious
@iamvladw 3 months ago
Crazy Mad Man
@marymissmary 3 months ago
LaTeX ❤
@bilatungdulang9708 3 months ago
on the pict profile, we know one thing, they are all weebs
@JoeJoeTater 3 months ago
Unironically, it would be nice to have a presence on the web that isn't bland corporate nothingness. Let me be cringe, goddamnit!
@spankyjeffro5320 3 months ago
No cringe allowed. Especially not weeb cringe.
@SuperLlama88888 3 months ago
I nearly got this on my profile, but in the few minutes between editing my page and committing it was patched, meaning I had it on the edit page but not after that... ☹☹
@StreamMan247 3 months ago
all websites now look so lame and same, no themeing for your own channel/page, I hate this dystopian walled garden modern internet so much its unreal
@mikescholz6429 3 months ago
Ive had custom userstyles for github for years… I really like my po**hub style github logo restyle 😉
@ShimoriUta77 3 months ago
They fixed it ;-;
@3lH4ck3rC0mf0r7 3 months ago
Not gonna lie, I do hate how the Web has gotten so samey, orderly and non-personalized. Personally, I believe flat UIs look like shit, and much preferred the skeuomorphic era, especially things like the iOS 6 version of iBooks, which resembled a real bookshelf. If this is the alternative, I much prefer the chaos of the MySpace era.
@erroroliver 3 months ago
spacehey
@j-twd930 3 months ago
Agreed
@TheOfficialStapler 3 months ago
Big fan
@PetarVukmanovic 3 months ago
Whoa 0,o
@razzeeee 3 months ago
Really scared me for a moment. Then figured out how to disable javascript and be able to report that person. So I got them banned from github - took a whole day for github to do that, not a good turnaround.
@404maxnotfound 3 months ago
Github should see this and say hey this is a great opportunity to add some more customization options.
@TomNook. 3 months ago
It's a feature not a bug
@MisterObvious0 3 months ago
ngl should leave this
@Brumry 3 months ago
I like how the smartest devs usually have anime profile pictures.
@ultru3525 3 months ago
smartest or too much free time, who's to say 🤷‍♂
@soul_maestro 3 months ago
when you used latex for years and still read it as if it's written lateC or lateK and not as lateX :/ yes, you really are a tool in that case.
@nanopi 3 months ago
YouTube comments section was like this once.
@loganyt8818 3 months ago
get to the main point ghaddmit quickly.
@trickster2060 3 months ago
swearing as you did at the end no longer interested in your channel
@markcruise 3 months ago
Anyone exploiting should have their GitHub account terminated. Stop being assholes. It’s not your playground.
@onetwoval 3 months ago
is bro seriously getting mad at gigabrain teenagers for having fun?
@404maxnotfound 3 months ago
You should have your account terminated. As you basically said "Stop being an asshole"
@404maxnotfound 3 months ago
If all it takes for someones account to be terminated is being "assholes" then it should apply to you. How dare they visually show a harmless use of an exploit they found as a way to get github to do something about it. How dare they care about github security smh.
@ArnoldsKtm 3 months ago
Found the snowflake
@curoviyxru 3 months ago
ahahahha wait you serious?
@theherk 3 months ago
I hope this video pops off. Interesting technical information. Consumable by everybody. Relevant to a big website. Mentions TEX. Fun mostly harmless fun. All around good vides. I'm glad it got patched, but I wish the fun had lasted a bit longer.
@boredguy1663 3 months ago
Honestly GitHub should make this a feature.
@ApeironPortal 3 months ago
No,
@ApeironPortal 3 months ago
Then it would be regulated by decision board not users
@Kane0123 3 months ago
No.
@yuri0001 3 months ago
But most of all, Samy is my hero.
@Ultrajamz 3 months ago
Github-MySpace edition.
@MsHojat 3 months ago
I remember when something like this happened with someone's stream. -I don't remember the specifics but they somehow (assuming it wasn't self-hosted chat, had a separate renderer for the chat that displays on stream) let users set custom CSS for their messages or something and it quickly got out of hand.- Oh it was full blown javascript/HTML XSS via an unsanitized bot (which makes more sense).
@LeonBlade 3 months ago
I gotta say, the LEGO explanation made no sense whatsoever. Really interesting exploit though.
@zincnims9514 3 months ago
Yeah sounds like they asked chatgpt 3.5 to make it 'simpler to understand'
@NithinJune 3 months ago
it was clearly ai generated
@skld-xm 3 months ago
what was that LOL
@LAFLAME1111 3 months ago
They must have been trolling lol. That metaphor made it more confusing
@kokngonose 3 months ago
and its also found on friday lol where developer should be running in a flower garden in amsterdam they fixed the github coz some anime developer decided to change their github profile background lol
@doyouwantsli9680 3 months ago
Yeah it's incredible what lengths corpos go to to prevent user customization these days
@konan1286 3 months ago
​@@doyouwantsli9680 yes and no cause XSS attacks were also possible
@spankyjeffro5320 3 months ago
Gotta prevent weeb degeneracy.
@theairaccumulator7144 2 months ago
As he said it could be used to make scam pages so it wouldn't be good
@NithinJune 3 months ago
3:54 This summary is CLEARLY written with AI lmao 😭😭🤦🤦
@thurston04 3 months ago
.... How does using Latex make one a tool? I use it to format my exams and homework assignments for my students
@ark_knight 3 months ago
....i had the same reaction. why was i called a tool for using latex T_T And its the easiest way to format pages and pages of matrices so far in my books. I don't know any alternate way that would look that good. T_T I wrote my Masters thesis for finite element method with it. I feel so personally attacked for all the wrong reasons lol
@neniugrava 3 months ago
LaTeX was totally not a "tool" tool. Even if you didn't use any math, not having to fight the stupidity that is MS Word to structure your paper was a Godsend. If you used a lot of math it was even better, because MS Words equation editor also blows. I even used LaTeX for my resume, lol. All of my papers looked so much better than those of everyone who used Word, and having to spend zero time faffing around trying to manually structure things was a huge time-saver. Absolutely nobody thought I was cool for using it, either. Most of my fellow engineering students were MS and IDE lock-ins. As for why an embedded C guy is watching this, I guess you can blame Primeagen.
@t3dotgg 3 months ago
I’m always happy to blame Prime for things
@ark_knight 3 months ago
It's been a while, but so far no other solution comes close to formatting insane lines of matrices and equation as nicely as LaTeX does.
@cerulity32k 3 months ago
LaTeX is fantastic, I'm in Grade 12 and I don't know how any of my notes would make sense without it.
@marekbee 3 months ago
Github dashboard deserves a redesign ... The current one isn't that useful...
@oblivion_2852 3 months ago
Speak for yourself. My github has a ton of stuff @Ober3550
@monkaSisLife 3 months ago
If people exploit something like this, there is obviously a need for custom profiles. So add it then.
@Rust_Rust_Rust 3 months ago
They will monetize it.
@alexholker1309 3 months ago
People *want* custom profiles, but that doesn't mean they *need* custom profiles.
@cannedwither8494 3 months ago
That chatgpt post made me cringe though
@DMONSKULL 3 months ago
this is known as a polyglot attack
@TecnologiaeClasse 3 months ago
Who the fuck invented math and why do we need it?!!? SMH
@EngineerNick 3 months ago
omg maybe now someone will actually try to fix math rendering in markdown! It's super broken in so many contexts. pdoc the python documentation tool has so many weird edge cases with math in markdown in python doc comments it's not funny.
@MizManFryingP 3 months ago
This is a really cool exploit but what's funnier to me is that seemingly every professional hacker out there is a massive weeb which honestly おめでとうございます
@shadowxdgamer 3 months ago
it's not a bug it's a feature
@MalwareCube 3 months ago
This is how websites used to be! It was awesome.
@Wilsons-World 3 months ago
My Lesbian Experience with Loneliness by Kabi Nagata. Anyone else catch that?
@R0CK3T_DEV_ 3 months ago
They should turn this into an actual feature
@camwha5904 3 months ago
I see longcat in the thumbnail, I click I’m simple like that
@lbgstzockt8493 3 months ago
I am sorry, but that Lego analogy is...poor.
@tvojejbabkydedko 3 months ago
have you grown up now and are you done with your delusions with "gta youtuber that no one cares about" ?
@Onyaga 3 months ago
css customising was what brought me to love myanimelist
@lootclan5842 3 months ago
the good days..
@_Guigui 3 months ago
man, sad i wasn't around when the exploit was live, i wanted to have a silly style on my profile like that
@starleaf-luna 3 months ago
0:27, OMG IT'S LUŹNY
@damienbyrne6984 3 months ago
I used to write essays in Latex because I started using a dedicated old wordprocessor computer (just did word processing, old green screen thing) then moved on to WordStar, so I got used to seeing all the formatting codes on the screen, so I didn't trust MS Word or other WYSIWYG word processors and liked to see where the formatting instructions were.
@JohnDoe-yi5hx 3 months ago
Escape sequence with backslash. Manipulative DOM to call JS. Label JS as inline and manipulate its origin during call retrieval.
@williamdrum9899 3 months ago
4:14 Well that's an embarrassing one. I know hindsight is 20/20 but that seems like the most obvious thing to think of on a list of things to forbid from a text box
@detritic 3 months ago
Everyone should design websites like geocities pages again
@miguelemmara5046 3 months ago
Do a Coolify review and walkthrough tutorial
@bean_frog4565 3 months ago
Theo, I just noticed the other day that you're coming to Open Sauce! I hope I can find you and say hi :)
@hellowill 3 months ago
Remember when you could set your youtube background and shit? Those were the days.
@larsmadsen8351 3 months ago
Well, mathjax has nothing to do with latex....