LiveOverflow

patreon


LiveOverflow posts

Finding The .webp Vulnerability in 8s (Fuzzing with AFL++)

A guide on how to do fuzzing with AFL++ in an attempt to rediscover the libwebp vulnerability CVE-2023-4863 that was used to hack iPhones.

Watch webp Part 1: https://www.youtube.com/watch?v=lAyhKaclsPM

Grab the code: https://github.com/LiveOverflow/webp-CVE-2023-4863

A Vulnerability to Hack The World - CVE-2023-4863

Citizen Lab discovered BLASTPASS, a 0day being actively exploited in the image format WebP. Known as CVE-2023-4863 and CVE-2023-41064, an issue in webp's build huffman table function can lead to a heap buffer overflow. This vulnerability is very interesting and I'm excited to share with you what I learned.

Request hextree.io Invite

Around 6 months ago I explained to you why I decided to create a paid online training platform. If you missed this, check out this video: https://www.youtube.com/watch?v=nDiXoeeAMWM

Because y...

Reinventing Web Security

Follow me down the rabbit hole into the wonderful world of IT security.  

Tweets:
https://twitter.com/LiveOverflow/status/1720734431659376995
https://twitter.com/LiveOverflow/status/1720799912181284864

2023-11-20 19:12:43 +0000 UTC

The Circle of Unfixable Security Issues

Not every security issue can be fixed. There exist (what I call) "unfixable" bugs, where you can always argue and shift the goal posts. The idea is to only report these kinds of issues to create an endless stream of bug bounty money!

Hacker Tweets Explained

Let me explain to you what you can learn from these tweets. Did you know the name trick?

Quote Tweet: https://twitter.com/avlidienbrunn/status/1697869590569582932
Original Tweet: https://twitter.com/Rhynorater/status/1696862832841916679

Zenbleed (CVE-2023-20593)

Let's explore the "most exciting" CPU vulnerability affecting Zen2 CPUs from AMD. 

In case you missed it, here is part 1 about fuzzing CPUs: https://www.youtube.com/watch?v=neWc0H1k2Lc

The Discovery of Zenbleed ft. Tavis Ormandy

How did Tavis Ormandy fuzz CPUs to discover Zenbleed? In this video we learn about the techniques to make this work!  

https://security.googleblog.com/2023/08/downfall-and-zenbleed-googlers-helping.html  

Asking Android Developers About Security

Watch me go out of my comfort zone and talk to strangers O.O...

I attended droidcon Berlin 2023 and interviewed some developers about what they know about Android security. Thanks again to everybody who answered my questions, and thanks Egidijus for the dcbln23 ticket!

HospitalRun Local Root Exploit

Let's talk about a "security flaw in hospital software that allows full access to medical devices". This issue was disclosed on LinkedIn and included a full exploit code. Let's use this app as an example of how to find a macOS privilege escalation and learn how local root exploits can work.

Print BINGO sheet: https://twitter.com/liveoverflow/status/1682650394227351552


Secrets of an Android App Bug Hunter

Sergey Toshin tells us the story of how he became a top Android bug hunter and how he finds critical vulnerabilities. He also shows us a really cool vulnerability found in the Google Android Snapseed app. I didn't know this crazy attack vector exists!

Generic HTML Sanitizer Bypass Investigation

I stumbled over a weird HTML behavior on Twitter and started to investigate it. Did I just stumble over a generic HTML Sanitizer bypass?

Hacking Google Cloud?

Every year Google celebrates the best security issues found in Google Cloud. This year we take a look at the 7 winners to see if we could have found these issues too. Will I regret not having hacked Google last year?

Trying to Find a Bug in WordPress

I stumbled over some WordPress code involving caching. Immediately I had this idea about MD5 collision and how this could affect the implemented logic. I started going down a rabbit hole exploring the feasibility and eventually setting up a PHP debug environment. Only to realize that the idea was flawed from the start. So while this ends up being failed security research, we still learn a lot along the process.

Authentication Bypass Using Root Array

Lots of #bugbountytips get posted on Twitter, but some of them are ... weird. Let's explore the technical details of one tweet to understand where this tip came from, why this tip was wrong, and eventually learn about the real underlying vulnerability. This is a surprising turn of events!

The #bugbountytips tweet: https://twitter.com/beginnbounty/status/1526795822687346688

My YouTube Financials - The Future of LiveOverflow

In this video I show you my YouTube financials and tell you about a new project I have been working on: hextree.io

FYI to all Patreon members, I have not charged you for this video because it's just a channel update.

Securing AI - Prompt Injection Defense

After we explored attacking LLMs, in this video we finally talk about defending against prompt injections. Is it even possible?

Watch the complete series: https://www.youtube.com/playlist?list=PLhixgUqwRTjzerY4bJgwpxCLyfqNYwDVB

Language Models are Few-Shot Learners: https://arxiv.org/pdf/2005.14165...

Accidental LLM Backdoor - Prompt Tricks

In this video we explore various prompt tricks to manipulate the AI to respond in ways we want, even when the system instructions want something else. This can help us better understand the limitations of LLMs.

Video Part 1: https://www.youtube.com/watch?v=Sv5OLj2nVAQ 

The OpenAI API cost is pretty high, thus if you want to play the game, use the OpenAI Playground with your own account:

Attacking LLM - Prompt Injection

How will the easy access to powerful APIs like GPT-4 affect the future of IT security? Keep in mind LLMs are new to this world and things will change fast. But I don't want to fall behind, so let's start exploring some thoughts on the security of LLMs.

Defending Our Jobs Against AI!

Copilot, ChatGPT and other AI models have become a threat to hackers. We rely on insecure code, but when all developers have moved over to code generated by AI, we will lose our jobs. We need to act fast!

This is an April Fools' project about how threat actors could start manipulating AI for the future.

Cybercrime is Not Hacking!

In the news, cybercrime is often mentioned in connection to "hacking". Also when accounts get stolen, people say "my account got hacked". But is this really hacking? What does cybercrime actually look like?

Attacking Language Server JSON RPC

While auditing a VSCode Extension + Language Server I noticed something interesting. This turned into the research question "can we attack the extension from the browser?". After a bit of preliminary research I decided to do it again on stream, and eventually made this video. This is what security research can look like.

Full Live Stream: https://www.youtube.com/watch?v=jc7S6TtLK_c

Stealing Cheats from Cheaters (Teleport Hack)

There exists a pretty cool teleport hack that I couldn't discover myself. So I decided to steal it and share it with you all!

VPNs, Proxies and Secure Tunnels Explained

What is a secure "tunnel"? When I started to learn about computers the name confused me. I couldn't imagine how it works on a technical level. In this video we build upon knowledge from the previous videos, to develop an intuition for what a tunnel, VPN or proxy is.

1. Server Explained: https://www.youtube.com/watch?v=VXmvM2QtuMU
2. Protocol Explained:

2023-02-17 15:13:09 +0000 UTC

Velocity Exploit on Paper?

In this video we investigate the comments' claims that there exists an arbitrary velocity exploit in Minecraft. We look into the code and see if that is true.

Computer Networking (Deepdive)

In this video I try to explain computer networking with pieces of paper. This hopefully explains why in some universities the OSI layer model is taught. While I find the OSI model kinda useless, "thinking in layers" is extremely important. Black boxes of layers allow us to focus on what matters, and ignore anything else.

Revisiting 2b2t Tamed Animal Coordinate Exploit

Everybody told me the cat coordinate exploit/leak was already known. However, this does not seem to be true; I tested it by logging packets.

What is a Protocol?

The term "protocol" can be really confusing. In this video I try to explain to my former self what it means to have a protocol.

Minecraft Reach Hack

Let's talk about how we can implement a reach hack in Minecraft. After knowing how it works, it seems so obvious. But it took me over 14h to figure out myself :D

Don't Trust Cats

I tried to hide a new base far away, but players quickly found it. Let me tell you how they did it.
