What is a Security Vulnerability?

When is a vulnerability actually a vulnerability? I can’t answer this question easily, so in this video we look at a few examples.

-=[ 🔴 Stuff I use ]=-

→ Microphone:* https://geni.us/ntg3b
→ Graphics tablet:* https://geni.us/wacom-intuos
→ Camera#1 for streaming:* https://geni.us/sony-camera
→ Lens for streaming:* https://geni.us/sony-lense
→ Connect Camera#1 to PC:* https://geni.us/cam-link
→ Keyboard:* https://geni.us/mech-keyboard
→ Old Microphone:* https://geni.us/mic-at2020usb

US Store Front:* https://www.amazon.com/shop/liveoverflow

-=[ ❤️ Support ]=-

→ per Video: https://www.patreon.com/join/liveoverflow
→ per Month: https://www.youtube.com/channel/UClcE-kVhqyiHCcjYwcpfj9w/join

-=[ 🐕 Social ]=-

→ Twitter: https://twitter.com/LiveOverflow/
→ Website: https://liveoverflow.com/
→ Subreddit: https://www.reddit.com/r/LiveOverflow/
→ Facebook: https://www.facebook.com/LiveOverflow/

-=[ 📄 P.S. ]=-

All links with “*” are affiliate links.
LiveOverflow / Security Flag GmbH is part of the Amazon Affiliate Partner Program.

50 Comments

  1. Weizhou Wang on June 5, 2020 at 9:56 am

    Security is all about context.

  2. vedi0boy on June 5, 2020 at 9:57 am

    Can someone explain SSL stripping to me? I’m a computer science student and my telecom teacher told me it was possible to intercept https requests at the connection stage, use the SSL data to establish a connection between the client and the MITM, and whenever the client makes a request to the server, it is passed through the MITM, who decrypts the message, sends the request to the actual server and gets a response. It seems like it’s essentially a proxy that decrypts your data.

    Can someone explain to me if it is possible? He said he did it once for an assignment, but something tells me he is wrong (something with CAs and keys makes this seem impossible but I don’t know enough).
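On the question in comment 2, here is an added example written for this page (not from the video and not the commenter's code) that simulates what an SSL-stripping proxy actually does. The host bank.example, the page body and the HSTS header are constructed. The proxy never decrypts the victim's TLS: it holds its own HTTPS session to the server, answers a victim who started in plaintext over plain HTTP, and rewrites every https:// link so the victim never upgrades. If the browser already holds an HSTS entry for the host it insists on TLS, and the proxy would then need a certificate for that host signed by a CA the browser trusts, which is exactly the CA-and-keys obstacle the commenter suspects.

```python
import re

# Constructed stand-in for the real site (hostname, page and header are
# assumptions for this example, not taken from the page).
HOST = "bank.example"
SERVER_HEADERS = {"Strict-Transport-Security": "max-age=31536000"}
SERVER_BODY = ('<a href="https://bank.example/login">Log in</a>'
               '<form action="https://bank.example/pay" method="post">')


def strip_https(body: str) -> str:
    """What an sslstrip-style proxy does to every page it relays: rewrite
    https:// to http:// so the victim's next request is plaintext as well."""
    return re.sub(r"https://", "http://", body)


def mitm_relay(client_scheme: str):
    """The attacker's proxy. Towards the server it is an ordinary HTTPS client,
    so it sees the decrypted page. Towards the victim it can only answer in
    plaintext: if the victim speaks TLS, the proxy would have to present a
    certificate for HOST signed by a CA the victim trusts, which it lacks."""
    if client_scheme == "https":
        raise ConnectionError("no trusted certificate for " + HOST)
    headers = {k: v for k, v in SERVER_HEADERS.items()
               if k != "Strict-Transport-Security"}  # HSTS header is dropped too
    return headers, strip_https(SERVER_BODY)


class Browser:
    """Minimal client that remembers HSTS hosts, as real browsers do."""

    def __init__(self):
        self.hsts = set()

    def fetch(self, url: str, via_mitm: bool):
        scheme, rest = url.split("://", 1)
        host = rest.split("/", 1)[0]
        if host in self.hsts:          # HSTS: never speak plaintext to this host
            scheme = "https"
        if via_mitm:
            headers, body = mitm_relay(scheme)
        else:
            headers, body = SERVER_HEADERS, SERVER_BODY
        # HSTS is only honoured when it arrived over HTTPS
        if scheme == "https" and "Strict-Transport-Security" in headers:
            self.hsts.add(host)
        return scheme, body


def run_attack(browser: Browser, url: str) -> str:
    """Outcome of one victim request through the attacker: 'stripped' if the
    victim got a plaintext page with downgraded links, 'blocked' if the
    browser insisted on TLS and the proxy could not satisfy it."""
    try:
        scheme, body = browser.fetch(url, via_mitm=True)
    except ConnectionError:
        return "blocked"
    assert scheme == "http" and "https://" not in body
    return "stripped"


if __name__ == "__main__":
    fresh = Browser()                                      # never visited the site
    print("first visit typed as http:", run_attack(fresh, "http://bank.example/"))
    primed = Browser()
    primed.fetch("https://bank.example/", via_mitm=False)  # learned HSTS earlier
    print("after HSTS was learned:   ", run_attack(primed, "http://bank.example/"))
```

Running it reports "stripped" for a first visit typed as http:// and "blocked" once the browser has learned HSTS over a genuine HTTPS visit, which is why HSTS preloading and typing https:// matter: the attack lives entirely in the plaintext first hop, not in TLS itself.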

  3. diti :p on June 5, 2020 at 9:59 am

    i’d define it as the ability to perhaps access or modify something you’re not meant to.
    so, bypassing the no-touchy-touchy code.

  4. Jakob Wachter on June 5, 2020 at 10:00 am

    I think a security vulnerability is just a piece of code or implementation that allows for something to go against (or beyond) its intended use. Here’s why I think this (rather broad) definition fits in every case:

    Case 1: The software designer (the guys who made Python) dispute this vulnerability, because this "vulnerability" is actually just a misunderstanding of what virtualenv is supposed to do. It’s a matter of people not knowing how software works. I don’t think this one counts.
    Case 2: This one sounds like a vulnerability, even if the minter disagrees–they’re taking the program they’ve got out of its original confines and creating unlimited supply where there shouldn’t be any.
    Case 3: Where we draw the line, in this case, is really a matter of how hard it would be to bruteforce it (given how long an average session lasts, who’s using it when, etc. etc.). Does this one count as a security vulnerability? The act of copying cookies doesn’t because you need to know the cookie first, and if you know the cookie, well, it’s just working as it should. The issue comes from when the code itself is breakable–which if the ‘intended use’ is a week-long session, you’d best make sure your cookie can’t be bruteforced in a week.
    Case 4: Sounds like a matter of the object preventing said vulnerability being too weak to actually prevent anything from working out-of-line. Patching a hole in a leaky boat with jello isn’t going to do much of anything. It’s a matter of being a bad fix to an already existing vulnerability. Granted, they didn’t do much to try and fix it in the first place and just said: "Let’s let Chrome do it for us".
    Case 5: I’m with you on this one. The second layer of protection didn’t work as intended and basically allowed a hacker to resolve it to a point where it might as well have just been SSL again. That’s a layer of protection gone which might come in handy later.

  5. 小张同学 on June 5, 2020 at 10:03 am

    ‘definetly’ is a vulnerability, it should be spelled as ‘definitely’

  6. ConTRoniiX on June 5, 2020 at 10:03 am

    you should do more of these explaining videos of basics. its great for people trying to get into this hobby

  7. Marius Tancredi on June 5, 2020 at 10:06 am

    Instead of removing the XSS auditor, Chrome can show "vulnerable" in the address bar and disable all input fields on the webpage. This way, it protects the users while forcing the website to fix their vulnerability.

  8. Rodrigo Silva on June 5, 2020 at 10:06 am

    Another amazing video, but… redstar os? why?

  9. thought2007 on June 5, 2020 at 10:06 am

    There are no vulns, only bugs.

  10. Daria Lyubaeva on June 5, 2020 at 10:08 am

    I know it when I see it

  11. Recycle Bin on June 5, 2020 at 10:09 am

    AIDS

  12. Ceos3c on June 5, 2020 at 10:10 am

    Secret:Vaccines Work. I see what you did there my friend (:

  13. Abażur on June 5, 2020 at 10:11 am

    can you help me?
    I wanted to reverse engineer my keyboard software; I explained everything in this post:
    https://www.reddit.com/r/hacking/comments/at7zcu/fwc_files/

  14. Chaosmagican on June 5, 2020 at 10:11 am

    Did you mean: *definitely* 😀

  15. anubislol on June 5, 2020 at 10:17 am

    The biggest issue I imagine is that people think vulnerability is the same thing as risk

  16. dram on June 5, 2020 at 10:18 am

    I can go to a computer and log in as some account, and go to another computer to log in to the same account using the same username and password! It’s a session hijacking vuln!

  17. Arthur K on June 5, 2020 at 10:20 am

    Can we randomly generate session ids until we get a valid one and hijack that account?

  18. Joel Kreider on June 5, 2020 at 10:20 am

    My computer security course at uni defines a security vulnerability to be a property of a system, which under certain circumstances, may be exploited to perform a function that goes against the security policies put in place for the system. For example, even though many passwords cannot be brute forced by computationally bounded parties, under the circumstances of a computationally unbounded system, a password may be brute forced. Therefore no matter how trivial and useless, all passwords technically do yield a security vulnerability.

  19. nosirrahx on June 5, 2020 at 10:23 am

    This reminds me of a really stupid vulnerability I found on a forum way back in the XP days. I’m never going to remember the exact details now but it involved combining a perma-link and quote shared by an admin. You could right click the post title and open it in a new window and then become that user. It ended up looking like the user was replying to themselves even though it was a 3rd party making the post.

  20. Maulana Iskandar on June 5, 2020 at 10:23 am

    I think the reason businesses need CVSS is that in risk management terms they know about Risk Rating, which relates SLE (Single Loss Expectancy) to ARO (Annualized Rate of Occurrence).
    And vulnerability is tightly coupled with risk so… Yeah maybe that’s why they need CVSS.

  21. DP2G on June 5, 2020 at 10:24 am

    my job is to torture the it department

  22. Intellectualize on June 5, 2020 at 10:25 am

    Vaccines work.

  23. jydk37 on June 5, 2020 at 10:28 am

    Can someone explain in different words why #3 is not a vulnerability?

  24. MrDoboz on June 5, 2020 at 10:28 am

    if it allows somebody to maybe cause damage by using something in a way that it’s not intended, it’s a vulnerability. In fact there are not many things that are more vulnerable than a kitchen knife.

  25. Keldor314 on June 5, 2020 at 10:29 am

    We seem to assume vulnerabilities can only exist in code. But this really isn’t true. Even if we completely ignore the possibilities of social engineering attacks, there are other ways things outside of the code can make it vulnerable. Consider an error in documentation that leads developers to think a given function does some bit of extra check that it actually doesn’t. What if a developer gives it inputs from a source that really needed that extra check, thinking that the function would handle them like the documentation said? Or maybe the documentation was just a bit unclear and ambiguous? This is itself a vulnerability, or at the very least a "potential vulnerability", something that if not addressed will cause direct vulnerabilities in the future. Virtualenv would fall into this category if the documentation wasn’t immediately clear enough that it’s not actually a sandbox like the name suggests it might be.

    The example with the messages being sent through a tunnel, but with a second layer of (flawed) encryption beneath it is also definitely a vulnerability. The clear intent of the developer was to have a second, redundant layer of security, so that if something unexpected happens, like SSL being cracked, their messages will still be safe. However, the flaw in the encryption meant that this design parameter was not being met.

    It is like running a server, and having a backup system. Suppose you find out the backups aren’t working properly. Is this a problem? How could it be when the server is still running just fine? But of course it’s a problem! You would not be making backups in the first place if you didn’t think that you might well need them someday!

    A vulnerability in only a single component of a redundant system remains a vulnerability even if the system as a whole is still secure.

  26. Damian Rusinek on June 5, 2020 at 10:30 am

    1. CVE case: not a vuln.
    You just cannot take CVE "badge" as a proof of vuln. CVEs are assigned by people and we all make mistakes 🙂
    2. Smart Contracts case: a vuln.
    This case is reported as "not following the documentation (white paper)" and as you mentioned, it is a big thing from the investors’ perspective. However, such vulnerabilities can have PR consequences and ruin the project if it is hailed as a scam.
    3. Session case: not a vuln.
    😉
    4. XSS case: a vuln.

    IMO it is a vulnerability. For an argument that it is blocked by XSS Auditor you can reply that not every browser version supports it 🙂

    5. Padding Oracle case: a vuln.
    IMO definitely a vulnerability (low probability but still) for the same reason you mentioned. They added that for purpose.
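Comment 26's point on case 4, that a client-side filter only protects the browsers that happen to have it, is why reflected XSS has to be fixed where the untrusted value is written into the page. The following is an added example written for this page (not from the video or the commenter): the vulnerable reflection beside the escaped version, for the two contexts that matter most. The search handler and the payloads are constructed.

```python
import html

# Constructed attacker inputs (not from the page): a reflected payload for the
# HTML text context and one for an attribute context.
TEXT_PAYLOAD = "<script>alert(document.cookie)</script>"
ATTR_PAYLOAD = '" onfocus="alert(1)" autofocus="'


def render_search_vulnerable(query: str) -> str:
    """Reflects the parameter into the page verbatim: the server-side bug.
    Whether some browser's XSS filter happens to catch it changes nothing here."""
    return f"<h1>Results for {query}</h1>"


def render_search_fixed(query: str) -> str:
    """Same page with the value escaped for the HTML text context."""
    return f"<h1>Results for {html.escape(query, quote=True)}</h1>"


def render_input_fixed(query: str) -> str:
    """Attribute context: escaping must also cover quotes (quote=True) and the
    value must sit inside quotes, otherwise a space starts a new attribute."""
    return f'<input name="q" value="{html.escape(query, quote=True)}">'


def has_live_script(page: str) -> bool:
    """Crude check for the examples below: an unescaped <script tag survived."""
    return "<script" in page.lower()


if __name__ == "__main__":
    print(render_search_vulnerable(TEXT_PAYLOAD))
    print(render_search_fixed(TEXT_PAYLOAD))
    print(render_input_fixed(ATTR_PAYLOAD))
```

Output encoding is per context: the text-context escape would not be enough on its own inside an unquoted attribute, a URL, or a script block, which is where template engines with context-aware auto-escaping earn their keep. A Content-Security-Policy is a sensible second layer, but like the XSS Auditor it is a mitigation, not the fix.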

  27. Kresten Sckerl on June 5, 2020 at 10:31 am

    5:18, I once did that and got mad that the company I was reporting to got mad at me. I was just trying to help… or get recognition xD

  28. OskarZyg on June 5, 2020 at 10:33 am

    I found a vulnerability in my schools network that lets you access anyone’s files with 2 lines of python. I reported it and nobody cared lol.

  29. David De Lille on June 5, 2020 at 10:35 am

    For me, something is a vulnerability if you can do something you’re not supposed to be able to do. In other words, it grants some extra capability that was not intended.

    #1: Virtualenv is not designed to stop execution of system commands, so there are no additional capabilities ==> no vuln
    #2: ICO shouldn’t be able to mint new coins => vuln
    #3: Session tokens are like passwords; if someone knows yours, they can log in as you => no vuln
    #4: You shouldn’t be able to inject JavaScript which is run in someone else’s browser => vuln
    #5: You shouldn’t be able to decrypt the internal payload => vuln
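Case 5, the flawed inner encryption layer discussed in comments 4, 25, 26 and 29, is easiest to judge once you see how little the attacker needs. The following is an added example written for this page, not code from the video or from any commenter: CBC with PKCS#7 padding over a toy SHA-256 Feistel block cipher (an assumption standing in for the real cipher; the attack does not depend on which block cipher is used), a receiver that leaks only whether the padding was valid, and an attacker that recovers the whole plaintext from that one bit per query. Key, IV and message are constructed.

```python
import hashlib

BLOCK = 16


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _round(key: bytes, rnd: int, half: bytes) -> bytes:
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:8]


def block_encrypt(key: bytes, block: bytes) -> bytes:
    """Toy 128-bit block cipher (4-round SHA-256 Feistel) standing in for AES.
    The attack is cipher-agnostic: it needs only CBC mode and the oracle."""
    l, r = block[:8], block[8:]
    for rnd in range(4):
        l, r = r, xor(l, _round(key, rnd, r))
    return l + r


def block_decrypt(key: bytes, block: bytes) -> bytes:
    l, r = block[:8], block[8:]
    for rnd in reversed(range(4)):
        l, r = xor(r, _round(key, rnd, l)), l
    return l + r


def pad(data: bytes) -> bytes:  # PKCS#7
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def unpad(data: bytes) -> bytes:
    n = data[-1]
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]


def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    data, out, prev = pad(plaintext), [iv], iv
    for i in range(0, len(data), BLOCK):
        prev = block_encrypt(key, xor(data[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key: bytes, ciphertext: bytes) -> bytes:
    blocks = [ciphertext[i:i + BLOCK] for i in range(0, len(ciphertext), BLOCK)]
    plain = b"".join(xor(block_decrypt(key, c), p) for p, c in zip(blocks, blocks[1:]))
    return unpad(plain)


def make_oracle(key: bytes):
    """The flaw: the receiver tells the sender whether padding was valid
    (a distinct error, status code or timing). Queries are counted."""
    calls = [0]

    def oracle(ciphertext: bytes) -> bool:
        calls[0] += 1
        try:
            cbc_decrypt(key, ciphertext)
            return True
        except ValueError:
            return False
    return oracle, calls


def padding_oracle_attack(oracle, ciphertext: bytes) -> bytes:
    """Recovers the plaintext without the key, one byte at a time from the
    end of each block, using nothing but the oracle's yes/no answers."""
    blocks = [ciphertext[i:i + BLOCK] for i in range(0, len(ciphertext), BLOCK)]
    recovered = b""
    for prev, target in zip(blocks, blocks[1:]):
        inter = bytearray(BLOCK)       # block_decrypt(key, target), learned byte by byte
        for pos in range(BLOCK - 1, -1, -1):
            padval = BLOCK - pos
            forged = bytearray(BLOCK)  # attacker-chosen "previous block"
            for j in range(pos + 1, BLOCK):
                forged[j] = inter[j] ^ padval   # known bytes forced to decrypt to padval
            for guess in range(256):
                forged[pos] = guess
                if not oracle(bytes(forged) + target):
                    continue
                if pos == BLOCK - 1:   # exclude an accidental 02 02 (or longer) padding
                    forged[pos - 1] ^= 1
                    still_valid = oracle(bytes(forged) + target)
                    forged[pos - 1] ^= 1
                    if not still_valid:
                        continue
                inter[pos] = guess ^ padval
                break
        recovered += xor(inter, prev)
    return unpad(recovered)


def demo():
    """Constructed key, IV and message; returns (secret, recovered, oracle queries)."""
    key, iv = bytes(range(16)), bytes(range(16, 32))
    secret = b"second layer secret: the tunnel alone was not enough"
    oracle, calls = make_oracle(key)
    return secret, padding_oracle_attack(oracle, cbc_encrypt(key, iv, secret)), calls[0]


if __name__ == "__main__":
    secret, recovered, n = demo()
    print(recovered, "recovered with", n, "oracle queries")
```

The cost is at most 256 queries per plaintext byte plus a couple of disambiguation queries, so a few thousand requests recover a whole message, and the attacker never touches the key. The fix is to authenticate the ciphertext before decrypting (an AEAD mode, or encrypt-then-MAC with a constant-time comparison) so that a tampered message is rejected without revealing why.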

  30. Lewis Johnson on June 5, 2020 at 10:35 am

    “I’m curious what you think about it”, not “how you think about it”

  31. vypxl on June 5, 2020 at 10:35 am

    I found an XSS: if you press f12, and select console, you can enter any javascript on any website!!

  32. Sebirocs on June 5, 2020 at 10:36 am

    i just wanted to say apple bug bounty sucks

  33. FENRIR on June 5, 2020 at 10:36 am

    Wait redstarOS?? I see you are a man of culture as well

  34. Ayush Ojha on June 5, 2020 at 10:37 am

    In the third example, regarding the session hijack, I think you missed taking into account the number of users in the system, which is mostly proportional to the number of active sessions and increases the probability of a successful brute-force. So, a system with many users had better have a longer session id to be secure. Am I right?
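Comment 17 asks whether you can generate session IDs until one is valid, and comment 34 asks whether the number of users changes the answer. Both reduce to the same arithmetic, shown here as an added example written for this page (not from the video or the commenters): the per-guess success chance is the number of live sessions divided by the ID space, so more sessions do help the attacker and only a larger ID space compensates. The session count, the guess rate and the one-week window are assumed inputs; the formulas themselves are standard.

```python
import math
import secrets


def guesses_to_first_hit(id_bits: int, active_sessions: int) -> float:
    """Expected number of random guesses before one lands on a valid session,
    assuming IDs are uniform over 2**id_bits values and `active_sessions`
    of them are valid at any moment."""
    return 2.0 ** id_bits / active_sessions


def hit_probability(id_bits: int, active_sessions: int,
                    rate_per_sec: float, seconds: float) -> float:
    """P(at least one guess is valid) after rate_per_sec * seconds guesses.
    1 - (1 - p)**n, computed with log1p/expm1 so tiny p stays accurate."""
    p = active_sessions / 2.0 ** id_bits
    n = rate_per_sec * seconds
    return -math.expm1(n * math.log1p(-p))


def bits_needed(active_sessions: int, rate_per_sec: float, seconds: float,
                max_probability: float) -> int:
    """Smallest ID length (bits) keeping the attacker's success probability
    over the window at or below max_probability, using the small-p
    approximation n * S / 2**b <= max_probability."""
    n = rate_per_sec * seconds
    return math.ceil(math.log2(n * active_sessions / max_probability))


def new_session_id() -> str:
    """128 bits from the OS CSPRNG; never a counter, timestamp or user id."""
    return secrets.token_hex(16)


if __name__ == "__main__":
    WEEK = 7 * 24 * 3600  # assumed session lifetime / attack window
    for bits in (32, 64, 128):
        print(f"{bits:3d}-bit IDs, 10k live sessions, 1000 guesses/s for a week: "
              f"P(hit) = {hit_probability(bits, 10_000, 1000, WEEK):.3g}")
    print("bits needed, 10k live sessions:", bits_needed(10_000, 1000, WEEK, 1e-6))
    print("bits needed, 10M live sessions:", bits_needed(10_000_000, 1000, WEEK, 1e-6))
```

With the assumed numbers a 32-bit ID is found with near certainty within minutes, while a 128-bit one gives the attacker a probability on the order of 1e-26 over the whole week; going from ten thousand to ten million live sessions raises the required length by about ten bits, which is the effect comment 34 is pointing at. Common guidance (for example OWASP's Session Management Cheat Sheet) asks for at least 64 bits of entropy; secrets.token_hex(16) gives 128 and leaves copying a known cookie, not guessing one, as the only way in.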

  35. 殺手Zombie on June 5, 2020 at 10:40 am

    Am I the only one doing bug bounty here? 😂

    My H1 profile : https://hackerone.com/man_shum
    Instagram: https://instagram.com/evmannn

  36. Filip's World on June 5, 2020 at 10:40 am

    A vulnerability is a generally expected weakness or flaw in software, a protocol or an algorithm that allows weird things to occur; it can be a bug, but it can also be just the nature of a machine. A bug is a bad implementation in software that allows manipulation of calls, bytes or packets so that an unexpected or unintended thing happens. An exploit is a method of manipulating one or more bugs that flips the software into doing the very intended things in a different way, so it can bypass or change behavior, for example authentication, regular procedures, loops, permissions, etc.

  37. Dragiux on June 5, 2020 at 10:41 am

    "The client has to fix the issue"

    Praise. We’re in the current mess because tools tend to hand hold developers without proper error reporting instead of slapping them on the face saying you can’t do this shit.

  38. jean François on June 5, 2020 at 10:45 am

    If a bug can be exploited it is not a vulnerability?

  39. Dina Elhanan on June 5, 2020 at 10:47 am

    woops! typo at 0:09 😀

  40. [object Object] on June 5, 2020 at 10:47 am

    15:36 late 2018?

  41. theGrabix on June 5, 2020 at 10:47 am

    I have found a vulnerability.
    Type: *Alternate User Version Injection* – it is the situation when one version of a user commits a permitted action that a later version of the same user won’t approve.

    Reproduction steps:
    1. Get drunk.
    2. Log in to your Twitter account
    3. Write a tweet where you say that your boss is ********
    What happens: You are fired.
    What should happen: Twitter should block actions that won’t be approved by a future version of the user.

    (In this case an alternate version of the user has been injected via alcohol)

  42. DaVince21 on June 5, 2020 at 10:48 am

    Nice secret at 12:15.

  43. Shary on June 5, 2020 at 10:48 am

    My definition:
    Something that allows unexpected behavior or results, or something that allows bypassing at least one layer of security.

    This covers the bugs that can’t be exploited because of a second layer of security. But "unexpected behavior" is still difficult to define. You still have to explain why session cookies are expected behavior. And why **from the user’s point of view** the smart contract is flawed.

  44. ►What r U Waiting◄ ☺◘♪☼ on June 5, 2020 at 10:49 am

    definition of vulnerability: exploitable option.

  45. Etop Owertwon on June 5, 2020 at 10:51 am

    Interesting "not security vulnerability" which still can be exploited:
    in most companies if you try to log in with an incorrect password too many times, the account is blocked. Theoretically it can be used for a DoS attack: a Bad Guy can sabotage the company’s usual workflow simply by inserting too many incorrect passwords for important people until they are blocked.
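The lockout trade-off described in the comment above, as an added example written for this page (not the commenter's code): a hard per-account lockout next to a per-(account, source) exponential back-off, driven through the same scenario of an attacker sending wrong passwords for someone else's account. Usernames, addresses, the five-attempt limit and the timings are constructed.

```python
from collections import defaultdict


class HardLockout:
    """Policy the comment describes: N wrong passwords lock the account,
    whoever sent them. Anyone who knows a username can lock its owner out."""

    def __init__(self, limit: int = 5):
        self.limit, self.failures = limit, defaultdict(int)

    def attempt(self, user: str, source_ip: str, password_ok: bool, now: float) -> str:
        if self.failures[user] >= self.limit:
            return "locked"
        if password_ok:
            self.failures[user] = 0
            return "ok"
        self.failures[user] += 1
        return "denied"


class PerSourceThrottle:
    """Alternative: failures are counted per (user, source) and each one
    doubles the wait before that source may try again. The real user on a
    different address is unaffected; an online guesser from one address
    still gets only a handful of tries per hour."""

    def __init__(self, base_delay: float = 1.0, max_delay: float = 900.0):
        self.base, self.max = base_delay, max_delay
        self.failures = defaultdict(int)        # (user, source) -> wrong guesses
        self.next_allowed = defaultdict(float)  # (user, source) -> earliest retry

    def attempt(self, user: str, source_ip: str, password_ok: bool, now: float) -> str:
        key = (user, source_ip)
        if now < self.next_allowed[key]:
            return "throttled"
        if password_ok:
            self.failures[key] = 0
            return "ok"
        self.failures[key] += 1
        delay = min(self.max, self.base * 2 ** (self.failures[key] - 1))
        self.next_allowed[key] = now + delay
        return "denied"


def simulate(policy) -> dict:
    """Constructed scenario: an attacker at 203.0.113.9 sends five wrong
    passwords for 'alice' one second apart, then alice logs in correctly
    from 198.51.100.4. Returns both parties' results."""
    attacker = [policy.attempt("alice", "203.0.113.9", False, now=float(t))
                for t in range(5)]
    victim = policy.attempt("alice", "198.51.100.4", True, now=5.0)
    return {"attacker": attacker, "victim": victim}


if __name__ == "__main__":
    print("hard lockout: ", simulate(HardLockout(limit=5)))
    print("per-source back-off:", simulate(PerSourceThrottle(base_delay=1.0)))
```

Under the hard lockout the victim's correct login comes back "locked"; under the back-off it succeeds while the attacker's third and fifth attempts are throttled. Per-source limits can be spread across many addresses, so real deployments combine them with a slower per-account budget, step-up challenges or device signals rather than picking one policy.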

  46. Caleb on June 5, 2020 at 10:52 am

    In my opinion CVSS is primarily useful as a vector, not a score. The vector can be mapped to a risk management framework such as ATT&CK to help defenders assess whether they have compensating controls or mitigations for a given vulnerability. The vector tells a story that can be interpreted through the lens of a risk model, basically.

  47. RC-14 on June 5, 2020 at 10:53 am

    Authenticated remote code execution!!!
    1. open terminal
    2. execute this command: "ssh 127.0.0.1"
    3. username: "root"
    4. passcode: "security"

    I need a better passcode…

  48. JonPizza on June 5, 2020 at 10:53 am

    Security Vurn: <script>alert(document.cookie)</script> lol gotem hehehehehehhehe this is gonna work and be so funny lol lmao ha

  49. Silica on June 5, 2020 at 10:53 am

    I FOUND A VULNERABILITY: RUNNING ARBITRARY CODE RESULTS IN ARBITRARY CODE

  50. Adam M on June 5, 2020 at 10:55 am

    13:13 Secret
