A vulnerability in the R programming language was discovered. I show how it works as well as other ways that you can be exploited by using features of the R programming language. We go over:
abusing .onLoad()
hiding bad intentions in S3 generics
and how compiled code can hide things
The exploit is because promises can be stored in an rda or rds files. These unexecuted pieces of code can then be evaluated on your computer. But this doesn't surprise me or worry me. There are many other ways that you can be hacked using R.
Twitter: / josiahparry
GitHub: https://github.com/josiahParry
LinkedIn: / josiahparry
0:00 - R 4.4
0:10 - Vulnerability
0:45 - using the exploit
0:55 - explanation
1:25 - avoiding it
2:25 - exploiting .onLoad
3:00 - using http requests
3:30 - hiding side-effects with S3
3:59 - compiled code
4:30 - closing