How Google Analytics was used to Breach Virtually any Website

Views: 182,936

Daniel Boctor


In this video, we take a deep dive into the inner mechanics of Cross Site Request Forgery (CSRF), CSRF Tokens, and how Sergey Bobrov was able to bypass them with a joint Google Analytics & Django web framework exploit / vulnerability. CSRF is the lesser known of the big three web attacks, the other two being SQL injection and cross-site scripting (XSS).
0:00 - Overview
0:48 - Cookies
3:17 - Cross Site Request Forgery (CSRF)
4:29 - CSRF Tokens
6:42 - Exploit / Vulnerability
WE HAVE A DISCORD NOW! / discord
Django patch - www.djangoproject.com/weblog/...
Original report - hackerone.com/reports/26647
Sergey Bobrov - hackerone.com/bobrov?type=user
Double Submit Cookie - cheatsheetseries.owasp.org/ch...
MUSIC CREDITS:
LEMMiNO - Cipher
• LEMMiNO - Cipher (BGM)
CC BY-SA 4.0
LEMMiNO - Nocturnal
• LEMMiNO - Nocturnal (BGM)
CC BY-SA 4.0

Comments: 215
@DanielBoctor 7 months ago
🚨🚨🚨 *UPDATE* 🚨🚨🚨 This was my first cyber video. Am I proud of it? No, it's lame as hell. Should you watch it? No, go watch another one, such as my Microsoft exploit chain: kzfaq.info/get/bejne/gZuHgs59xq23XXk.html Why was my speech weird? I have no idea, I didn't notice it at the time. I get nervous when I record myself. Did I start talking normally in other videos? Yes. Why don't I take it down? Because it's a relic of the past now, and still contains interesting information, but it is NOT up to the standards of my other videos. While you're at it, join the discord: discord.gg/WYqqp7DXbm Love yall
@BlueEdgeTechno 3 months ago
You are wrong, it is more interesting than others.
@Nurse_Xochitl 2 months ago
it was fine lol
@aswath1991 7 months ago
Great video. Remember y’all CSFR == CSRF
@fang_xianfu 4 months ago
Seriously, several times in this video he messes it up in the exact same sentence!
@MaZe741 3 months ago
annoyed me too, especially because he should just be pronouncing it "seasurf"
@someguyO2W 3 months ago
Grinds my gears ngl
@hedonist2104 7 months ago
Do you talk in real life, face to face with people, the same way you do in this video? Your intonation is CRAZY!
@dethdeks 7 months ago
glad im not the only one who got annoyed by his voice
@LukeVader77 7 months ago
It's fine imo. He just sounds like NileRed
@DavidStarkers 7 months ago
I closed the video the second time I heard him mispronounce subsequently 😢
@user-lm3hl3cp7t 7 months ago
everythings a question 😂
@vitmaubra 7 months ago
I like his intonation. I feel like I'm watching a movie trailer about hacking
@LesterFernandezIO 7 months ago
Thank you for explaining CSRF. It’s always been a mystery to me and I’ve never taken the time to look into it. This video was very helpful and insightful. Throughout the video my mind was thinking about ways that the tokens should be stored and then you mentioned the double submit cookie method, loved that.
@DanielBoctor 7 months ago
Thank you! I'm glad it was helpful
@TheBrcko1 7 months ago
Great video very interesting. Good quality too. Bit weird reading when prolonging and upward end of words, but very informative. Thanks.
@kooistradurk 7 months ago
Sassyyyyyy velleyyyy accent
@TheControlMastr 7 months ago
What an amazing video! I finally understood everything this time 🎉 the fact I also learn something new makes this even better! Your analogies are unbelievably simple
@DanielBoctor 7 months ago
LET'S GOOOOOO glad it was helpful! Thank you for the comment
@Mischala 7 months ago
Really great explanation of both a maybe vuln and CSRF mitigation efforts.
@geeknerd763 7 months ago
I'm new to this channel, and I must say what a great video, you explained the coding jargon quite beautifully
@DanielBoctor 7 months ago
Glad to have you aboard! Thank you for your words 😊
@CalebXplores 7 months ago
Thank you for the info!! Just curious is this something you learn as you make? How much research time does it take you to make these videos? Definitely a lot of effort put into these videos!!
@DanielBoctor 7 months ago
I'm glad you liked it! That's a good question lol. It all depends on the topic. Some of them I'm already familiar with before I make the video, and others I'll learn as part of the research process for the video. The amount of time it takes varies a lot video to video, but it does take a lot of effort. I wish I could be uploading more frequently but school is taking up a lot of my time at the moment. I appreciate your comment a lot
@AlbertoHernandez1 7 months ago
well done! its nice having an insight on security breaches :)
@DanielBoctor 7 months ago
Thank you! Glad you enjoyed 😊
@n8guy 6 months ago
Great video. Thanks! Also, I've heard CSRF pronounced as "sea surf". Rolls off a bit more smoothly than pronouncing each letter every time.
@renasoliveira1909 7 months ago
Very interesting and cultivating video ! Keep up the good work.
@DanielBoctor 7 months ago
Thank you!! I'm glad you liked it 😊
@cyberwaves 7 months ago
CSFR or CSRF, I don't know why I heard both.
@AminD0 7 months ago
Great video! Good analogous explanations. Subbed!
@DanielBoctor 7 months ago
Glad to have you aboard! Thanks for watching
@ChandravijayAgrawal 3 months ago
I liked so many one piece references at the start, the wanted poster, whitebeard and chopper
@vchalls 7 months ago
vulnerabiliTYYY in both google analyTIIIICS
@DanielBoctor 7 months ago
LOOOOOOOOL ik everyones roasting me over that now
@user-ll4on9my7h 7 months ago
2:10 this analogy is wrong. It is essentially like what it is. You login and then are given a unique code which identifies you. It is not like a generic wrist band EVERYONE has as every single sessionID is unique.
@DanielBoctor 7 months ago
Good callout - the wristband would need to be unique in this case. Thanks for pointing this out!
@alexaneals8194 7 months ago
I would argue that the analogy is fine. An analogy is like a model, it does not need a 1 to 1 correspondency. A model simplifies the actual process. For example: if I had to explain why using a GUID as clustered primary key was a bad idea, I would illustrate it by using an array. Most database engines use B-Trees for their indexes, but an array is easier for users who do not know the guts of the database engine.
@daztub4901 7 months ago
Actually its better to have a session Id created before you login then regenerate the session then link it to your user parameters , and use a different csrf token if need be. Of course depending on how your traffic is handled you can make a completely new session but usually redundant.
@DrGreerIsRight 7 months ago
I thought this went without saying
@makamaka487 7 months ago
Had to drop a like for seeing LEMMiNO's music credited :)
@DanielBoctor 7 months ago
LOOOOL ik he's awesome for making them available
@LukeVader77 7 months ago
Thanks for the information! This was well explained.
@DanielBoctor 7 months ago
Thank you for watching! Keep on spreading that positivity
@erwor-me 7 months ago
great explanation of csrf, keep it up!!
@DanielBoctor 7 months ago
Thanks! Will do
@1337GameDev 6 months ago
4:13 - Any developer who has ANY foresight at all... will have 2 levels of actions for an account -- ones that can be done for convenience, and ones that require a 2nd challenge for authentication again -- eg: you'll need to enter your password and re-2fa to these endpoints-- and that endpoint will then generate a 1-time use guid for THAT action instance ONLY, and THEN send THAT (usually internally) or a 2nd cookie user token id for that user (and leave the old session active) and then after the operation -- "kill" the provided session. Usually these new sessions will be created, and ONLY populated with values that indicate it's for 2nd challenge requests and to be deleted after (prevents issues where a user's normal session is sent by mistake, or an attacker has hijacked a session).
@DanielBoctor 6 months ago
Yep, this is common practice, essentially making all 2nd challenge requests CSRF proof. The case in the video applies to endpoints without this protection, though in the real world an endpoint that deletes an account would almost certainly have this enabled. Thanks for bringing this up!
@swapneeldas5824 7 months ago
bro hit jackpot with this video....congrats..
@NessCS2 7 months ago
I see a lot wrong with the video. He is saying CSFR not CSRF
@dr7049 7 months ago
Very well made!
@DanielBoctor 7 months ago
Glad you enjoyed!! Thanks for watching 😊
@FloydMaxwell 7 months ago
I noticed several rude comments complaining about your "intonation". Your intonation is just fine. I've a single suggestion, regarding the word "subsequent". You are emphasizing the second syllable, when it should be the first that is emphasized. That's it, that's all. Have a great day!
@DanielBoctor 7 months ago
Yeah I get that now, and I appreciate the feedback. Glad you enjoyed, and thanks for the comment
@qmoonp 7 months ago
is session hijacking a risk across multiple browsers? for example if i got a hijacking attempt on opera with no logins or cookies, would my firefox browser where i have logins be at risk?
@DanielBoctor 7 months ago
Generally speaking, no. As long as the websites serve different cookies to the different browsers / sessions, you should not be at risk. Of course, it doesn't mean it's impossible though. If for some reason websites serve the same cookies cross browser, using browser fingerprinting or other means, it could theoretically be possible. Some websites that serve session tokens to unauthenticated users will actually reuse the SAME session token as an authentication token if the user logs in. This means that having an unauthenticated session token stolen could lead to a breach of your account if you authenticate at a later date. In short though, most of the time, cookies are independent across browsers, and your firefox logins would not be at risk.
@daztub4901 7 months ago
Look at same origin policy bro
@qmoonp 7 months ago
@daztub4901 i'm not very tech savvy. Does "origin" mean browser? "a web browser permits scripts contained in a first web page to access data in a second web page, but only if both web pages have the same origin"
@ramimezghani8321 6 months ago
How did the devs in Django not think of this? Were they not aware of the other factors and thought they had it air tight that they did not expect someone to be able to trick the comparison?
@JaySyzdek 7 months ago
The fact that this AI voice uses 3 different CSRF, CSFR, CRSF to explain this really kills the credibility.
@Rob-ky1ob 7 months ago
Wait, its an AI voice? I was seriously annoyed by how the voice sounded, especially how the sentences are ending. It almost sounds like a whiny way of talking. I couldn't finish the video, it annoyed me too much.
@PaLaS0 7 months ago
@Rob-ky1ob seems like it's not AI but for sure annoying
@yoyoma2831 7 months ago
Sounds like AI
@bmeht 7 months ago
No, the guy is just a fraud who doesn't know the topics he publishes videos on.
@BadmintonLogic 6 months ago
@Rob-ky1ob same fking zesty as f
@MrScoffins 3 months ago
Your /account/delete example only works if the website is stupid enough to do this using a GET request. In reality, most would do this using a POST request, which cannot be triggered by just opening the URL. Very few (if any) would simply delete your account when a specific URL is accessed, this would be a very dumb way to design a website.
@notnoaintno5134 3 months ago
His pronunciation of subsequent makes sense because sequence is pronounced that way
@boltez6507 4 months ago
Websites can mitigate session hijacking through browser fingerprinting.
@VaibhavShewale 7 months ago
well cookie stealing still happens!
@goednieuwskrantje-nl 7 months ago
The google search engine is worse today than it was 10 years ago
@iuse9646 6 months ago
It hides information and tries to keep us in our bubbles + heavily influenced via advertisements and b.s. SEO
@camelotenglishtuition6394 7 months ago
Great video dude
@DanielBoctor 7 months ago
Thank you! You are an awesome fella
@camelotenglishtuition6394 7 months ago
@DanielBoctor fyi I'm an ethical hacker..happy to share any experiences if you ever need to
@DanielBoctor 7 months ago
for sure! I have a discord server for the channel as well - feel free to join.
@ahndeux 7 months ago
I need to watch this video anytime I have insomnia. Two minutes into it, and you're nodding to sleep. Bueller... Bueller...
@bogmosisjones9382 7 months ago
It's not nonsense, just nonsense to you
@ahndeux 7 months ago
@bogmosisjones9382 I didn't say it was nonsense. I just said it was boring. Put me to sleep. ZzzzzzzZzzzzzzzzzzzzzzzzzZzz
@tfr 7 months ago
oh! good to know my institute’s website has this vulnerability uh oh
@DanielBoctor 7 months ago
That would only be true if they are still on Django 1.8 & 1.9 though - it was patched in 1.9.10 and 1.8.15
@adamjutras7024 7 months ago
Attackers like Google themselves selling your data or handing it over to authorities?
@N.... 3 months ago
Can't the server just encrypt the cookie CSRF token with a key only the server knows? That would guard against exploits like this one from my understanding, since even if an attacker could overwrite the cookie, they wouldn't know what key to encrypt it with, so they'd be unable to generate a matching pair of CSRF token + encrypted CSRF cookie
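The idea raised in the comment above, as an added example that is not part of the thread, the video or Django's code: a signed double-submit cookie, using an HMAC over the session id rather than encryption. `SERVER_KEY`, the function names and the session ids are assumptions constructed for illustration.

```python
import hashlib
import hmac
import secrets

# Assumption: a random per-deployment secret that only the server holds.
SERVER_KEY = secrets.token_bytes(32)


def _mac(session_id: str, nonce: str, key: bytes) -> str:
    # Length-prefix the session id so the session/nonce boundary is unambiguous.
    msg = f"{len(session_id)}:{session_id}|{nonce}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def issue_csrf_token(session_id: str, key: bytes = SERVER_KEY) -> str:
    """Value sent both as the CSRF cookie and embedded in the form: 'nonce.mac'."""
    nonce = secrets.token_hex(16)
    return f"{nonce}.{_mac(session_id, nonce, key)}"


def naive_double_submit(cookie_token: str, request_token: str) -> bool:
    """Plain double submit: accept whenever cookie and form value are equal."""
    if not cookie_token or not request_token:
        return False
    return hmac.compare_digest(cookie_token.encode(), request_token.encode())


def signed_double_submit(session_id: str, cookie_token: str,
                         request_token: str, key: bytes = SERVER_KEY) -> bool:
    """Equal values are not enough: the token must carry a MAC for this session."""
    if not naive_double_submit(cookie_token, request_token):
        return False
    nonce, sep, mac = cookie_token.partition(".")
    if not (sep and nonce and mac):
        return False
    expected = _mac(session_id, nonce, key)
    return hmac.compare_digest(mac.encode(), expected.encode())


def demo() -> dict:
    victim = "sess-victim-constructed"   # constructed sample session ids
    other = "sess-other-constructed"
    good = issue_csrf_token(victim)
    planted = "A" * 32                   # cookie and form field both overwritten
    foreign = issue_csrf_token(other)    # valid token, but for another session
    return {
        "legit_signed": signed_double_submit(victim, good, good),
        "planted_naive": naive_double_submit(planted, planted),
        "planted_signed": signed_double_submit(victim, planted, planted),
        "foreign_signed": signed_double_submit(victim, foreign, foreign),
    }


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name}: {'accepted' if accepted else 'rejected'}")
```

Binding the MAC to the session id is what rejects a token that was validly issued to a different session; a MAC over the nonce alone would accept it.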
@TheRealLeccho 7 months ago
detailed video I like it
@Conorscorner 7 months ago
The up talking was too distracting to finish this video?
@DanielBoctor 7 months ago
yeah I didn't realize it at the time LOL I'll fix it going forward
@DutchManticore 7 months ago
@DanielBoctor content is great but indeed the upward inflections are kinda offputting. Just some constructive criticism. Did watch the entire video
@DanielBoctor 7 months ago
Yeah I know, I appreciate all of you bringing it up - I was unaware of it when I filmed it lol. Glad you liked it
@omd_0 7 months ago
thanks for this video ❤
@DanielBoctor 7 months ago
I'm glad you liked it! You are an awesome fella keep on doing what you're doing
@ProfessorThock 7 months ago
Hella potential in this channel. There were some auditory distractions though that I see comments about and that I noticed. PLEASE upgrade your mic. Best $150 you can spend on a KZfaq channel. That’ll help a lot. Focus on your words a little more, there were things like you kept switching between “CSFR” and “CSRF”.
@DanielBoctor 7 months ago
ayyyyyy I appreciate it. I didn't think my mic was that bad though, I'm using a HyperX Duocast which I got specifically for this channel. The whole speaking thing I agree with though, I'll try fix it with my future videos. One of my friends called my up-speak 'The Canadian Rise', I didn't even notice it while I was filming lol. I appreciate all the feedback
@oxi2118 7 months ago
interesting watch!
@DanielBoctor 7 months ago
Glad you liked it!
@BOBLAF88 7 months ago
Square bracket Christmas cookies are to be avoided . 🎄
@FuzeTheWholeTeam 7 months ago
More vass please
@jannadel4369 7 months ago
Where exactly do you get 1 million $ from? I dont see him getting awarded that sum, nor that he hacked google
@Dystopian1 7 months ago
not csfr........ CSRF Please dont say CSFR.........
@harshvardhansinha7688 7 months ago
what is up with CSFR 🤣🤣🤣
@matthewkeen6281 3 months ago
nice
@obnoxiousthegod 7 months ago
tons of csrf tokens are rly poorly implemented and not always sent in request bodies see tons in the header
@daztub4901 7 months ago
That's what should be taught first or second in php
@dr.merlot1532 7 months ago
Why does it sound like you keep asking questions with every sentence you say?
@RandomGeometryDashStuff 3 months ago
04:36 why not just use http origin header?
@elmehdioubouhouch 7 months ago
Great video
@DanielBoctor 7 months ago
glad you liked it
@elmehdioubouhouch 7 months ago
@DanielBoctor 🥰🥰🥰
@palm_of_pan 7 months ago
Damn bro chill with the upspeak. Otherwise good vid
@Faeest 7 months ago
Who uses django? Like, who? I'm sorry did I miss something? So much language to build web, why django?
@daztub4901 7 months ago
Tell me who tf uses jsp
@codedsprit 7 months ago
Feels like LEMMINO 😮
@DanielBoctor 7 months ago
LEMMiNO is the GOAT
@KasaBlanca007 7 months ago
Couldn’t get past the first 10 seconds
@novadea1643 7 months ago
So the vulnerability was Django being a piece of shit and not following standards? How surprised, the framework should be called Djanky. Also how the fuck does this have anything to do with "Breaching Google"?
@daztub4901 7 months ago
Django is partially at fault. Google should do some testing when using different versions of django. But you are right.
@xeridea 3 months ago
@daztub4901 Why is google responsible for testing everyone else's code? I would say 1000% Django fault for refusing to follow common standards.
@BenMorse0 7 months ago
Up talk
@memeasism 3 months ago
can someone send a link to the video with someone who talks normal
@macethorns1168 7 months ago
Pro-tip: stop reading every line like a question
@springier6869 7 months ago
very good video
@DanielBoctor 7 months ago
I'm glad you liked it 😊
@1mag1n33dev 7 months ago
i guess i have to switch to django now
@ytg6663 7 months ago
Is django >=4.0 vulnerable?
@saralightbourne 7 months ago
this vulnerability has nothing to do with django, it's related to python. this video is just totally misleading
@DanielBoctor 7 months ago
To answer @ytg6663, it is not. This was patched in 1.9.10 and 1.8.15, and I linked to the release in the description. As for @saralightbourne, the issue was originally a Python issue, yes. The fact that backslashes were being used as cookie delimiters was due to the implementation in a core Python library, which is what Django was using. hg.python.org/cpython/file/3.4/Lib/http/cookies.py#l432 However, Django released 1.9.10 and 1.8.15 as a workaround to the core Python library, and Django was the one that rewarded Sergey Bobrov. The release can be seen here: www.djangoproject.com/weblog/2016/sep/26/security-releases/ And the diff can be seen here: 1.9 - github.com/django/django/commit/d1bc980db1c0fffd6d60677e62f70beadb9fe64a 1.8 - github.com/django/django/commit/6118ab7d0676f0d622278e5be215f14fb5410b6a
@nephteray303 6 months ago
CSRF… CFSR… CRSF… make up your mind! Lol
@Fred-yq3fs 7 months ago
Technical explanations should not be overlaid with music let alone obtrusive music. At least, mix it much lower than the voice. You could also slow down the pace a bit when more complex or new concept. Besides, your intonation is very distracting (ending most sentences with an up tone is not standard by any mean), all things detrimental to understanding. Great content though (apart from CSFR, lol). Lil tweaks...
@DanielBoctor 7 months ago
Definitely going to work on implementing all of the advice you and others are giving me. I'm still new to making videos, and I'm learning and improving with each one. I genuinely appreciate the feedback
@matthewrease2376 3 months ago
You sound like Fireship 🧐
@DanielBoctor 3 months ago
I'll take this as a compliment lol
@m4rt_ 3 months ago
Btw, it seems like you mispronounced CSRF as CSFR a few times.
@DanielBoctor 3 months ago
I know. I'm still new to recording myself and I get pretty nervous. I got a lot better since this video though
@booper54 7 months ago
He says CSFR about half the time. Guy has serious dyslexia.
@andreworlowski9100 7 months ago
I noticed this as well. Great video otherwise!
@DanielBoctor 7 months ago
I couldn't agree with you more LOOOOOOOOOL
@Ayymoss 6 months ago
Why does every sentence end an intonated question?
@zlackbiro 7 months ago
Django is the worst and slowest framework ever built for web.
@YeloPartyHat 2 months ago
You should really cut down on the acronym usage. It makes the video much harder to follow, and you messed up a bit.
@claudeburbank180 7 months ago
CSFR
@evansjahja711 7 months ago
You... switched to saying CSFR mid video
@TB-us7el 7 months ago
I'd like to watch this viDEO, but all your sentences go up aT tHE END, making everything sound like a quesTION? Please stop doing tHAT. (caps for emphasis)
@arnizz5301 16 days ago
Subsieequently
@FainTMako 7 months ago
This story is BS. Sounds like you just learned about csrf and wanted to make a video about it. Your suggested mitigation strategies are weak and this is not an issue...
@daztub4901 7 months ago
Spot on m8. No sarcasm but that could be his way of learning, and if you could do better try it. I personally need more knowledge on stuff like this, but the video is a bit of a waffle.
@FainTMako 7 months ago
@daztub4901 I can do quite a bit better. Would you rather listen to a robot spit out random ideas or would you rather hear a professor tell you how it is
@FainTMako 7 months ago
@daztub4901 Saying you need more knowledge on this is actually scary because that means you probably watched this video and learned some bad ideas. Its toxic.
@behnam93 7 months ago
You keep saying CSFR and instead CSRF and it's making my OCD brain hurt
@ewx8479 7 months ago
is the way you speak a joke
@sadge6430 6 months ago
Igh
@paul454 7 months ago
Good video, but please stop saying subseeeequent.
@ShanMarbaniang 7 months ago
Good but not resourceful... Great knowledge thanks
@ny3atuy6egemot 7 months ago
The most harmless attack I have seen ever 😂. Even simplest websites wait for something like DELETE request when u are trying to delete, or PATCH when edit, so following an API endpoint will not help you, because browser will only send a GET request, and it won't do anything. Second issue, we should force this user to follow link, I have mentioned that nowadays people are very afraid of links.
@daztub4901 7 months ago
What you talking about , CSRF attacks rely on post attacks most if not all the time. Its a rare attack but if exploited and developed it can be dangerous
@BenMorse0 7 months ago
Rf
@mukeshjadhav8798 6 months ago
Your videos are great but you should really consider changing your tone. I ( and many other I believe) just hate listening the tone.
@DanielBoctor 6 months ago
I think I finally fixed my intonation in my most recent video
@mukeshjadhav8798 6 months ago
@DanielBoctor Thanks a lot sir. Please don't take it negatively, your videos are awesommme ..I'm your fan.
@sadge6430 6 months ago
Kd9v
@ic6406 3 months ago
Hard to understand stuff
@sinopulence 7 months ago
This guy says "CSFR" so many times that it becomes exceedingly frustrating. At least get it right.
@HaxxBlaster 7 months ago
Not to discourage anyone, but things like this takes serious time as many has protection against these types of vulnerabilities. I have looked for similar things countless times and only once i found something i got paid for, 200 dollars for countless hours. Very fun though, but you need a lot of time to do it
@abdelrahmanhafez990 7 months ago
I stopped watching after 21 seconds, I was hoping you would stop ending statements as if they are questions. “The most popular framework on the internet???” It’s annoying and difficult to focus like that. Just a friendly feedback.
@cawkcheck 7 months ago
STOP SAYING CSRF TOKEN
@JCO2002 7 months ago
Good, thanks, but the uptalk is annoying enough when women do it. With a guy, well...
@vfauni5764 7 months ago
I couldn't listen for 5 seconds ??????
@electricengine8407 7 months ago
cool but u said csFR instead of csRF!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
@matthewrease2376 3 months ago
Common Google L
@GiveThemHorns 5 months ago
Good content, but damn I cannot stand the voice. The elongated vowels at the end of words and how things were pronounced was incredibly distractinggg.
@DanielBoctor 5 months ago
yeah ik, people have let me know about that. I fixed it in my most recent video
@bmeht 7 months ago
A few too many "CSFR"s lead me to the conclusion that you have no idea what you're doing or talking about. Try something else.
@VVVutov 7 months ago
Ok. Good explanation but you have to find somebody else to narrate your videos. Or try not end every sentence with that gayish intonation. Is this a man make up tutorial or a tech video?
@arlenegrundy7671 3 months ago
Do you always end your sentence sounding like a question? Please join the rest of the world and speak properly.
@HighscoreGetter 6 months ago
Dot kommmhm