LTT YouTube hacked!

SpyderTracks

We love you Ukraine
I'm rather sad about this.

It's currently just after 9am in Canada, so they will know by now, but this happened overnight to most of their accounts on YouTube, taken over by some Tesla promoter hacker.




Apparently this is pretty widespread, so be aware
 

Steveyg

MOST VALUED CONTRIBUTOR
This is the second time in less than a year, I think. Ironically, they were talking about dropping LastPass as one of the sponsors in a WAN Show a little while ago.
 

SpyderTracks

We love you Ukraine
It now says the account has been terminated for breaching YouTube's community guidelines.
I reported them as soon as I was alerted to it when they changed the name to Tesla and posted the AI streams of deepfakes.

I'm sure a lot of others would have also. Plus Linus probably has a direct line to YouTube being so big, so would have got it tied down as soon as he was able to.
 

sck451

MOST VALUED CONTRIBUTOR
No doubt it'll be recovered soon. YT make loads of money off it, no chance they don't recover it, probably in the next 48 hours.
 

SpyderTracks

We love you Ukraine
Yeah, it will be a major priority for them, massive revenue generator, and is it 6 sub channels now?
 

Scott

Behold The Ford Mondeo
Moderator
Ouch, that's a sore one. I ditched LastPass a little while ago. Changed all my passwords when they got done over, it was a nightmare.
 

SpyderTracks

We love you Ukraine
And here's the official video:


Apparently literally a cookie harvest, nasty.

I really admire Linus' admission of liability as the owner, he's a good guy in that respect, and it's not unusual for him to take responsibility.
 

Scott

Behold The Ford Mondeo
Moderator
I'm actually shocked about the way that the hacker got into the account. Not from the YouTube side, but from the browser side.

How on earth is a session link, cookie, or anything else allowed to be copied to another browser? This should be entirely unique to the system. I would have thought that would be a very basic thing..... cookies should only be relevant on the system they are from.
 

B4zookaw

VALUED CONTRIBUTOR
Exactly Linus's point, a location change should have invalidated the session and prompted a login. That and the duration of the session, the number of actions allowed without further authentication, etc. It's very interesting to hear the details. An eye opener for how easy this can happen, even in a tech-minded company.
 

Scott

Behold The Ford Mondeo
Moderator
For me this would be after the fact though, IMO it shouldn't be down to YouTube or other platform to check where the cookie has come from (although it would make sense that it also should). Edge, Chrome or whatever browser shouldn't allow the use of the cookie to begin with if it didn't originate from the current browser. I understand that there could be workarounds and custom browser offerings could bypass such a thing, but at least having some sort of security on the cookie origin access should be a no-brainer.

Covering both bases for sure, but to my mind this is basic. I hand on heart didn't realise you could clone a browser history and use it without any sort of difficulty.
 

SpyderTracks

We love you Ukraine
I think, although I don't have any facts to base it on, that this may be a shortcoming of Chrome as a browser. It's very much the same fork as it was 20 years ago. Chromium-based forks have rectified these security holes in the likes of Brave etc, but I think Chrome is rather a mishmash of bolted-on updates to an out-of-date platform.

Don't use Chrome IMHO.
 

sck451

MOST VALUED CONTRIBUTOR
All that stuff is trivial to spoof, though. Location, browser/system information, all really easy. The key technical problem (which is basically what Google does already with Pay) is that significant actions (whether changing a channel name, making a credit card payment or whatever) should require a confirmation of login.

I don't think browsers are particularly at fault here. It's perfectly easy to log into a website without a browser, after all.
 

Scott

Behold The Ford Mondeo
Moderator
If the session cookie only worked on the browser it was created for, and was hashed as such, it would never have been able to be used to log in anywhere else anyway. With all of this stuff I would go to the root cause. The root cause is that the session cookie was duplicated.

From here there is a chain of events, any break in the chain would potentially stop the event from happening. I think that shows that there are many shortcomings still in internet/browser security. I'm not surprised by any of that and I was aware of just about every step in the chain. The one thing that I didn't realise is that any cookie can be opened from any system anywhere as long as you are using the same browser (you can likely even use a different browser). I thought session cookies were more secure, but I guess they just store the session code/identification unhashed..... rather than being secure.

If the session cookie was hashed and linked to the browser that created it to generate the hash, this would never have happened.
If the server recognised or took action from a session being created in one location and then accessed from a different location, this would never have happened.
If the platform requested confirmation of credentials for notable requests/actions, this would never have happened.

All 3 areas should be patched. My point is that I wasn't actually aware of the first. The latter 2 have always been about simplicity and ease of access, different for typical end users though compared to businesses. There should be additional checks for higher profile accounts regardless.
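
The checks discussed in the posts above (binding a session to the client that created it, revoking it when the context changes, and asking for credentials again before notable actions) can be compared in a small server-side sketch. This is an added example, not part of the thread and not any platform's real code; `SessionStore`, the action names, the 300-second window and all sample values are hypothetical.

```python
import hashlib, hmac, secrets

SERVER_KEY = secrets.token_bytes(32)   # hypothetical per-deployment secret
STEP_UP_WINDOW = 300                   # assumed policy: seconds a password check stays fresh
SENSITIVE = {"rename_channel", "delete_videos"}  # hypothetical action names

def context_tag(user_agent, network):
    """Keyed hash of client-reported context. A hint only: the client controls both inputs."""
    return hmac.new(SERVER_KEY, f"{user_agent}|{network}".encode(), hashlib.sha256).hexdigest()

class SessionStore:
    def __init__(self):
        self.sessions = {}

    def login(self, user, user_agent, network, now):
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = {"user": user, "ctx": context_tag(user_agent, network), "last_auth": now}
        return sid

    def reauthenticate(self, sid, password_ok, user_agent, network, now):
        s = self.sessions.get(sid)
        if s is None or not password_ok:
            return False
        s.update(ctx=context_tag(user_agent, network), last_auth=now)
        return True

    def authorize(self, sid, action, user_agent, network, now):
        s = self.sessions.get(sid)
        if s is None:
            return "deny:no-session"
        if not hmac.compare_digest(s["ctx"], context_tag(user_agent, network)):
            del self.sessions[sid]     # context changed: revoke on the server
            return "deny:context-changed"
        if action in SENSITIVE and now - s["last_auth"] > STEP_UP_WINDOW:
            return "step-up:reauth-required"
        return "allow"

def demo():
    store, t0 = SessionStore(), 1_000_000
    ua, net = "ExampleBrowser/1.0", "198.51.100.0/24"   # constructed sample values
    sid = store.login("creator", ua, net, t0)
    later = t0 + 3600
    return {
        "owner_browse": store.authorize(sid, "view_dashboard", ua, net, later),
        # Cookie presented with identical context: the binding check alone passes it.
        "copied_context_rename": store.authorize(sid, "rename_channel", ua, net, later),
        # Cookie presented from a different context: session is revoked.
        "new_context_browse": store.authorize(sid, "view_dashboard", "Other/2.0", "203.0.113.0/24", later),
    }
```

The middle case is the one to note: the context binding passes any request that presents matching values, so only the credential check on notable actions holds there.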
 