The story behind LTT channel getting hijacked

8 Replies, 95 views

  • Saka (Level 52)
    Hey Legionnaires! Some of you might be following the Linus Tech Tips channel and noticed some suspicious activity on it yesterday morning. It had been hacked and as a result all the videos were unlisted or deleted, the name was changed to Tesla and a livestream with Elon Musk talking about cryptocurrencies was broadcast from it. There were also some scam links posted on it.
    Today, a new video was uploaded following the restoration of the channel. Linus explains how he learned about the issue and spent most of his night trying to untangle it.



    Obviously, they did have two-factor authentication. It is not a bulletproof solution though, and some methods of authentication are less secure than others. For example, SMS authentication, which is one of the most commonly used methods, is susceptible to social engineering targeted at the phone carrier. Notification-based authentication is vulnerable to a fatigue attack, where the account owner gets spammed with prompts until they accidentally or absent-mindedly click “allow” in the notification pop-up.

    However, this time the hijack was not done using any of these. The attackers simply decided to bypass the login, passwords and authentication altogether. They used a session token attack.

    How does a session token work? It is basically a cookie stored locally on your device that is created once you have logged in and cleared the 2FA, if applicable. That way, you don’t have to log in again when you close your browser, because the session is kept alive.

    So, how was it obtained? Basically, social engineering happened. I think this still falls under the definition of phishing, as one of the definitions I found is as follows:
    “A technique for attempting to acquire sensitive data, such as a bank account number, through fraudulent solicitation in email or on a website, in which the perpetrator masquerades as a legitimate business or a reputable person.”

    What happened was that an employee at LTT Media received an email, claiming to be from a sponsor, which had a malware attachment. It was masqueraded as a legitimate source, raising no immediate red flags. The included file was presented in a way suggesting that it was a PDF file containing the terms and conditions for the sponsorship. Except that it didn’t work. As it later turned out, in a matter of seconds it copied all the data from both browsers installed on the affected system, such as passwords and cookies, including session tokens, for every website that was present in the browser history, and sent them to the destination machine.
    Lessons learned there: never just unzip an email attachment without double- and triple-checking it, even if it comes from a seemingly legitimate source. Always check the file extensions. If a file doesn’t do what it was supposed to do, that should immediately raise a huge red flag and be a call to action.

    If you run a company, for example as a larger streamer, it should be your responsibility to provide appropriate training to your employees, rather than pin the blame on a less experienced employee who got exploited. More rigorous security training generally pays off and prevents these kinds of attacks. It’s worth noting that methods of attack evolve and change at a similar rate as the technology does.

    It also turns out there are sometimes drawbacks to using channel managers: they add a layer of obfuscation. Since multiple accounts can manage the channel, it was not easy to establish which one was compromised and responsible for hijacking the channel. Unfortunately, Google’s support can be a mixed bag. They respond rather quickly to big channels, but even then they don’t provide much data on the process of restoring the account. Smaller producers often have to wait a long time to get any help.

    Finally, Linus makes a very good point that Google allows a single session token too much; it should have a decay based on actions performed, known as rate limitation. For example, it should never be possible to delete thousands of videos on a single token without having to provide any two-factor authentication. There is time-based expiry, but it lasts very long. In theory, there is also location-based expiry, but even in my experience it doesn’t work very well. It should not allow sudden logins from, let’s say, New Zealand, but fairly often it actually does.
    Unamused Snarktooth. Advocate for hearing loss & accessibility. Person, friend and a terrible/terrific* artist.
    *delete as appropriate
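The post's lesson about "always check the file extensions" and the PDF that "didn't work" can be turned into a small triage routine. The following is an added example written for this thread, not code from the post or from LMG; the extension lists and the constructed sample headers are assumptions for illustration. It checks an attachment two ways, by its name (executable or double extensions) and by its first bytes (magic number), so that a file named like a PDF but containing a Windows executable is flagged before anyone opens it.

```python
"""Triage an email attachment before anyone opens it (added example).

Two independent checks, because either one alone can be fooled:
  1. the file NAME: executable or script extensions, and "double
     extensions" such as terms.pdf.exe that rely on the desktop hiding
     the real suffix;
  2. the file CONTENT: the first bytes (magic number) must agree with
     what the extension claims the file is.
"""
import os

# Well-known public magic numbers for a few common formats.
MAGIC = {
    "pdf":  (b"%PDF",),
    "zip":  (b"PK\x03\x04",),
    "docx": (b"PK\x03\x04",),        # Office Open XML is a ZIP container
    "png":  (b"\x89PNG\r\n\x1a\n",),
    "jpg":  (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
}
EXECUTABLE_MAGIC = {b"MZ": "Windows executable (PE)",
                    b"\x7fELF": "Linux executable (ELF)"}

# Suffixes that run code when double-clicked (Windows hides the last one by default).
RISKY_EXTENSIONS = {"exe", "scr", "com", "pif", "bat", "cmd", "msi", "js", "jse",
                    "vbs", "vbe", "wsf", "hta", "ps1", "lnk"}
# Suffixes a recipient reasonably expects from a sponsor or colleague (assumed list).
DOCUMENT_EXTENSIONS = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "jpg", "jpeg", "png"}


def assess_attachment(filename, head):
    """Return (verdict, reasons). `head` is the first bytes of the file.

    verdict: 'block' for anything executable, 'suspicious' for a name/content
    mismatch, 'ok' when both checks agree.
    """
    reasons, block = [], False
    exts = filename.lower().split(".")[1:]   # every suffix after the first dot
    last = exts[-1] if exts else ""

    # 1. name checks
    if not exts:
        reasons.append("no file extension at all")
    if last in RISKY_EXTENSIONS:
        block = True
        reasons.append(f".{last} is an executable/script extension")
    if len(exts) >= 2 and exts[-2] in DOCUMENT_EXTENSIONS and last not in DOCUMENT_EXTENSIONS:
        reasons.append(f"double extension: named like a .{exts[-2]} but really a .{last}")

    # 2. content checks
    for magic, kind in EXECUTABLE_MAGIC.items():
        if head.startswith(magic) and last not in RISKY_EXTENSIONS:
            block = True
            reasons.append(f"content is a {kind} although the name says .{last or '(none)'}")
    expected = MAGIC.get(last)
    if expected and not any(head.startswith(m) for m in expected):
        reasons.append(f"content header {head[:4]!r} does not match .{last}")

    verdict = "block" if block else ("suspicious" if reasons else "ok")
    return verdict, reasons


def assess_file(path):
    """Convenience wrapper for a file on disk: reads only the first 16 bytes."""
    with open(path, "rb") as fh:
        return assess_attachment(os.path.basename(path), fh.read(16))


if __name__ == "__main__":
    # Constructed samples, not real files from the incident.
    samples = [
        ("Sponsorship_Terms.pdf", b"%PDF-1.7\n"),
        ("Sponsorship_Terms.pdf.scr", b"MZ\x90\x00\x03\x00"),
        ("invoice.pdf", b"MZ\x90\x00\x03\x00"),
    ]
    for name, head in samples:
        print(name, "->", assess_attachment(name, head))
```

The content check matters more than the name check: a real PDF starts with `%PDF`, and nothing a sender does to the filename changes the first bytes of an executable.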
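The closing point about a single session token being allowed "too much" describes a server-side control that can be sketched in code. The guard below is an added illustration written for this thread; it is not Google's logic, and the action names, thresholds and the country-based location check are assumptions. A token keeps working for routine requests, but once it performs more than `max_destructive` destructive actions inside a sliding window, or starts arriving from a different country than it was issued to, it is frozen until the user repeats 2FA (a "step-up"). That is the action-based decay the post asks for, on top of the time-based expiry that already exists.

```python
"""Action-based decay for a session token (added example, assumed policy).

A stolen session cookie is only as dangerous as what it is allowed to do
unattended. This guard demands a fresh second factor ("step-up") once a
token has performed more than `max_destructive` destructive actions inside
`window_s` seconds, or as soon as its requests come from a different
country than the one it was issued to.
"""
import time
from collections import deque
from dataclasses import dataclass, field

# Actions that should never be possible in bulk on one unattended token (assumed set).
DESTRUCTIVE_ACTIONS = {"delete_video", "unlist_video", "rename_channel",
                       "change_password", "add_channel_manager"}


@dataclass
class Session:
    user: str
    country: str                      # coarse location at login (or last step-up)
    destructive_times: deque = field(default_factory=deque)  # timestamps in window
    step_up_required: bool = False    # sticky until the user passes 2FA again


class SessionGuard:
    def __init__(self, max_destructive=20, window_s=600, clock=time.time):
        self.max_destructive = max_destructive
        self.window_s = window_s
        self.clock = clock            # injectable so tests are deterministic

    def issue(self, user, country):
        """Mint a session after a full login (password + 2FA)."""
        return Session(user=user, country=country)

    def authorize(self, session, action, country):
        """Return (allowed, reason) for one request made with this token."""
        now = self.clock()
        if session.step_up_required:
            return False, "step-up pending: repeat 2FA before this token acts again"
        if country != session.country:
            # The cookie travelled: treat it as possibly stolen until re-verified.
            session.step_up_required = True
            return False, f"location changed {session.country}->{country}: repeat 2FA"
        if action not in DESTRUCTIVE_ACTIONS:
            return True, "ok"
        log = session.destructive_times
        while log and now - log[0] > self.window_s:   # slide the window forward
            log.popleft()
        if len(log) >= self.max_destructive:
            session.step_up_required = True
            return False, (f"{len(log)} destructive actions in {self.window_s}s "
                           f"on one token: repeat 2FA")
        log.append(now)
        return True, "ok"

    def step_up(self, session, country):
        """Call after the user has passed 2FA again; the token regains its rights."""
        session.step_up_required = False
        session.country = country
        session.destructive_times.clear()


if __name__ == "__main__":
    guard = SessionGuard(max_destructive=3, window_s=600)
    s = guard.issue("editor", "CA")
    for i in range(5):
        print(i, guard.authorize(s, "delete_video", "CA"))
```

Note what the guard does not do: it never asks for 2FA on ordinary viewing or editing, so a legitimate user rarely sees it, yet a bulk deletion or a sudden login from another country stalls after a handful of actions instead of thousands.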

  • GoLLuM13 (Level 52)
    I saw the video today, and it was shocking how a big tech "guru" like LMG got hacked so "easily".

    PS: "And no one says it was Colton" I laughed a little when he said something like that 😀
    Tag me to be sure I see the answer and reply to you / Taguez moi pour être sûr que je vois la réponse et vous réponde en retour
    Most of my writings in no particular order (mostly in French) / La plupart de mes écrits sans ordre particulier
    >> HERE/ ICI <<

  • Saka (Level 52)
    @GoLLuM13 "I am not saying it was Colton", if I recall correctly. 😅

    Maybe the email was some really convincing dbrand stuff, who knows?!
  • GoLLuM13 (Level 52)
    @Saka On Today's TechNews they said it again that it was Colton 🤣

  • Saka (Level 52)
    @GoLLuM13 Poor Colton! 😂
  • DoctorEldritch (Community Manager)
    @Saka thank you, this is certainly informative. Though at places too technical for me, for example, I need to google how to "check the file extensions".

    That being said, I mostly do this:

    [image attachment]
  • Saka (Level 52)
    @DoctorEldritch Oopsie, it's a wake-up call for me that even on a gaming forum like this file extensions are not common knowledge. 😁
  • DoctorEldritch (Community Manager)
    @Saka It is more that I can be an ignoramus when it comes to some technical aspects. 😅

    This is why threads like this are extra useful: they tell you about lurking dangers that I may not even know are there.
  • Saka (Level 52)
    @DoctorEldritch It's good to know, I will keep posting them! 😊