How Linus Tech Tips got hacked

  • Published 14. 06. 2024
  • In this short video we explain how it was possible for Linus to get hacked through cookie hijacking.
    0:00 Intro
    0:47 TLDR what happened
    5:10 Cookies in Chrome
    7:30 Cookie Hijacking
    8:46 Session Tokens (Access/Refresh)
    10:00 Remedies
    Linus Video
    • My Channel Was Deleted...
    ThioJoe Video
    • Hackers Are Trying Som...
  • Science & Technology

Comments • 108

  • @REAZNx
    @REAZNx A year ago +156

    TL;DW: An employee downloaded something and got their token logged.

    • @poulticegeist
      @poulticegeist A year ago +20

      Thanks. Nasser can often be long-winded to fill up some playtime quota.

    • @SwapnilSoni
      @SwapnilSoni A year ago +5

      Thanks, but Hussein's explanation still gives me more curiosity.

    • @taskforce_kerim
      @taskforce_kerim A year ago +1

      @poulticegeist I was just about to write that. I like his content, but his long-winded explanations in so many videos are just unbearable sometimes.

    • @ceo_google
      @ceo_google 6 months ago

      @poulticegeist Well, he did mention the TL;DR in the video himself as well.

  • @hamzadlm6625
    @hamzadlm6625 A year ago +20

    Please keep on uploading great content. I love how you go into detail most of the time when you talk about a subject.

  • @ryanfav
    @ryanfav A year ago +11

    The clear divide is that changing a channel name is as drastic as changing the password, and in both cases it should force a re-auth. Same for the stream key and other "this rarely changes and should be securely updated" stuff.

  • @shapelessed
    @shapelessed A year ago +59

    I have implemented a couple of session mechanisms in the past, and what I usually do is have two types of tokens: one being the access token, and one being the refresh token.
    The access token usually lasts 30-60 minutes before needing to request a new one. But in order to request a new one, you need the refresh token along with very specific data like browser window size, local time, your GPU model (yes, you can get that through canvas APIs in some browsers). After all this information is sent, it is compared to the information the refresh token was initially created with when first logging in, and only when the current browser information matches the initial data closely enough do we regenerate the access token.

    • @hypergraphic
      @hypergraphic A year ago +4

      That's an interesting idea.

    • @shapelessed
      @shapelessed A year ago +7

      @hypergraphic It's not a method that's going to resist everything, but it will generally slow the attacker down and will make forging a second access token way harder, since if the necessary data doesn't match you can invalidate the refresh token.
      What it does for sure is introduce way more ground for mistakes on the attacker's side and require way more preparation.

    • @qwertyqwerty-jp8pr
      @qwertyqwerty-jp8pr A year ago +3

      @shapelessed Yeah, it definitely does not prevent the hack if it is well planned, since if the token can be logged it's likely that the GPU model can be logged as well.

    • @shapelessed
      @shapelessed A year ago

      @qwertyqwerty-jp8pr You can't secure everything, since it's client-side information.
      If you're already on the client device then there is not much the server can do against it, but if you are not, then that's a completely different story. Cookies aren't only being stolen through malware, in which case the attack becomes way harder. There's not much I can do if somebody gets access to a client device; that's actually slightly not my problem. I can secure things on my side, but the client also has to do its job.

    • @filipesommer8253
      @filipesommer8253 A year ago +1

      Then a hacker just needs to steal the refresh token to get another access token, right? What does having two tokens provide, except that specific data you mentioned, which can be stolen anyway? Genuine question, trying to understand the benefits of that two-token method.
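An added example (not code from the video or from any commenter) of the two-token scheme described in this thread, combined with the point made earlier by @ryanfav that drastic changes such as a channel rename should force a re-auth: a Python session store with short-lived access tokens, single-use rotated refresh tokens bound to a keyed hash of client-reported signals, revocation of the whole token family when a consumed refresh token is replayed or the signals no longer match, and a step-up check for sensitive actions. The TTL values, the client-signal keys and all names are assumptions.

```python
import hashlib
import hmac
import secrets

ACCESS_TTL = 30 * 60            # access token lifetime: the 30-60 minutes the comment describes
REFRESH_TTL = 30 * 24 * 3600    # refresh token lifetime (assumed value)
STEP_UP_WINDOW = 5 * 60         # how recent the last password entry must be for a drastic action (assumed)
SERVER_KEY = secrets.token_bytes(32)  # assumption: a per-deployment secret, generated at start-up here


def fingerprint(ctx: dict) -> str:
    """Keyed hash of the client-reported signals (window size, local time zone, GPU model, ...)."""
    canonical = "|".join(f"{k}={ctx[k]}" for k in sorted(ctx))
    return hmac.new(SERVER_KEY, canonical.encode(), hashlib.sha256).hexdigest()


class SessionStore:
    """Two-token sessions: short-lived access tokens, rotated refresh tokens bound to a fingerprint."""

    def __init__(self):
        self.refresh = {}    # refresh token -> {"user", "fp", "exp", "family"}
        self.access = {}     # access token  -> {"user", "exp", "family"}
        self.used = {}       # consumed refresh token -> family (detects replay of a stolen token)
        self.last_auth = {}  # user -> time of the last password entry

    def login(self, user: str, ctx: dict, now: int):
        """Password login: record the step-up time and start a new token family bound to ctx."""
        self.last_auth[user] = now
        return self._issue(user, fingerprint(ctx), secrets.token_hex(8), now)

    def _issue(self, user, fp, family, now):
        at, rt = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
        self.refresh[rt] = {"user": user, "fp": fp, "exp": now + REFRESH_TTL, "family": family}
        self.access[at] = {"user": user, "exp": now + ACCESS_TTL, "family": family}
        return at, rt

    def refresh_access(self, rt: str, ctx: dict, now: int):
        """Exchange a refresh token for a new pair; None (and family revoked) on anything suspicious."""
        if rt in self.used:                      # a rotated-out token presented again: someone replayed it
            self._revoke_family(self.used[rt])
            return None
        rec = self.refresh.pop(rt, None)
        if rec is None or rec["exp"] < now:
            return None
        self.used[rt] = rec["family"]
        # Exact match stands in for the comment's "matches closely enough": a token replayed from a
        # different environment fails here. If the malware also captured the signals, this check passes.
        if not hmac.compare_digest(rec["fp"], fingerprint(ctx)):
            self._revoke_family(rec["family"])
            return None
        return self._issue(rec["user"], rec["fp"], rec["family"], now)

    def _revoke_family(self, family: str):
        self.refresh = {k: v for k, v in self.refresh.items() if v["family"] != family}
        self.access = {k: v for k, v in self.access.items() if v["family"] != family}

    def authorize(self, at: str, now: int, sensitive: bool = False) -> str:
        """'ok', 'denied', or 'reauth_required' when a drastic action needs a fresh password entry."""
        rec = self.access.get(at)
        if rec is None or rec["exp"] < now:
            return "denied"
        if sensitive and now - self.last_auth.get(rec["user"], 0) > STEP_UP_WINDOW:
            return "reauth_required"
        return "ok"
```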

  • @yashkhd1100
    @yashkhd1100 A year ago +1

    As always, great content..!! Hussein, it would be great if you could make a video around how you keep track of current happenings and make videos alongside your busy job. Essentially, a video covering your day-to-day activities would be helpful for a lot of people.

  • @Fabian-_-
    @Fabian-_- A year ago +5

    One could just add the IP of the user to the refresh (and maybe even the access) token and require the user to provide a second factor when the token is used from another IP. I actually used that for a project once and am planning to use it for a general authentication service for my projects.
    This way, when the token gets stolen one could even invalidate the session and alert the user. Or just require more authentication, as said above, because in Germany, for example, IPs change every day for most ISPs.

  • @yannick5099
    @yannick5099 A year ago +4

    There is still so much to do in terms of security, both on the OS level (proper isolation between apps) and from service providers like Google (a fine-grained role-based permission system and detection of unusual actions like deleting a lot of videos). Every security measure can be useless if the user makes an error, but we can provide guards against simple errors and limit the scope of attacks.

  • @gildas_dev
    @gildas_dev A year ago

    Hi Hussein, great content as usual. I have a question. Could this hijacking technique succeed on macOS?

  • @FlorianWendelborn
    @FlorianWendelborn A year ago +7

    11:35 Not just a privacy issue. It simply doesn't help at all. The attacker can just steal the device ID as well and pretend to be your device anyway.

    • @shapelessed
      @shapelessed A year ago

      It's still way harder to "pretend" to be another device because of the sheer amount of information that can be bound to your session.
      You make one thing harder here, one there, another one over there, and suddenly it turns out to be way more likely that the attacker might either run out of time or give up entirely.

    • @FlorianWendelborn
      @FlorianWendelborn A year ago +2

      @shapelessed It's literally just another HTTP header they'd need to fake. "Might slightly inconvenience an attacker" is not a good enough reason to give up all privacy.

    • @mohammadshaqibsiddique9291
      @mohammadshaqibsiddique9291 A year ago

      @shapelessed If any JavaScript program can get access to the device ID, then the hacker doesn't need to do anything to get the victim's device ID and just attaches it to the HTTP header... No security improvement!

    • @imabeapirate
      @imabeapirate A year ago +2

      @FlorianWendelborn Agreed. If they knew enough to inject malware to token-log a targeted person, they'd know how to modify device header info. Implementing a password for certain actions like deleting files is akin to the logic for sudo, so Google should definitely do that ASAP.

  • @MsBijay007
    @MsBijay007 10 months ago +1

    I feel like I'm watching some adventure thriller movie when listening to you. Always excited for what will come next and how the protagonist will solve the issue :D

  • @rameez9147
    @rameez9147 A year ago

    The IP won't change drastically on a home network, but it will change at an organisation level. For instance, the McAfee cloud proxy used in organizations changes very frequently.

  • @sumitpurohit8849
    @sumitpurohit8849 A year ago +10

    One thing I believe YouTube should implement is something like WordPress does, where channels can give partial access to team members: one team member can only delete comments and one can only upload a video. In this way the entire channel will not be in someone else's hands. Regarding authentication, YouTube shouldn't allow any team member to make any changes to the channel except the admin. For the admin, though, YouTube can implement something like a zero-knowledge proof with/in place of 2FA.

    • @illker.
      @illker. A year ago +2

      Indeed. Like AWS IAM.

  • @hypergraphic
    @hypergraphic A year ago +2

    Good video. I wish there was a browser API that accesses a secure hardware module on the user's computer, but someone's gonna find an exploit for that. I think you are right that we just have to prompt for the password and reauthenticate when there are critical actions for a user to take.

    • @shapelessed
      @shapelessed A year ago +1

      Sadly, once you get onto the client device you're generally all-powerful. You might need an escalation exploit to get admin rights, but other than that it's game over.

  • @techwithimad4672
    @techwithimad4672 A year ago

    Great content as usual!

  • @hackermen69
    @hackermen69 10 months ago

    Encrypting the cookie store with device-managed hardware is the best option: every time I open Chrome it asks for a fingerprint and decrypts the data. The attacker shouldn't be able to decrypt the cookie store at any given moment, and when it is decrypted, store it in RAM with obfuscation to ensure no process can access that data.

  • @aaman4901
    @aaman4901 A year ago +1

    Thank you sir, the MD asked me the same question in the final-round interview and I answered the same as you.... and I got selected 😃✨❤

  • @TradingT
    @TradingT A year ago

    Hey Hussein, device identification is used everywhere nowadays. We use JS to collect environment signals and create a device fingerprint (browser, add-ons, IP, geo, etc.).

  • @prhasn
    @prhasn A year ago

    Allowing users to choose higher security measures, like logging out whenever the IP changes, should definitely be an option.

  • @yassinetaya7193
    @yassinetaya7193 A year ago

    Thank you Hussein for the information. I just want to ask you: if the refresh token gets stored as HttpOnly, will it still be stored in the file you mention, /User/xxx/.../Default/...? Are HttpOnly cookies not secure?

  • @verbranntenetzhaut
    @verbranntenetzhaut A year ago

    Thanks for sharing your knowledge, I love your channel.

  • @mlsandreas
    @mlsandreas A year ago

    I was waiting for it!!!

  • @RenanHiramatsu
    @RenanHiramatsu A year ago +1

    I think you just missed the part where Linus said that he logged in from the other side of the world. So, he wasn't using a VPN, or if he was, it wasn't set to Canada.

  • @thecloudterminal
    @thecloudterminal A year ago

    Thanks for such an awesome explanation of what happened.

  • @a1988ditya
    @a1988ditya A year ago

    At Adobe, all desktop app tokens are tied specifically to the device, but since I mentioned web apps, this device ID can be simulated by something like a browser fingerprint.

  • @TheAkiller101
    @TheAkiller101 A year ago

    Maybe we can do anomaly detection on device ID, IP address and request timing patterns, have some threshold for anomaly to invalidate the token and ask for re-authentication. The trick would be to figure out a balance between user experience and the anomaly threshold. We can use a zero-knowledge proof mechanism to verify device ID and IP address to overcome privacy concerns.

  • @ofadiman
    @ofadiman A year ago +1

    We must open files we receive over the internet. That's a fact. I would love to hear about how to open a file from an unconfirmed source securely. Keep up with creating great content 👍

    • @oskarjankowski5709
      @oskarjankowski5709 A year ago +7

      Open it in a virtual machine, I guess?

    • @stoogel
      @stoogel A year ago +3

      First off, make sure file extensions are not hidden. The victim would have seen it was [filename].pdf.scr in this case. If it's an executable or a PDF, probably skip it. You could run it sandboxed in a VM or something like Windows Sandbox, though.

  • @AG-lu9gi
    @AG-lu9gi 11 months ago

    IPs change a lot when you are in a corporate environment and working with different VPNs.

  • @mzhbiz9839
    @mzhbiz9839 A year ago

    "If the IP address changes, prompt me for a password." What makes you assume the malware used in this case doesn't have "reverse proxy functionality" allowing the hacker to use the victim's same IP address?

  • @PpVolto
    @PpVolto A year ago

    What about adding SSL certificate authentication? Could Chrome in theory request the cert as the Chrome user, and the session token only be decoded with the part that Google has for that account?

  • @djstr0b3
    @djstr0b3 A year ago

    Refresh tokens are probably not stored as cookies but in local storage.

  • @sundaramjha1776
    @sundaramjha1776 A year ago

    Can you create a video on Elasticsearch's internal architecture and why it is fast at search? Like your videos. Keep it up.

  • @Multi3DManiac
    @Multi3DManiac A year ago

    Don't the ad corporations track the devices already? A couple of years back I remember reading somewhere that there is some specific image that the browser renders, which each GPU will generate in a unique way, and you can track the machine without really getting any personal details.

  • @jasdeepsinghgrover2470

    Hey Hussein... I think Google already does these protections... I get a prompt when I log in from a new device asking if it was me... I believe there might be a setting for it, and that employee wouldn't have accepted it... At least he or she should have gotten a notification stating a new device logged in.

  • @ember8001
    @ember8001 A year ago

    Wouldn't an anti-virus prevent the executable from running, since it was an executable disguised as a PDF?

  • @swadeshiVyakti
    @swadeshiVyakti A year ago +1

    Woo..
    Computer Science is so interesting!!

  • @skepticalmind2260
    @skepticalmind2260 A year ago

    Awesome video. BTW, you can fake the MAC address as well (MAC spoofing).

  • @alexandrutimofte4256
    @alexandrutimofte4256 A year ago +2

    I don't think that IP change detection is a solution there, even for desktop. In some countries, and I know for sure in Italy, some Internet Service Providers do not provide a static IP but a dynamic one. It means that, let's say, every hour your IP is updated. Imagine all websites doing IP change detection. Every hour you would need to log in again on every site that you're using.

  • @youssifgamal8545
    @youssifgamal8545 A year ago

    In some countries the IP address of the router changes every time the router is restarted.

  • @choudharyabdullah
    @choudharyabdullah A year ago

    But YouTube already uses device fingerprinting to generate a unique user ID! Why can't it just use this to log anyone out?

  • @stevenhe3462
    @stevenhe3462 A year ago

    The question is: would the "clicked on a file and ran malware by accident" still be possible if you are on Linux, macOS, or BSD?

    • @stoogel
      @stoogel A year ago

      Probably not, as this attack relied on a file that was disguised as a .pdf but was actually a .scr executable. The real file extension was hidden. This kind of masquerading could also happen on a Mac (which also has file extensions hidden by default). It's an annoying security flaw of both. Linux and BSD do not have file extensions.

  • @anujupadhyay1854
    @anujupadhyay1854 A year ago

    I do not think Google invalidates tokens all that much for changing locations too frequently. I use a VPN most of the time and keep hopping my IP location. Never once was I asked to log in again for Google services.

  • @djstr0b3
    @djstr0b3 A year ago

    It's not practical to prompt people for a password every time your IP changes. Your IP changes more often than you think. The lease time of your public IP depends on the lease time of your ISP's DHCP config. I have seen them being as low as 8 hours.

  • @someonerandom704
    @someonerandom704 A year ago +2

    Your description wrote Linus as Linux, BTW.

  • @oumardicko5593
    @oumardicko5593 A year ago

    Just received a message from Facebook saying "here is your confirmation code"? What confirmation code O.O Didn't use FB for ages.

  • @kriskrawiec5513
    @kriskrawiec5513 A year ago

    Why doesn't YouTube use the strategy recommended by Auth0?

  • @SuperNova23333
    @SuperNova23333 A year ago

    This one is going to be good.

  • @supportic
    @supportic A year ago

    Session cookies are not tokens!?

  • @Mo-bs7ct
    @Mo-bs7ct A year ago

    If the malware can intercept the requests to YouTube, then that's it.

  • @davecameron77
    @davecameron77 A year ago

    Apple changes my pseudo IP address all the time. I don't think that Google can depend on this anymore.

  • @bodiabdo3107
    @bodiabdo3107 A year ago

    Where is the reference to "hide extension of exe program"? 🙄

  • @cheebadigga4092
    @cheebadigga4092 A year ago

    I think JavaScript doesn't need access to anything. The OS can just detect that an application of type Web Browser is opened and pass it a humongous hash value which can be associated with the cookie. This way you can't just "unhash" the value and read what people are actually using, not even the browser can, but Google or the respective endpoint can simply invalidate the session if the strings don't match. But then there are other problems that come with that, so I'm not sure. Actually, come to think of it, this is where law enforcement could be useful. Just a simple law that states these types of hashes are only allowed for security reasons and cannot be used for tracking users. How effective such a law would be, I don't know. But I guess that's better than having nothing at all.

  • @TradePlanIO
    @TradePlanIO A year ago

    The video sounds normal at 1.75x speed.

  • @mohammadshaqibsiddique9291

    12:20 I do not agree with you!
    No security increase even if YouTube implements IP-change reauthorization.
    Explanation: if the hacker is able to get a session token by running as the user's process, he will bypass this security by using the same process as a proxy for communicating with YouTube, hence no IP change in this case.

    • @meldinway
      @meldinway A year ago

      Exactly what I'm thinking. You can keep switching between VPN IPs and the same sessions are retained for almost every website, and specifically I never had to re-login to Google services when I switch VPN locations.

  • @frzen
    @frzen A year ago

    The whole thing is wrong. There should be something like a CI/CD environment option for these big platforms (YouTube etc.) with multiple stages of approval and review. You should be able to see audit logs for every title change, comment deletion and video upload, and approve or roll them back. I am banging my head about this because I have to deal with people sharing the login details to these big, important accounts and logging in on whatever random machine they feel like. You are giving the keys to the kingdom to every intern who needs to reply with a smiley face to nice comments. Insanity... My idea might be to just give people VDI access to a machine which is logged in and just tightly control access to that machine. At least with Sysmon or something you could detect an application reading the cookie file or talking to a C2 server.

  • @BlurryBit
    @BlurryBit A year ago +1

    Cookie? Lemme see if so 😂

    • @BlurryBit
      @BlurryBit A year ago +1

      Oh yeah, that was it, lol. Guys and girls... Cookie stealing has been a thing for ages. Take it seriously!

  • @elieobeid77
    @elieobeid77 A year ago

    Most ISPs don't offer a static IP; they use a shared IP that changes every day or two. And most users don't have a fingerprint scanner on their PC. In fact, many people I know don't know their passwords.
    Such proposed changes will benefit only a minority.

  • @amrojjeh
    @amrojjeh 11 months ago

    Hello!

  • @ishanjain9098
    @ishanjain9098 A year ago

    100th view 🎉

  • @saeidsa339
    @saeidsa339 A year ago

    Ramadan Kareem

  • @CHITRANSHSHARMA
    @CHITRANSHSHARMA A year ago

    You talk too slowly. Leaving without hearing your explanation; a 2-minute video made into 13+ minutes.

  • @Supakills101
    @Supakills101 A year ago +1

    No one should have had admin rights except Linus. Just dumb.

  • @ruhruhruhruhruheisjsij

    Basically, Linus' Gamer ""Tech Tips"" learned the hard way that VPNs won't save you, no matter how hard you advertise them for security just to make a quick buck off these subscription surveillance VPN rip-offs.