How Linus Tech Tips got hacked

In this short video we explain how it was possible for Linus to get hacked through cookie hijacking.

0:00 Intro
0:47 TLDR what happened
5:10 Cookies in Chrome
7:30 Cookies Hijacking
8:46 Session Tokens (Access/Refresh)
10:00 Remedies

Linus Video

ThioJoe Video


Stay Awesome,
Hussein
Comments

TL:DW, An employee downloaded something and got token logged.

REAZNx

Please keep on uploading great content, I love how you go into detail most of the time when you talk about a subject.

hamzadlm

The clear divide is that changing a channel name is as drastic as changing the password, and in both cases should force a re-auth; same for the stream key and other "this rarely changes, and should be securely updated" stuff.

ryanfav

I have implemented a couple of session mechanisms in the past and what I usually do is have two types of tokens, one being the access token, and one being the refresh token.
The access token usually lasts 30-60 minutes before needing to request a new one. But in order to request a new one, you need the refresh token along with very specific data like browser window size, local time, your GPU model (yes, you can get that through canvas APIs in some browsers). After all this information is sent, it is compared to the information the refresh token was initially created with when first logging in, and only when the current browser information matches closely enough with the initial data can we regenerate the access token.

shapelessed

One could just add the IP of the user to the refresh (and maybe even the access) token and require the user to provide a second factor when the token is used from another IP. I actually used that for a project once and am planning to use it for a general authentication service for my projects.

This way, when the token gets stolen, one could even invalidate the session and alert the user. Or just require more authentication like said above, because in Germany, for example, IPs change every day for most ISPs.

Fabian-_-
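The refresh flow described in the two comments above (login-time device signals compared on refresh, and a second factor when the IP changes), as an added example that is not from the video or from either commenter. The `SessionStore` class, the signal names and the 0.75 match threshold are assumptions chosen for illustration.

```python
import hashlib, secrets, time
from dataclasses import dataclass

ACCESS_TTL = 30 * 60      # seconds; lower end of the 30-60 minute range above
MATCH_THRESHOLD = 0.75    # assumed: share of login-time signals that must still match

@dataclass
class RefreshRecord:
    user: str
    signals: dict         # device signals captured at login (names are assumptions)
    ip: str
    revoked: bool = False

class SessionStore:
    def __init__(self):
        self._records = {}    # sha256(refresh token) -> RefreshRecord

    @staticmethod
    def _key(token):
        # Store only a hash so a leaked session table does not leak usable tokens.
        return hashlib.sha256(token.encode()).hexdigest()

    def login(self, user, signals, ip):
        token = secrets.token_urlsafe(32)
        self._records[self._key(token)] = RefreshRecord(user, dict(signals), ip)
        return token

    def refresh(self, token, signals, ip, second_factor_ok=False):
        rec = self._records.get(self._key(token))
        if rec is None or rec.revoked:
            return "deny", None
        same = sum(1 for k, v in rec.signals.items() if signals.get(k) == v)
        if same / max(len(rec.signals), 1) < MATCH_THRESHOLD:
            rec.revoked = True            # different device: end the session, alert the user
            return "revoked", None
        if ip != rec.ip and not second_factor_ok:
            return "step_up", None        # IPs rotate, so ask for a second factor instead
        rec.ip = ip
        access = {"sub": rec.user, "exp": int(time.time()) + ACCESS_TTL,
                  "token": secrets.token_urlsafe(16)}
        return "ok", access
```

Signals that are copied from the same machine along with the token will still match, so this check narrows replay from a different device rather than ruling it out.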

11:35 not just a privacy issue. It simply doesn’t help at all. The attacker can just steal the device ID as well and pretend to be your device anyway

FlorianWendelborn

There is still so much to do in terms of security. Both on the OS level (proper isolation between apps) and from service providers like Google (fine role-based permission system and detection of unusual actions like deleting a lot of videos). Every security measure can be useless if the user makes an error, but we can provide guards against simple errors and limit the scope of attacks.

yannick

One thing I believe YouTube should implement is something like WordPress does, where channels can give partial access to team members, like one team member can only delete comments and one can only upload a video. In this way the entire channel will not be in someone else's hands. Regarding authentication, YouTube shouldn't allow any team member to make any changes to the channel except the admin. For the admin, though, YouTube can implement something like zero knowledge proof with/in place of 2FA.

sumitpurohit

Encrypting the cookie store with device-managed hardware is the best option: every time I open Chrome, ask for a fingerprint and decrypt the data. An attacker shouldn't be able to decrypt the cookie store at any given moment + when decrypted, store it in RAM with obfuscation to ensure no process can access that data.

hackermen

Hey Hussein, device identification is used everywhere nowadays. We use JS to collect environment signals and create a device fingerprint (browser, addons, IP, geo, etc.).

TradingT

IP won't change drastically from a home network, but it will change at an organisation level. For instance, the McAfee cloud proxy used in organizations changes very frequently.

rameez

I feel like I'm watching some adventure thriller movie when listening to you. Always excited for what will come next, how will the protagonist solve the issue :D

MsBijay

Allowing users to choose a higher security measure like logging out whenever the IP changes should definitely be an option.

prhasn

At Adobe all desktop app tokens are tied to the device specifically, but since I mentioned web apps, this device ID can be simulated by something like a browser fingerprint.

aditya

Maybe we can do anomaly detection on device ID, IP address, request timing patterns, and have some threshold for anomaly to invalidate the token and ask for re-authentication. The trick would be to figure out a balance between user experience and anomaly threshold. We can use a zero knowledge proof mechanism to verify device ID and IP address to overcome privacy concerns.

TheAkiller

Good video. I wish there was a browser api that accesses a secure hardware module on the user's computer, but someone's gonna find an exploit for that. I think you are right that we just have to prompt for password and reauthenticate, when there are critical actions for a user to take.

hypergraphic

Thank you sir, MD asked me a question like this in the final round interview and I answered the same as you.... and I got selected 😃✨❤

aaman

I don't think that IP change detection is a solution there, even for desktop. In some countries, and I know for sure in Italy, some Internet Service Providers do not provide a static IP, but a dynamic one. It means that, let's say, every hour your IP is updated. Imagine all websites doing IP change detection. Every hour you would need to log in again on every site that you're using.

alexandrutimofte

I think you just missed the part where Linus said that he logged in from the other side of the world. So, he wasn't using a VPN, or if he was, it wasn't set to Canada.

RenanHiramatsu

As always, great content! Hussein, it will be great if you can make a video about how you keep track of current happenings and make videos along with your busy job. Essentially a video covering your day-to-day activities will be helpful for a lot of people.

yashkhd