LTT Hacked

LTT Media group was hacked, here are my thoughts.

Comments

I WAS WRONG! ThioJoe was right and it was a session hijack per Linus' Video. I'm doing research today on this subject as this kind of damage from a simple session token is crazy. I will be doing tests with various VMs to try to replicate this kind of attack on my Google account and see how well Advanced Protection holds up. Once I'm confident in these results I'll share them.
While I'm sure Session Tokens can bypass simple 2FA, the Advanced Protection should be a more stringent security measure that requires re-auth. I'll use a test account with simple 2FA and the main one with the Advanced Protection to see if the results are the same.
3/25 Update: Tried all the methods for cloning the session token; I was unable to achieve the result on a simple 2FA or the enhanced protection 2FA. Until I can get a CVE or am able to replicate it in some manner, I can't verify. All the videos I've seen on YouTube haven't shown a valid session token hijack (John Hammond, ThioJoe, etc.)

ChrisTitusTech

If I've learned anything about Linus, he's probably making a YouTube video about this.

benisapp

He'll probably get a 20 video series out of this.

michaelgleason

It really sucks that this happened to LTT, but there’s a silver lining to it. Because LTT is such a prolific YouTube channel with so many fans and followers, this is going to really bring internet security to the attention of a LOT of people. Being secure on the internet is something that I’ve thought for a long time that people are far too negligent with. Hopefully LTT will be able to release some of the details of how this breach happened, and how to harden security to prevent it from happening again. I think a lot of people could benefit from that information. I hope LTT gets back up and running soon and that no serious damage was done.

zoltan

I remember when something like this happened to the Corridor Crew. Those hackers are really stepping up their game.

ArrowSwift

I thought the way these hackers are working is they're copying the cookies of the active session. 2FA and hardware keys are basically worthless at that point because the user is already logged in.

d_sellers

I think John Hammond just posted a 2FA bypass method for Google accounts.



Linus definitely had 2FA set up to some level, as he has had issues/taking a long time getting into accounts due to 2FA.

NPzed

Linus probably wasn't using Arch. Use Arch, kids (I use Arch btw).

jaxcyl-tb

YouTube should really promote their advanced protection program regularly to creators with some degree of popularity if they don't have it yet. Most people just don't know about it. Along with maybe some practical security advice.

mukkaar

So yes, Linus himself said it was a session hijack.
A machine accidentally executed malware that collected all cookies.

ovedach

Haha yeah, my first thought was "They have all that equipment in the lab, but aren't 100% secured with security keys??"
But it could've been a cookie hijack as well, who knows

firalia

Turns out ThioJoe did NOT have a bad take on this and had done a whole YT video about it over a month ago...

kevinoneill

I am wise enough to realise that there is no 100% security; lazy habits and bad practices can overcome most of the security out there. That's why social engineering works. Not only that, in the age of the buffer overflow, the lock doesn't matter if you can affect the logic of the branching code behind it, so like real locks, they don't keep criminals out, they keep ordinary people honest...

DevilbyMoonlight

It indeed was a session cookies attack.

jwisemanm

Well, this aged poorly. Bad take by Thio Joe? Come on Chris. Thio was right of course. It was indeed a session token from a cookie that was compromised because the attackers never gained access to LTT's passwords or 2FA keys. Thio even did a video about this kind of attack. I recommend everyone watch that and follow Thio Joe for the latest on how bad actors are going after YouTube creators and regular people.

iamvinku

While this news came out, I scrolled a bit through the replies on Twitter and stumbled upon one reply from someone who wrote a few weeks ago that he wants to talk with YouTube because he has a hunch that there is an insider (meaning, a YouTube employee) who is helping these hackers with getting into accounts.
It's just some random person on Twitter, but if that would turn out true, that would be problematic (and I doubt that even a hardware key would help in that case).

kuhluhOG

Looks like the bigger YT channels need some sort of role permission implementation baked into YT's creator control panel. Have one administrator/root login that's only for modifying/creating roles and account security settings that would normally not be logged into, even by the channel's owner, except at times when it is needed. Then have video submitters, etc. but require the channel owner authorize any changes or additions to the videos.

This way companies such as LMG can have multiple people with access, but limiting the attack surface. That way an editor can still upload a video, set the metadata for it, but ultimately require a single account to pull the trigger on it going live.

Then for the more secure logins, spawn an encrypted VM instance sandboxed for that purpose.

krozareq

LTT is popular and hated which makes them a target. Everyone loves CTT, so less likely to be hacked.

MichaelJHathaway

Linus just released a video, it's been a cookie hijack it seems.

rodrimora

Can you make a video (in depth) about the Keys please Chris?

abritabroadinthephilippines