The story behind LTT channel getting hijacked

  • 7 replies, 453 views
  • Saka (Level 52)
    Hey Legionnaires! Some of you might be following the Linus Tech Tips channel and noticed some suspicious activity on it yesterday morning. It had been hacked and as a result all the videos were unlisted or deleted, the name was changed to Tesla and a livestream with Elon Musk talking about cryptocurrencies was broadcast from it. There were also some scam links posted on it.
    Today, a new video was uploaded following the restoration of the channel. Linus explains how he learned about the issue and spent most of his night trying to untangle it.



    Obviously, they did have two-factor authentication. It is not a bulletproof solution though, and some ways of authenticating are less secure than others. For example, SMS authentication, which is one of the most commonly used methods, is susceptible to social engineering targeted at the phone carrier. Notification-based authentication is vulnerable to a fatigue attack, where the owner gets spammed with prompts until they accidentally or absent-mindedly click “allow” in the notification pop-up.

    However, this time the hijack was not done using any of these. The attackers simply decided to bypass the login, passwords and authentication altogether. They used a session token attack.

    How does a session token work? It is basically a cookie stored locally on your device that is created once you have logged in and cleared the 2FA, if applicable. That way, you don’t have to log in again when you close your browser, because the session is kept alive.

    So, how was it obtained? Basically, social engineering happened. I think this still falls under the definition of phishing, as one of the definitions I found is as follows:
    A technique for attempting to acquire sensitive data, such as a bank account number, through fraudulent solicitation in email or on a website, in which the perpetrator masquerades as a legitimate business or a reputable person.

    What happened was that an employee at LTT Media received an email, claiming to be from a sponsor, which had a malware attachment. It was masqueraded as a legitimate source, raising no immediate red flags. The included file was presented in a way suggesting that it was a PDF file containing terms and conditions for the sponsorship. Except that it didn’t work. As it later turned out, in a matter of seconds it copied all the data from both browsers installed on the affected system, such as passwords and cookies, including session tokens, for every website that was present in the browser history, and sent them to the destination machine.
    Lessons learned there: never just unzip an email attachment without double and triple-checking it, even if it comes from a seemingly legitimate source. Always check the file extensions. If a file doesn’t do what it was supposed to do, that should immediately raise a huge red flag and be a call to action.

    If you have a company, such as, for example, a larger streamer, it should be your responsibility to provide appropriate training to your employees, rather than pin the blame on a less experienced employee getting exploited. More rigorous training on security generally pays off and prevents these kinds of attacks. It’s worth noting that methods of attack evolve and change at a similar rate as the technology does.

    It also turns out there are sometimes drawbacks to using channel managers: they add a layer of obfuscation. Since multiple accounts can manage the channel, it was not easy to establish which one was compromised and responsible for hijacking the channel. Unfortunately, Google’s support can be a mixed bag. They respond rather quickly to big channels, but even then they don’t provide much data on the process of restoring the account. Smaller producers often have to wait a long time to get any help.

    Finally, Linus makes a very good point that Google allows a single session token too much; it should have a decay based on the actions done, known as rate limiting. For example, it should never be possible to delete thousands of videos on a single token without having to provide any two-factor authentication. There is time-based expiry, but it lasts very long. In theory, there is also location-based expiry, but even in my experience it doesn’t work very well. It should not allow sudden logins from, let’s say, New Zealand, but fairly often it actually does.
    Unamused Snarktooth. Advocate for hearing loss & accessibility. Person, friend and a terrible/terrific* artist.
    *delete as appropriate
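To show what "decay based on actions done" and location-based expiry on a session token could look like on the server side, here is an added example in Python. It is not code from the original post, from YouTube or from Google; it is a constructed session store that (a) hashes tokens at rest, (b) binds each session to the client IP and user agent seen at login and revokes the session if the same token turns up from a different client, (c) applies an absolute lifetime, and (d) counts destructive actions per session and demands a fresh 2FA step-up once a small budget is used. The threshold, lifetime, IP addresses and user-agent strings are all constructed values chosen for the demo.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

# Constructed policy values for the demo: how many destructive actions a single
# session may perform before a fresh 2FA step-up is required, and the absolute
# lifetime of a session in seconds.
STEP_UP_THRESHOLD = 5
ABSOLUTE_LIFETIME = 8 * 3600


class SessionError(Exception):
    """Session is unknown, expired, or was revoked."""


class StepUpRequired(SessionError):
    """Action budget exhausted: the user must re-authenticate with 2FA."""


@dataclass
class Session:
    user: str
    created: float
    ip: str
    user_agent_hash: str
    destructive_count: int = 0   # actions done since the last 2FA step-up


class SessionStore:
    def __init__(self, now=time.time):
        self._now = now          # injectable clock so expiry can be tested
        self._sessions = {}      # sha256(token) -> Session; raw tokens are never stored

    @staticmethod
    def _key(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    @staticmethod
    def _ua_hash(user_agent: str) -> str:
        return hashlib.sha256(user_agent.encode()).hexdigest()

    def create(self, user: str, ip: str, user_agent: str) -> str:
        """Issue a new session after login + 2FA; bind it to the client that logged in."""
        token = secrets.token_urlsafe(32)
        self._sessions[self._key(token)] = Session(user, self._now(), ip, self._ua_hash(user_agent))
        return token

    def revoke(self, token: str) -> None:
        self._sessions.pop(self._key(token), None)

    def _lookup(self, token: str, ip: str, user_agent: str) -> Session:
        sess = self._sessions.get(self._key(token))
        if sess is None:
            raise SessionError("unknown session")
        if self._now() - sess.created > ABSOLUTE_LIFETIME:
            self.revoke(token)
            raise SessionError("session expired")
        # A stolen cookie replayed from another machine will not match the
        # client it was bound to; treat that as compromise and kill the session.
        if sess.ip != ip or not hmac.compare_digest(sess.user_agent_hash, self._ua_hash(user_agent)):
            self.revoke(token)
            raise SessionError("session used from a different client; revoked")
        return sess

    def record_step_up(self, token: str, ip: str, user_agent: str) -> None:
        """Called after the user completes a fresh 2FA challenge: reset the action budget."""
        self._lookup(token, ip, user_agent).destructive_count = 0

    def authorize_destructive(self, token: str, ip: str, user_agent: str, action: str) -> bool:
        """Gate a destructive action (delete/unlist video, rename channel) on the session budget."""
        sess = self._lookup(token, ip, user_agent)
        if sess.destructive_count >= STEP_UP_THRESHOLD:
            raise StepUpRequired(f"{action}: re-authenticate with 2FA before continuing")
        sess.destructive_count += 1
        return True


def demo() -> dict:
    """Walk through a bulk-delete attempt and a token replay from another client."""
    clock = [1_000_000.0]
    store = SessionStore(now=lambda: clock[0])
    ip, ua = "198.51.100.10", "Firefox/111"          # constructed values
    token = store.create("creator", ip, ua)

    allowed, step_up_hit = 0, False
    for i in range(12):                              # attempt to delete 12 videos on one token
        try:
            store.authorize_destructive(token, ip, ua, f"delete video {i}")
            allowed += 1
        except StepUpRequired:
            step_up_hit = True
            break

    store.record_step_up(token, ip, ua)              # legitimate user passes 2FA again
    try:                                             # same token replayed from another client
        store.authorize_destructive(token, "203.0.113.7", "Chrome/111", "delete video")
        replay_blocked = False
    except SessionError:
        replay_blocked = True

    return {"allowed_before_step_up": allowed, "step_up_required": step_up_hit,
            "replay_blocked": replay_blocked}


if __name__ == "__main__":
    print(demo())
```

Binding to the exact IP is deliberately coarse; the post itself notes that location-based checks are unreliable in practice, and a real service would use a looser signal (ASN, country, device fingerprint) and prefer revoke-and-re-prompt over silent blocking. The point the example makes is the per-session action budget: even a perfectly stolen cookie can do only a handful of destructive things before the attacker hits a 2FA wall.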

  • DracoTarot (Level 52)
    @Saka I watch his channel all the time and yeah, it sucks being hacked. It seems the hackers will find a way eventually to bypass any security method meant to protect personal data.

    The 2FA does work in some instances but not always. I clear my browsing history at least every second day and never save any passwords in Chrome. All my logins have 2FA, but still, a hacker was able to collect all my info. They hacked my PayPal account and my bank account. Did a few transactions from my bank through PayPal and changed my passwords. When the hacker was done, the hacker closed my PayPal account and I was unable to log in again.

    The hacker also made Google ads under my name and made purchases on the Google play store. I was able to track the IP and the hacker was from Russia. My personal info was stolen from SITE123's database. I had a website with them and after a search noticed many people were complaining their data was compromised.

    Google support basically refused to lend a helping hand and wanted to bill me for all the ads and monetization done through Google Ads and my profile. Had to delete my online presence completely. Even closed my Facebook account.

    I rarely use Chrome these days. My browser of choice is Duck Duck Go. So far my info seems to be secure.
    Last edited by DracoTarot; 25-03-23 at 14:34.
  • AhmedOsmaan (Level 17)
    So impressed by his response. Explaining what happened, taking responsibility and not just blaming subordinates, making constructive recommendations, and showing gratitude and grace.
  • Saka (Level 52)
    @DracoTarot It sucks and is unfortunate that individuals or small companies can't count on support from Google. For example, the Android subreddit is full of wrongly banned devs and they just get bot replies.
    @AhmedOsmaan Indeed, it is very good of him to take the responsibility and treat it as a lesson on how to be more secure in the future.
    Unamused Snarktooth. Advocate for hearing loss & accessibility. Person, friend and a terrible/terrific* artist.
    *delete as appropriate
  • DracoTarot (Level 52)
    @Saka Linus kept his cool and I respect the fact he didn't blame anyone for the hack. It was an honest mistake to open the PDF file and anyone can fall victim to hackers. I'm glad he was able to save his YouTube channel. Would have been crazy to lose all the subs and content. Hackers are vile human beings if they are only using their skills to commit evil acts.

    Much respect for the man fending off the hackers only in his birthday suit. 😂
  • Saka (Level 52)
    @DracoTarot Oh yes, the strawberry in the security camera footage was hilarious. 😂

    I remember from a video about roasting Linus, maybe it was the WAN Show, not sure, that Yvonne said he sweats a lot in bed (something along the lines of making everything wet just by sleeping), so I guess that's why the birthday suit.

    I've already seen a meme that one can see who's wearing the pants there (in the security footage). 😂
    Unamused Snarktooth. Advocate for hearing loss & accessibility. Person, friend and a terrible/terrific* artist.
    *delete as appropriate
  • DracoTarot (Level 52)
    @Saka 😂🤣

    Something else his viewers and friends make fun of is his sandals. He wears sandals all the time no matter where he goes.

    He could've at least put on a pair of boxers or something 😂 but I guess it's his territory and flopping around even on a security cam doesn't matter at all. 😁
  • Saka (Level 52)
    Something else his viewers and friends make fun of is his sandals. He wears sandals all the time no matter where he goes.

    Sandals with SOCKS! You left out the important part. 🤣
    Unamused Snarktooth. Advocate for hearing loss & accessibility. Person, friend and a terrible/terrific* artist.
    *delete as appropriate