“This attack highlights a significant problem with the way services such as YouTube are designed”
The recent attack on Linus Tech Tips shows that YouTube needs to update its security procedures. Plus, why the pub will always win over zero inbox
Another day, another YouTube channel hack. This time it was Linus Tech Tips, one of the more prolific YouTubers. Linus and team lost control of multiple channels that they run, and the miscreants decided to delist most of the huge library of videos stored there, and also to start posting videos of their own.
Fortunately, Linus and co took back control of the channels quite quickly; YouTube support was apparently a big help, but this should be no surprise for a channel that has 15.3 million subscribers and nearly 7 billion video views.
So, what went wrong? Surely they weren’t using passwords such as “password” or “12345678”? No, of course not. Instead, this attack highlights a significant and growing problem with the way in which services such as YouTube are designed and implemented.
There’s a long video on the channel explaining the attack, but the short version is this. Someone on the team downloaded what appeared to be a PDF file from an address that, at first glance, looked legitimate. Said person unpacked the file, and then tried to run the PDF file to see the contents. However, it didn’t render cleanly. That’s because it wasn’t a PDF file at all, but malware. Malware designed to steal the session token from a browser that was already logged in to and authenticated for YouTube.
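A defender's check for the disguise described above, added here as an example that is not part of the original article: it compares what a file's name claims with what its first bytes say. The function names, the extension list and the sample inputs are constructed for illustration.

```python
from pathlib import Path

PDF_MAGIC = b"%PDF-"
# Leading bytes of native executables.
EXECUTABLE_MAGIC = {b"MZ": "Windows PE", b"\x7fELF": "ELF"}
# Extensions Windows will run rather than open in a viewer (not exhaustive).
RUNNABLE_EXT = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".lnk"}


def pdf_masquerade_findings(name: str, head: bytes) -> list[str]:
    """Return reasons a file that presents itself as a PDF is not one."""
    findings = []
    suffixes = [s.lower() for s in Path(name).suffixes]
    claims_pdf = ".pdf" in suffixes
    final = suffixes[-1] if suffixes else ""

    # "offer.pdf.scr": the last extension decides what happens on double-click.
    if claims_pdf and final in RUNNABLE_EXT:
        findings.append(f"double extension: opens as {final}, not as a PDF")
    # A PDF name on top of executable content.
    for magic, kind in EXECUTABLE_MAGIC.items():
        if claims_pdf and head.startswith(magic):
            findings.append(f"content is a {kind} executable")
    # Lenient header test: PDF readers accept the marker near the file start.
    if final == ".pdf" and PDF_MAGIC not in head[:1024]:
        findings.append("named .pdf but no %PDF- header in the first 1024 bytes")
    return findings


def check_file(path: str) -> list[str]:
    """Run the check on a file on disk, e.g. one just unpacked from an archive."""
    with open(path, "rb") as fh:
        return pdf_masquerade_findings(Path(path).name, fh.read(1024))


# Constructed samples: (file name, first bytes of the file).
SAMPLES = [
    ("manual.pdf", b"%PDF-1.7\n"),
    ("sponsorship offer.pdf.scr", b"MZ\x90\x00"),
    ("offer.pdf", b"MZ\x90\x00"),
]

if __name__ == "__main__":
    for sample_name, sample_head in SAMPLES:
        print(sample_name, "->", pdf_masquerade_findings(sample_name, sample_head) or "no mismatch")
```

An empty result only means the name and header agree; it says nothing about whether a genuine PDF is safe to open.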
Here’s how it works. When you log in, the browser session takes