How Linus Tech Tips got hacked
Skills:
Security Basics90%LLM Engineering80%Tool Use & Function Calling70%AI Security60%Defensive AI50%
Key Takeaways
The video explains how Linus Tech Tips' YouTube account was compromised via session hijacking and cookie hijacking, and discusses the technical details of the attack and potential remedies.
Full Transcript
line of Stack depth a very popular YouTube channel got hacked yesterday on March 23rd 2023. it's appropriate the use of the word hack here because the way the attacker got access is a very hacky way indeed they didn't really need the passwords they didn't really need to reset the password so to even bypass SMS or like multi-factor authentication it's not even that they use another trick which is called session hijacking and uh I wanna unpack that in technical details and go on to go through all of these layers let's jump into it so TL there are what really happened was uh one of Linus's team member has an YouTube account and that YouTube account has full access to all lionesses channels they were logged into YouTube and we know that when you log into any site that supports authentication the moment you log in the server will respond back with a nice responseer called sit cookie and that said cookie will have a value that authenticates you in the future it's called the session token or access token or refresh tokens depends like like what kind of authentication it is and that cookie is now stored locally on your browser in a tiny SQL like database called cookies listen assuming Chrome and for every request future request that goes to that same domain in this case youtube.com that cookie will be locked up in the SQL light and will be sent in the request cookies header as just a text right a server will receive that cookie we'll take that content and it knows that in this particular case this content is a session token it will look it up and says oh oh you're you're X and I will just authenticate you why and the reason is because HTTP is stateless because every request in HTTP must include pretty much everything the server needs because you can't rely on information that is persisted in the memory of that server because that server can go away anytime right every request can hit another server so that request must have everything it needs right it must transfer any state with it to the server so so what happened here is I think this team member has downloaded some sort of an attachment that end up to be an executable that executable run on that local machine and that executable that malware got access to the cookie sqlite database taking that it's a cola database it decrypted it I'm going to talk about that because it's actually encrypted how can it decrypt it because it's running as this as a process in the same user space as the other user so if Chrome can decrypt it of course another process can it's the same machine right once we have the decrypted version right which is literally another column in that database that table they sent that SQL lights cookies file to the attacker the attacker took that file replaced their Chrome local file via their Chrome go to youtube.com voila they're logged in as the team member right and just like that now they can go as it's as if someone just authenticated again right it's as if Google received another session token uh just from another IP address right that is probably small enough knows that Linus is in Canada so probably used a VPN to as if to login from Canada just to make sure not login just to add Twitter to appear to be an IPS from Canada so that session tokens in this case it's probably going to be validated so uh it's close enough right I mean Google is small enough if the same session token is all of a sudden came from Canada and then a few minutes later it's in I don't know Japan uh it's gonna raise an eyebrow and it will it should invalidate that I'm pretty sure Google has a guard logic of that I mean it depends like you might you might have your laptop you have logged in and then you actually took a flight to Japan from Canada and then you you just fired Chrome again that's probably there's like a limit they will say all right uh there's like a x amount of hours you probably just traveled things like that but again this is out of the question we might discover that later but that's that's what happened right and then they started their scam the crypto scam and all that stuff right so that's that's technically what happened so let's let's actually dive deep into what exactly uh what how cookies are stored in Chrome you see uh cookies are stored in a SQL light as I talked about it and this is literally tables called cookies with uh the host key which is the URL and the value called value that the unencrypted cookie and there's another column called encrypted value right and pretty much in that does back in 2014 they moved to the encryption previously they everything was unencrypted right so you can technically take that SQL light as is paste it in another Chrome and it will work magically that's normally the case you can you can try it now take a chrome took those I think it's in the local cookie the local app data slash Network slash default paste another Chrome it will it will fail it will not it will not detect it and the reason is because it's encrypted and it's encrypted with a local encryption key that's actually in the same it's a different directory within the same user profile so the the thing that you need to do as as the attacker the malware you have first to read the cookie file which you can because they're not running as a process as that user you can need now to decrypt the content decrypt the value of that and and it's not hard there are many scripts online that I found that actually you can do that right so hey I'm running as me why don't you let me decrypt my own cookies right and that's the trick here so you can decrypt that content and store it as another column called the value and now it's a plain text and chrome is is responsible to read plain text cookies so yeah uh so we talked about how cookies are stored we talked about how cookies can be hijacked after decrypting it and then once you have that version of the cookie SQL live you can transfer anywhere and technically it should work that's how they were able to do it and it's all because they were able to run as a script locally right and I think Theo Joe goes into really good details of how you can even enter my machine right it says like OneNote file tricks then I was like this one this one got me it was really interesting you can hide you can you can trick the extension to show as a dock but it's actually an AXA by by introducing a right to left special character which will flip that because I'm I speak Arabic so I understand how this works because I actually when I want to type in Arabic you do a special key to actually flip and start writing from right to left and and and I understand that it's it's really confusing to read Arabic and English in the same sentence it's so confusing it's it's so understandable that people took advantage of this to actually hide the extension I'll make a reference to his video that is very interesting all right so let's finally talk about session tokens here so the session tokens at least in oauth which I think YouTube users are two types right there's a refresh token and there's the access token when you first authenticate with YouTube you get back a refresh token and this is a long lived token usually weeks right or even more than that and then your the code in your browser the YouTube JavaScript code will use that refresh token to get something called the access token right and that access token is what we're talking about that would be used and sent with every request so you get that and get that temporary one maybe 30 minutes on one hour right and that access token will be stored locally okay and then will be sent and will be used with every single request you visit the page you visit you open this YouTube video the access token is always sent and that token eventually expired or prior to get expired the refresh token will detect or the code will detect then and it will request a new access token and the attacker can do all of this stuff because guess what the refresh token and the access token are stored as cookies right so what you can do here is what kind of Remedies what what what what can you do what can Google do in this case right I mean Linus mentioned this in his video I suppose this morning he said that well why don't Google why don't you you monitor us all the time you know what we're doing why don't you just see our habits and say okay usually this session or this user uh upload a single video does a bunch of editing changes the title changes the description but now if they're doing something drastic like deleting a bunch of videos maybe prompt them for the password which they don't have if they got prompted if the attacker got prompted for the password they will immediately fail right prompt them for if there's a like a drastic action prompt them invalidate the access token that's another way if if it's coming from a completely different IP address which it's an easy thing to go uh to circumvent by the attacker just use a VPN to simulate that you're in Canada right you might say why don't you have why don't we send more information about the device that is using this access token such that we associate the access token with the device that is being used but think about it this means that JavaScript in case this is because this is a browser right it is Javascript must have access to the device information because like you can't like access the MAC address seems like a security thing I wouldn't I wouldn't allow that right it's like a sketch 22. JavaScript is so you know nasty when it comes to these things you can't allow us to have eldest thing right you can say oh I'm gonna access certain device identifier a unique cache that identified that but then you get into a privacy thing right like that's a whole different topic that I don't know anything about and I'm really Frankly Speaking not interested even though but it's like oh I don't want anyone to fingerprint me and understand this like it's it's a really a cash 22 what do you do if the moment you expose the device ID then there is a way to uniquely get identified right and unfortunately you know corporates use this identifier to sell you more stuff across other other machines other than that but in this particular case could be useful to prevent session hijacking what one thing I can think of is like if the IPS has changed prompt me for a password I'm fine with it give that give that as an option to me Chrome in the browser only in the YouTube app I don't care why because I'm a mobile device and of course my IPR is just gonna change every few you know I don't know if whatever right every interval but if I'm hooked it to Wi-Fi chances that my ISP will change my IPR very rare it's gonna stay for for a long time right the IPS is the public IPS that is assigned to technically my router it's not gonna change right so yeah leave it that if it changes prompt me from a password and at least for me I use Mac and I use Safari and everything is just really using this nice you know fingerprint and just use this fingerprint and then log in it's like I don't even remember anything right passwords it's not it's not like I I use the mouse just literally but my month then dude login you know so logging in is not really a problem per se when it comes to that even if you're prompting I'll just do do that all right guys that's it for me today gonna see you in the next one bye
Original Description
In this short video we explain how was it possible for Linux to get hacked with cookies hijacking.
0:00 Intro
0:47 TLDR what happened
5:10 Cookies in Chrome
7:30 Cookies Hijacking
8:46 Session Tokens (Access/Refresh)
10:00 Remedies
Linus Video
https://youtu.be/yGXaAWbzl5A
ThioJoe Video
https://youtu.be/ieQUy8YTbFU
Fundamentals of Backend Engineering Design patterns udemy course (link redirects to udemy with coupon)
https://backend.husseinnasser.com
Fundamentals of Networking for Effective Backends udemy course (link redirects to udemy with coupon)
https://network.husseinnasser.com
Fundamentals of Database Engineering udemy course (link redirects to udemy with coupon)
https://database.husseinnasser.com
Follow me on Medium
https://medium.com/@hnasr/membership
Introduction to NGINX (link redirects to udemy with coupon)
https://nginx.husseinnasser.com
Python on the Backend (link redirects to udemy with coupon)
https://python.husseinnasser.com
Become a Member on YouTube
https://www.youtube.com/channel/UC_ML5xP23TOWKUcc-oAE_Eg/join
Buy me a coffee if you liked this
https://www.buymeacoffee.com/hnasr
Arabic Software Engineering Channel
https://www.youtube.com/channel/UChWZsjdoRvZ0T9QWZOD6UpA
🔥 Members Only Content
https://www.youtube.com/playlist?list=UUMO_ML5xP23TOWKUcc-oAE_Eg
🏭 Backend Engineering Videos in Order
https://backend.husseinnasser.com
💾 Database Engineering Videos
https://www.youtube.com/playlist?list=PLQnljOFTspQXjD0HOzN7P2tgzu7scWpl2
🎙️Listen to the Backend Engineering Podcast
https://husseinnasser.com/podcast
Gears and tools used on the Channel (affiliates)
🖼️ Slides and Thumbnail Design
Canva
https://partner.canva.com/c/2766475/647168/10068
Stay Awesome,
Hussein
Watch on YouTube ↗
(saves to browser)
Sign in to unlock AI tutor explanation · ⚡30
Playlist
Uploads from Hussein Nasser · Hussein Nasser · 0 of 60
← Previous
Next →
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
Extending ArcObjects (IGeometry) - 01 - Getting Started
Hussein Nasser
Extending ArcObjects (IGeometry) - 02 - The Document, The Map and The Layers
Hussein Nasser
Channel Update - New Book, New Job, New Videos
Hussein Nasser
Learn Programming with VB.NET - 01 - Getting Started
Hussein Nasser
Learn Programming with VB.NET - 02 - Classes and Objects (Part 1)
Hussein Nasser
Learn Programming with VB.NET - 03 - Classes and Objects (Part 2)
Hussein Nasser
Learn Programming with VB.NET - 04 - User Interface
Hussein Nasser
Learn Programming with VB.NET - 05 - By Value v. By Reference
Hussein Nasser
Learn Programming with VB.NET - 06 - Variable size, 32 bit vs 64 bit
Hussein Nasser
Learn Programming with VB.NET - 07 - Conditional Statements
Hussein Nasser
Learn Programming with VB.NET - 08 - Inheritance
Hussein Nasser
Learn Programming with VB.NET - 09 - Strategy Design Pattern
Hussein Nasser
Learn Programming with VB.NET - 10 - How did I learn programming
Hussein Nasser
IGeometry 2016 Retrospective - Channel Update
Hussein Nasser
Javascript by Example - The Vook
Hussein Nasser
Vlog - Keep your servers close and your database closer
Hussein Nasser
Vlog - Client/Server Programming Languages
Hussein Nasser
Javascript By Example L1E01 - Getting Started
Hussein Nasser
Persistent Connections (Pros and Cons)
Hussein Nasser
Javascript By Example L1E02 - Building the Calculator Interface
Hussein Nasser
Happy new Year from IGeometry!
Hussein Nasser
Synchronous v. Asynchronous
Hussein Nasser
Javascript By Example L1E03 - Displaying the Digits on Calculator Screen
Hussein Nasser
Show Your Work. Blog, Vlog, Write, Create and Develop!
Hussein Nasser
Relational Database Atomicity Explained By Example
Hussein Nasser
Javascript By Example L1E04 - Operators, All Clear with Arrow Functions
Hussein Nasser
What Comes First, User Experience or Software Architecture?
Hussein Nasser
Javascript By Example L1E05 - Evaluate the Calculator Expressions with eval
Hussein Nasser
Fastest Way to Learn Programming Language or Technology
Hussein Nasser
Javascript By Example L1E06 - Fix Leading Zero Bug with Conditions
Hussein Nasser
Stateful vs Stateless Applications (Explained by Example)
Hussein Nasser
Javascript By Example L1E07 - Running our Calculator on the Mobile Phone
Hussein Nasser
Advice for New Software Engineers and Developers
Hussein Nasser
Why JSON is so Popular?
Hussein Nasser
Building Scalable Software - SLA, HS, VS
Hussein Nasser
Vlog (Istanbul) - Datacenter Proximity
Hussein Nasser
Should Software Engineers Learn Bleeding-Edge Technologies?
Hussein Nasser
Do Developers Build Bad User Interfaces/Experience?
Hussein Nasser
Learn By Doing.
Hussein Nasser
I Wrote Bad Front-End Code That Broke Chrome
Hussein Nasser
My Story
Hussein Nasser
Vlog - Horizontal vs Vertical Scaling
Hussein Nasser
Can User Experience Help Build Better Rest API?
Hussein Nasser
Reverse engineering Instagram in flight mode
Hussein Nasser
The Benefits of the 3-Tier Architecture (e.g. REST API)
Hussein Nasser
Stateless v. Stateful Architecture (Podcast)
Hussein Nasser
The evolution from virtual machines to containers
Hussein Nasser
Proxy vs. Reverse Proxy (Explained by Example)
Hussein Nasser
Canary Deployment (Explained by Example)
Hussein Nasser
No Excuses
Hussein Nasser
Synchronous vs Asynchronous Applications (Explained by Example)
Hussein Nasser
What is an Asynchronous service?
Hussein Nasser
Difference between Client Polling vs Server Push in Notifications
Hussein Nasser
Software vs. Hardware AdBlockers (Explained by Example)
Hussein Nasser
HTTP Caching with E-Tags - (Explained by Example)
Hussein Nasser
Simple Object Access Protocol Pros and Cons (Explained by Example)
Hussein Nasser
Nodejs Express "Hello, World"
Hussein Nasser
Reverse Engineering Instagram feed
Hussein Nasser
Popup Modal Dialog with Javascript and HTML
Hussein Nasser
MIME and Media Type sniffing explained and the type of attacks it leads to
Hussein Nasser
More on: Security Basics
View skill →Related Reads
📰
📰
📰
📰
Why We Stop Injecting Code Into Shopify Themes for B2B Wholesale
Dev.to · Anil Kumar
A founder once asked me why refunds kept disappearing, here is what NestJS was actually doing
Dev.to · Peace Melodi
I reviewed a NestJS fintech backend where the numbers never quite matched, this is the fix
Dev.to · Peace Melodi
Impact of deployment topology on rate-limiting and trust proxy
Dev.to · Rushikesh Surve
Chapters (6)
Intro
0:47
TLDR what happened
5:10
Cookies in Chrome
7:30
Cookies Hijacking
8:46
Session Tokens (Access/Refresh)
10:00
Remedies
🎓
Tutor Explanation
DeepCamp AI