In the wake of some high-profile hacks on YouTube, we discuss how crooks are using an attack called “session hijacking” to take over accounts without ever needing the account password.
On Thursday 23rd March 2023, the Linus Tech Tips YouTube channel – with over 15 million subscribers – was compromised by crooks, who used the channel to promote cryptocurrency scams. In a video revealing what happened, the channel’s founder Linus Sebastian explained exactly how the crooks compromised his popular YouTube channel without needing either the password or a 2FA code.
Having both a strong password and two-factor authentication enabled is an absolute must for any important online account. But as the recent hack of Linus Tech Tips illustrates, both can be bypassed by a session hijacking attack. And while these attacks are rarer than, say, a generic phishing attack (session hijacking usually takes more effort on the part of the crook), they can still be used to great effect and with devastating consequences.
Session hijacking happens when crooks manage to get a hold of a user’s “session” – but what do we mean by “session”?
When a user logs into a website (e.g. YouTube) using their password (and 2FA code if enabled), that website creates a session token, or session ID, and hands it to the user’s browser, which sends it back with every subsequent request. This allows the website to keep track of the user for a certain period of time, so it doesn’t forget them and ask for their password every 30 seconds.
After all, it would get quite tiresome if we had to log in to a website every single time we closed our browser or went to make a cup of coffee! Session tokens and IDs let a website know it’s still the same user, even if 20 minutes have passed or the user has restarted their browser.
The session token itself – typically a long random string of letters and numbers, usually stored as a cookie – is saved on the user’s device (e.g. smartphone or PC). Sessions usually expire after a certain time (which is why, if a user hasn’t visited a website for a long time, they have to log back in), or they are deleted when the user logs out of the website.
But if a crook can steal that token while it is still active, they can present it to the website and it will treat them as the user. They get into the account using just that one piece of information, effectively bypassing any authentication: the password and, yes, two-factor authentication as well. From the website’s side, a request carrying a stolen token looks exactly like one from the real user’s browser.
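To make the session lifecycle concrete, here is a small added example (written for this article, not code from YouTube or from Linus Tech Tips) of a server-side session store. The account, password, 2FA code and 30-day lifetime are all made up. The point to watch is `authenticate()`: the password and 2FA code are checked once at login, and every later request is judged purely on whether the token is live, so a replayed token from a thief is accepted exactly like the victim’s own browser. Logout, expiry and a “sign out everywhere” revocation are the only things that kill it.

```python
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed demo account; the password and 2FA code are made up for this example.
USERS = {
    "editor@example.com": {"password": "correct horse battery staple", "totp": "492817"},
}
SESSION_TTL = 30 * 24 * 3600  # assumed 30-day session lifetime


@dataclass
class Session:
    user: str
    expires_at: float  # Unix time after which the token is dead


class SessionStore:
    """Server-side session table: token -> Session. Only the token crosses the wire."""

    def __init__(self) -> None:
        self._sessions: Dict[str, Session] = {}

    def login(self, user: str, password: str, totp: str, now: float) -> Optional[str]:
        """The front door: password and 2FA code are checked once, here, at login."""
        record = USERS.get(user)
        if record is None:
            return None
        if not (hmac.compare_digest(record["password"], password)
                and hmac.compare_digest(record["totp"], totp)):
            return None
        token = secrets.token_urlsafe(32)  # 256 bits of randomness; this is what the cookie holds
        self._sessions[token] = Session(user=user, expires_at=now + SESSION_TTL)
        return token

    def authenticate(self, token: str, now: float) -> Optional[str]:
        """Every later request: the server checks only that the token is live.
        It has no way to tell the user's browser from a thief replaying the token."""
        session = self._sessions.get(token)
        if session is None:
            return None
        if now >= session.expires_at:
            del self._sessions[token]  # expired sessions are purged on first use
            return None
        return session.user

    def logout(self, token: str) -> None:
        """User-initiated logout deletes the session, so the token stops working."""
        self._sessions.pop(token, None)

    def revoke_all(self, user: str) -> int:
        """Incident response: kill every session for the account, stolen ones included."""
        doomed = [t for t, s in self._sessions.items() if s.user == user]
        for t in doomed:
            del self._sessions[t]
        return len(doomed)


def demo() -> dict:
    """Walk through login, hijack, logout, expiry and revocation; returns what each step saw."""
    store = SessionStore()
    user, pw, code = "editor@example.com", "correct horse battery staple", "492817"
    t0 = time.time()
    results = {}

    results["wrong_2fa_rejected"] = store.login(user, pw, "000000", t0) is None
    token = store.login(user, pw, code, t0)
    results["victim_request"] = store.authenticate(token, t0 + 60)

    # The stealer copies the token from the victim's browser profile; the attacker
    # replays it an hour later with no password and no 2FA code.
    stolen = token
    results["attacker_replay"] = store.authenticate(stolen, t0 + 3600)

    store.logout(token)
    results["after_logout"] = store.authenticate(stolen, t0 + 3601)

    token2 = store.login(user, pw, code, t0)
    results["after_expiry"] = store.authenticate(token2, t0 + SESSION_TTL + 1)

    token3 = store.login(user, pw, code, t0)
    results["revoked_count"] = store.revoke_all(user)
    results["after_revoke"] = store.authenticate(token3, t0 + 10)
    return results


if __name__ == "__main__":
    for step, outcome in demo().items():
        print(f"{step:20s} -> {outcome}")
```

Running it shows `attacker_replay` returning the victim’s identity just as `victim_request` does, which is the whole attack in one line; `revoke_all()` is the control a site needs so that a compromised user can evict a thief without waiting for the token to expire.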
Of course, the crux of this scam is stealing the session token from the user, and there are a few ways to do it. If a crook gains access to the user’s home Wi-Fi, or the user is on a public Wi-Fi connection (without a VPN), the crook can eavesdrop on data going to and from the user’s device, though this only exposes the token if the site sends it over unencrypted HTTP rather than HTTPS, which is rare for major sites today. In the case of Linus Tech Tips, however, it was a classic email malware scam. One of the channel’s employees opened a targeted scam email containing a zipped-up fake PDF document which, once opened, installed malware onto their device.
It was that malware that went searching the device for any stored session tokens it could steal, and it found them. The browser’s own safeguards don’t help here: flags such as HttpOnly stop a web page’s scripts from reading a cookie, but they do nothing against malware reading the browser’s cookie store straight from disk. The active session tokens it found were, as you probably guessed, for the Linus Tech Tips YouTube channel.
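What “active sessions stored on the device” looks like in practice is an SQLite cookie file in the browser profile. The added example below (not from the article, and not the actual malware) builds an in-memory stand-in with a subset of the Chromium `cookies` table columns and entirely made-up rows, then runs the same lookup a stealer, or an incident responder asking “which sessions were exposed?”, would run: cookies for a given domain that are either browser-session cookies or not yet expired. The cookie names and values are constructed; the timestamp convention (microseconds since 1601-01-01 UTC) is Chromium’s.

```python
import sqlite3
import time
from typing import Dict, List

# Chromium-based browsers keep cookies in an SQLite file ("Cookies" in the profile
# directory) and store timestamps as microseconds since 1601-01-01 UTC.
WEBKIT_EPOCH_OFFSET_S = 11_644_473_600


def unix_to_webkit(ts: float) -> int:
    return int((ts + WEBKIT_EPOCH_OFFSET_S) * 1_000_000)


def webkit_to_unix(ts: int) -> float:
    return ts / 1_000_000 - WEBKIT_EPOCH_OFFSET_S


# Constructed reference time: 2023-03-23 00:00:00 UTC (the day of the hack).
NOW = 1_679_529_600
DAY = 86_400


def build_sample_cookie_db() -> sqlite3.Connection:
    """In-memory stand-in for a browser profile's Cookies file.
    The columns are a subset of Chromium's schema; every row and value is made up."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        """CREATE TABLE cookies (
               host_key TEXT, name TEXT, value TEXT, path TEXT,
               expires_utc INTEGER, is_secure INTEGER, is_httponly INTEGER,
               has_expires INTEGER)"""
    )
    rows = [
        # A long-lived, HttpOnly login cookie: the prize.
        (".youtube.com", "LOGIN_TOKEN", "fake-token-0001", "/", unix_to_webkit(NOW + 180 * DAY), 1, 1, 1),
        # A non-sensitive preference cookie, still "live" but worthless for hijacking.
        (".youtube.com", "PREF", "f6=40000000", "/", unix_to_webkit(NOW + 365 * DAY), 0, 0, 1),
        # An expired login cookie from an earlier session: useless to a thief.
        (".youtube.com", "LOGIN_TOKEN", "fake-token-stale", "/", unix_to_webkit(NOW - DAY), 1, 1, 1),
        # A browser-session cookie (no expiry set) on an unrelated site.
        (".example.org", "sessionid", "fake-session-0002", "/", 0, 1, 1, 0),
    ]
    conn.executemany("INSERT INTO cookies VALUES (?,?,?,?,?,?,?,?)", rows)
    conn.commit()
    return conn


def live_cookies(conn: sqlite3.Connection, host_suffix: str, now_unix: float = NOW) -> List[Dict]:
    """Return cookies for host_suffix that could still be replayed: browser-session
    cookies (has_expires = 0) or cookies whose expiry is still in the future."""
    cur = conn.execute(
        "SELECT host_key, name, value, expires_utc, is_secure, is_httponly, has_expires "
        "FROM cookies WHERE host_key LIKE ? ORDER BY name",
        ("%" + host_suffix,),
    )
    found = []
    for host_key, name, value, expires_utc, is_secure, is_httponly, has_expires in cur:
        if has_expires and webkit_to_unix(expires_utc) <= now_unix:
            continue  # already expired; the site would reject it anyway
        found.append({
            "host": host_key,
            "name": name,
            "value": value,
            "expires": None if not has_expires else webkit_to_unix(expires_utc),
            "httponly": bool(is_httponly),  # no protection against a process reading the file
            "secure": bool(is_secure),
        })
    return found


if __name__ == "__main__":
    db = build_sample_cookie_db()
    for c in live_cookies(db, "youtube.com"):
        exp = "session" if c["expires"] is None else time.strftime("%Y-%m-%d", time.gmtime(c["expires"]))
        print(f"{c['host']:15s} {c['name']:12s} expires={exp} httponly={c['httponly']}")
```

On real Windows and macOS profiles the `value` column is empty and the cookie sits in an `encrypted_value` blob protected by an OS-managed key, which stealers unwrap with the logged-in user’s own credentials; that extra step doesn’t change the lookup above. For a defender, the same query against a compromised machine’s profile gives the list of accounts whose sessions need to be revoked.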
And that was all they needed. From there the crooks gained full access to the account, posted various videos with links to cryptocurrency websites in the descriptions, and mass-deleted the channel’s existing videos.
And as Linus himself pointed out, detecting a session hijacking attack can be difficult, because if someone manages to gain access to an account we own, our first assumption is that the crooks got in through the front door (the password) rather than through the lesser-used back door. That matters for recovery too: a stolen session stays valid until it expires or is revoked, so signing out of all devices (an option most major services offer in their security settings) should go hand in hand with changing the password.
As for Linus Tech Tips, they did manage to get their YouTube channel back up and running.