A friend of mine is (or was...) the owner of this channel https://www.youtube.com/losliberales The channel had a few million visits* in the last months. He's been methodically ranting against govcorp both local and the soros-gates-pentagon variety from an anarchist libertarian perspective for a few months. A few days ago the account was 'hacked', the two factor authentication somehow defeated, the content deleted and replaced with advertising for some kind of ethereum scam, and at that point the account was suspended by jewtube because of 'violation of terms of service'. He's talked to jewtube and he might get the account back. So at face value this was an ordinary hack, but it seems it's also possible that, say, the argie government got the channel closed by indirect means. *he had at least one video with +1 million visits and tens of videos with 100-200k views.
‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐ On Sunday, September 20, 2020 1:37 AM, Punk-BatSoup-Stasi 2.0 <punks@tfwno.gf> wrote: ...
> A friend of mine is (or was...) the owner of this channel
> https://www.youtube.com/losliberales ... [ provocations, good trouble ] ... A few days ago the account was 'hacked', the two factor authentication somehow defeated, the content deleted and replaced with advertising for some kind of ethereum scam, and at that point the account was suspended by jewtube because of 'violation of terms of service'.
more common than attacking 2nd factor is session riding or browser jacking, using the existing auth token exfiltrated. you're then "the target" and can do as you please (until session expires). if you can attack over wifi or LAN, this is almost always easiest.
> He's talked to jewtube and he might get the account back.
they can identify this behavior as "anomalous". if they want to help or not, good luck...
> So at face value this was an ordinary hack, but it seems it's also possible that, say, the argie government got the channel closed by indirect means.
the oldest tricks still the best tricks. if you can jack session and achieve ends, without exotic exploits or extraordinary access, all the better!
> *he had at least one video with +1 million visits and tens of videos with 100-200k views.
sounds like a target :)

best regards,
On Sun, 20 Sep 2020 17:46:14 +0000 coderman <coderman@protonmail.com> wrote:
> more common than attacking 2nd factor is session riding or browser jacking, using the existing auth token exfiltrated. you're then "the target" and can do as you please (until session expires).
ah yes, I overlooked that possibility. But even if you hijack a session, wouldn't the system still re-check that you have access to your phone before allowing you to change all your passwords? It seems to me that it should? (but prolly doesn't because it's too 'inconvenient' for the user?)
> if you can attack over wifi or LAN, this is almost always easiest.
> > He's talked to jewtube and he might get the account back.
> they can identify this behavior as "anomalous". if they want to help or not, good luck...
yeah we were expecting youtube to close the channel at any moment (they did delete a few videos), so the 'hacking' may turn out to be a convenient excuse. I guess it's wait and see now.
> > So at face value this was an ordinary hack, but it seems it's also possible that, say, the argie government got the channel closed by indirect means.
> the oldest tricks still the best tricks. if you can jack session and achieve ends, without exotic exploits or extraordinary access, all the better!
yeah good point. His PC doesn't run a hardened linux or anything like that...
> > *he had at least one video with +1 million visits and tens of videos with 100-200k views.
> sounds like a target :)
> best regards,
‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐ On Sunday, September 20, 2020 6:41 PM, Punk-BatSoup-Stasi 2.0 <punks@tfwno.gf> wrote:
> ... But even if you hijack a session, wouldn't the system still re-check that you have access to your phone before allowing you to change all your passwords? It seems to me that it should? (but prolly doesn't because it's too 'inconvenient' for the user?)
note that you don't need to change passwords to accounts to be able to use them. in fact, changing passwords usually requires re-authentication, but extending a session indefinitely is free! :)

this is the dirty little secret in infosec: authorized session life cycle is almost always too lenient and too long. for example, many services don't even bind a session to an IP, so session jacking you across the globe throws up no issues.

you can have sessions that don't expire upon password change - you must instead go through a separate step to kill existing sessions!

you can have hijacked sessions that simply renew, indefinitely, keep an active connection to your accounts for days, months, years (!!) without ever having to enter credentials.

most of the time this is laziness on the part of the service provider. even the big ones. sometimes usability is given priority over security - can't cause an inconvenience for users! they won't get hacked...

end result: most services handle sessions sloppily; caveat emptor.

best regards,
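The session lifecycle problems listed in this message, and the earlier question of whether a password change should re-check the phone, as an added worked example. This is not code from any participant in the thread and not YouTube's or Google's implementation; the users, IPs, timings and the `HardenedSessionStore` design are constructed for illustration. A lenient store (renews on every request, not bound to the client, password change needs no second factor and kills nothing) sits beside a hardened one (token bound to the login IP, absolute lifetime cap, step-up second factor for a password change, all other sessions of the user revoked when it succeeds):

```python
# Toy session store, added example (not any real service's code): the lenient
# handling coderman describes beside a hardened variant. Users, IPs and timings
# used below are constructed.
import hmac
import secrets
from dataclasses import dataclass

IDLE_TIMEOUT = 30 * 60         # no request for 30 min ends a session
ABSOLUTE_LIFETIME = 12 * 3600  # hardened only: no renewal past 12 h from login
REAUTH_WINDOW = 5 * 60         # hardened only: how fresh a 2nd-factor check must be


@dataclass
class Session:
    user: str
    ip: str
    created: int
    last_seen: int
    reauth_at: float = float("-inf")   # when the 2nd factor was last verified


class LenientSessionStore:
    """Renewed by every request from any IP; survives password changes."""

    def __init__(self, users):
        self.users = dict(users)        # user -> password (plaintext: toy only)
        self.sessions = {}

    def login(self, user, password, ip, now):
        if not hmac.compare_digest(self.users.get(user, ""), password):
            return None
        token = secrets.token_urlsafe(32)
        self.sessions[token] = Session(user, ip, now, now)
        return token

    def use(self, token, ip, now):
        s = self.sessions.get(token)
        if s is None or now - s.last_seen > IDLE_TIMEOUT:
            self.sessions.pop(token, None)
            return None
        s.last_seen = now               # idle timer renewed, from any IP, forever
        return s.user

    def change_password(self, token, ip, now, new_password, second_factor_ok=False):
        if self.use(token, ip, now) is None:    # second factor is ignored here
            return False
        self.users[self.sessions[token].user] = new_password
        return True                     # every other session keeps working


class HardenedSessionStore(LenientSessionStore):
    """IP-bound, capped lifetime, step-up plus revoke-all on password change."""

    def use(self, token, ip, now):
        s = self.sessions.get(token)
        if s is None:
            return None
        if (now - s.last_seen > IDLE_TIMEOUT or now - s.created > ABSOLUTE_LIFETIME
                or s.ip != ip):
            self.sessions.pop(token)    # a token seen from elsewhere is treated as stolen
            return None
        s.last_seen = now
        return s.user

    def change_password(self, token, ip, now, new_password, second_factor_ok=False):
        if self.use(token, ip, now) is None:
            return False
        s = self.sessions[token]
        if second_factor_ok:
            s.reauth_at = now
        if now - s.reauth_at > REAUTH_WINDOW:
            return False                # sensitive action needs a fresh step-up
        self.users[s.user] = new_password
        self.sessions = {t: o for t, o in self.sessions.items()
                         if o.user != s.user or t == token}   # kill the rest
        return True


def hijack_scenario(store_cls):
    """Token replayed from another network; then the victim changes password."""
    store = store_cls({"alice": "correct horse"})
    victim_ip, attacker_ip = "203.0.113.10", "198.51.100.77"   # constructed
    token = store.login("alice", "correct horse", victim_ip, 0)
    r = {"replay_from_other_ip": store.use(token, attacker_ip, 60) is not None}
    t_victim = store.login("alice", "correct horse", victim_ip, 120)
    r["change_without_2fa"] = store.change_password(t_victim, victim_ip, 120, "second")
    r["change_with_2fa"] = store.change_password(
        t_victim, victim_ip, 121, "third", second_factor_ok=True)
    r["stolen_token_survives_change"] = store.use(token, attacker_ip, 122) is not None
    r["rider_changed_password"] = store.change_password(token, attacker_ip, 123, "pwned")
    return r


def hours_alive_same_network(store_cls, limit_hours=48):
    """Rider on the victim's LAN shares the public IP; one request every 20 min."""
    store = store_cls({"alice": "correct horse"})
    token = store.login("alice", "correct horse", "203.0.113.10", 0)
    now = 0
    while now < limit_hours * 3600:
        now += 20 * 60
        if store.use(token, "203.0.113.10", now) is None:
            return now // 3600          # hour in which the ride ended
    return limit_hours
```

Against the lenient store every step of `hijack_scenario` succeeds: the replayed token works from the other side of the world, the victim's password change (with or without the phone) leaves the rider's session alive, and the rider can then set a new password over that session without ever touching a second factor. Against the hardened store the first use from a foreign IP kills the token (which is also the "anomalous" event a provider could alert on), the victim's change without the phone is refused, and the one with the phone revokes everything else. `hours_alive_same_network` is the wifi/LAN case: the rider shares the victim's NAT address, so IP binding buys nothing and only the absolute lifetime cap (12 h here) ends the ride, while the lenient store keeps it alive for as long as anyone cares to ping it. IP binding does break for users roaming between networks, which is why real services tend to prefer device-bound tokens or risk scoring; revoking sessions on password change and step-up for sensitive actions carry no such cost.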
On Sun, 20 Sep 2020 18:49:12 +0000 coderman <coderman@protonmail.com> wrote:
> ‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐ On Sunday, September 20, 2020 6:41 PM, Punk-BatSoup-Stasi 2.0 <punks@tfwno.gf> wrote:
> > ... But even if you hijack a session, wouldn't the system still re-check that you have access to your phone before allowing you to change all your passwords? It seems to me that it should? (but prolly doesn't because it's too 'inconvenient' for the user?)
> note that you don't need to change passwords to accounts to be able to use them. in fact, changing passwords usually requires re-authentication, but extending a session indefinitely is free! :)
well passwords were changed in this case, so that would point to the phone being compromised I guess? Sorry about my ignorance of the working details of 2fa. I never bothered with it. Let me check. Ah yes, I don't even own a cellphone =)
> this is the dirty little secret in infosec: authorized session life cycle is almost always too lenient and too long. for example, many services don't even bind a session to an IP,
haha that's just...pathetic. I don't think google-nsa are that incompetent? though the bug can certainly be seen as a 'feature'...
> so session jacking you across the globe throws up no issues.
> you can have sessions that don't expire upon password change - you must instead go through a separate step to kill existing sessions!
> you can have hijacked sessions that simply renew, indefinitely, keep an active connection to your accounts for days, months, years (!!) without ever having to enter credentials.
> most of the time this is laziness on the part of the service provider. even the big ones. sometimes usability is given priority over security - can't cause an inconvenience for users! they won't get hacked...
well in this case sessions were regularly closed and if changing passwords still requires access to the phone, the phone must have been compromised, it seems to me.
> end result: most services handle sessions sloppily; caveat emptor.
> best regards,
for what it's worth, the helpful jewtube jews have 'unhacked' my friend's channel. I guess it isn't radical enough =) https://www.youtube.com/channel/UC8WwqW8uW2X6ys3PWMiDSzg/videos?disable_poly...
On Thu, Sep 24, 2020 at 10:20:21PM -0300, Punk-BatSoup-Stasi 2.0 wrote:
> for what it's worth, the helpful jewtube jews have 'unhacked' my friend's channel. I guess it isn't radical enough =) https://www.youtube.com/channel/UC8WwqW8uW2X6ys3PWMiDSzg/videos?disable_poly...
CIA must have their hopeful eyes on him... Sky-Blue Revolution, look out :D
participants (3): coderman, Punk-BatSoup-Stasi 2.0, Zenaan Harkness