Yesterday, we reported that the channels of YouTuber Linus Sebastian were taken over by hackers. The threat actors removed the videos from his channel Linus Tech Tips and replaced them with two videos that discuss cryptocurrency and feature business mogul Elon Musk. Upon discovering the incident, Google took the videos down and Sebastian eventually regained access to his channels. However, how the threat actors managed to infiltrate the YouTuber's channels remained unknown, at least until now.
In a recently uploaded video, Sebastian confirmed that his company fell victim to a cyberattack called session hijacking, also known as cookie hijacking. A session hijacking attack normally happens when a threat actor gains access to a victim's online accounts by stealing their session cookies, eliminating the need to capture login credentials or go through multifactor authentication (MFA). Session cookies are stored locally on a user's PC every time they log in to a website.
How does a threat actor gain access to a session cookie, you ask? They start by sending the victim a phishing email that pretends to be something important (e.g., a message from a close friend or a business invoice). These emails typically contain a malicious attachment that appears to be a PDF but is in reality an executable file capable of introducing malware to the victim's system. As soon as the malware runs, it steals session cookies, allowing cybercriminals to access the victim's account without entering login credentials.
This is exactly what happened in the incident that affected Sebastian's company, as one of his team members downloaded what appeared to be a sponsorship offer from a potential partner. The email reportedly came from a legitimate-looking source and didn't have obvious red flags like grammatical errors. Because the team member thought the email was legitimate, they extracted the contents and launched what appeared to be a PDF containing the terms of the deal. When the file presumably didn't open, the employee went on with the rest of their day.
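The mismatch described in the two paragraphs above (a file that passes as a PDF by name but is an executable by content) is something a mail gateway or endpoint agent can check before anyone opens the file. The following is an added example, not code from the article or from any product it mentions; the magic-byte signatures and the executable-extension list are standard, and the sample archive is constructed here for illustration.

```python
"""Screen email attachments for the "looks like a PDF, is really an
executable" pattern. Added example; not the article's code."""
import io
import zipfile

# Well-known file header signatures (magic bytes).
SIGNATURES = {
    "pdf": b"%PDF-",
    "pe": b"MZ",            # Windows .exe/.scr/.dll
    "elf": b"\x7fELF",
    "zip": b"PK\x03\x04",
}
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".msi", ".js", ".vbs", ".hta"}
RTLO = "\u202e"  # right-to-left override: visually reverses the tail of a filename


def sniff_type(data: bytes) -> str:
    """Classify content by its leading bytes, ignoring the filename entirely."""
    for kind, magic in SIGNATURES.items():
        if data.startswith(magic):
            return kind
    return "unknown"


def screen_attachment(filename: str, data: bytes) -> list[str]:
    """Return a list of findings; an empty list means nothing suspicious."""
    findings = []
    name = filename.lower()
    if RTLO in name:
        findings.append("right-to-left override character in filename")
    exts = ["." + p for p in name.split(".")[1:]]   # "a.pdf.scr" -> [".pdf", ".scr"]
    last = exts[-1] if exts else ""
    if last in EXECUTABLE_EXTS:
        findings.append(f"executable extension {last}")
    if ".pdf" in exts[:-1]:
        findings.append("'.pdf' used as a decoy in a double extension")
    kind = sniff_type(data)
    if last == ".pdf" and kind != "pdf":
        findings.append(f"named .pdf but content is {kind}")
    if kind == "pe" and last not in EXECUTABLE_EXTS:
        findings.append("Windows executable header under a non-executable extension")
    return findings


def screen_archive(data: bytes) -> dict[str, list[str]]:
    """Screen every member of a ZIP archive (the "extracted the contents" step)."""
    report = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            report[info.filename] = screen_attachment(info.filename, zf.read(info))
    return report


def make_sample_archive() -> bytes:
    """Constructed sample: a decoy name over a fake 'MZ' header (not a real program)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Sponsorship_Terms.pdf.scr", b"MZ\x90\x00" + b"\x00" * 60)
        zf.writestr("readme.txt", b"Please review the attached terms.")
    return buf.getvalue()


if __name__ == "__main__":
    for member, findings in screen_archive(make_sample_archive()).items():
        print(member, "->", findings or "clean")
```

The content check is the one that matters: a filename is attacker-controlled, but the first bytes of the file are what the operating system will actually execute, so any policy that only looks at the extension can be bypassed by a double extension or a right-to-left override.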
However, the file actually contained malware that harvested user data from the installed browsers, such as locally saved passwords, cookies, and browser preferences. The threat actors then exported that data and stole the user's session, which gave them access to every website the user was logged into, including Sebastian's YouTube channels.
Sebastian admitted that if his company had provided more rigorous training for newcomers and better processes for following up on notifications from its sitewide anti-malware program, it would not have fallen victim to the attack.
The tech YouTuber also took the time to call out Google's email responses regarding the incident.
"Other than [saying] 'We're aware and working on it,' the internal team doesn't seem to even be allowed to communicate with creators directly. They figured out that the attack came from one of our non-video production teams pretty quickly and banned that Google Workspace account almost immediately. But even a quick 'Hey, I know you're stressed, here's what's going on, and here's how we can keep this from spreading' would almost certainly have calmed my nerves and saved all of us some work by keeping TechLinked and Techquickie in our hands."
Sebastian also mentioned how Google's one-on-one email incident response only benefits larger channels like theirs. "I've seen quite a few people express resentment that we were able to get this resolved so quickly when their favorite niche creator X or Y struggled with it for an extended period of time or never got it fully resolved," he stated.
As such, Sebastian believes that there is a need for better security options for key YouTube channel attributes to mitigate session hijacking attacks. For instance, he says that YouTube should require users to re-enter their password or re-authenticate when changing important elements like the channel name and stream keys or deleting multiple videos simultaneously. He also says that YouTube should require users to re-authenticate if their location suddenly changes.
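The controls Sebastian asks for here (a fresh password check before sensitive changes, and re-authentication after a location change) and the "stolen session works everywhere" problem from the paragraph about the malware can both be illustrated with one server-side session store. This is an added example, not YouTube's or Google's code: `geolocate` is a constructed stand-in for a GeoIP lookup, and the action names, time windows and IP addresses are assumptions.

```python
"""Server-side session controls that limit what a stolen cookie can do.
Added example; not the article's, YouTube's or Google's code."""
import hashlib
import secrets
from dataclasses import dataclass

# Actions that should require a recent password/MFA proof (assumed names).
SENSITIVE_ACTIONS = {"rename_channel", "change_stream_key", "bulk_delete_videos"}
REAUTH_WINDOW = 5 * 60        # seconds: a sensitive action needs a proof this recent
MAX_SESSION_AGE = 12 * 3600   # seconds: absolute lifetime of a session cookie

# Constructed IP -> country table standing in for a real GeoIP database (assumption).
_GEO = {"203.0.113.10": "CA", "198.51.100.7": "CA", "192.0.2.55": "RU"}


def geolocate(ip: str) -> str:
    return _GEO.get(ip, "??")


@dataclass
class Session:
    user: str
    country: str       # country seen at login or at the last re-authentication
    user_agent: str
    created: float
    last_auth: float   # time of the last password/MFA proof


class SessionStore:
    def __init__(self) -> None:
        self._by_hash: dict[str, Session] = {}

    @staticmethod
    def _key(token: str) -> str:
        # Store only a hash, so a leaked store does not yield usable cookies.
        return hashlib.sha256(token.encode()).hexdigest()

    def login(self, user: str, ip: str, user_agent: str, now: float) -> str:
        token = secrets.token_urlsafe(32)
        self._by_hash[self._key(token)] = Session(user, geolocate(ip), user_agent, now, now)
        return token

    def authorize(self, token: str, action: str, ip: str, user_agent: str, now: float) -> str:
        """Return "allow", "reauth" (prompt for password/MFA) or "deny"."""
        s = self._by_hash.get(self._key(token))
        if s is None or now - s.created > MAX_SESSION_AGE:
            return "deny"
        # A replayed cookie presented from a new country or client must prove itself again.
        if geolocate(ip) != s.country or user_agent != s.user_agent:
            return "reauth"
        # Destructive or identity-changing actions need a fresh proof even from a trusted client.
        if action in SENSITIVE_ACTIONS and now - s.last_auth > REAUTH_WINDOW:
            return "reauth"
        return "allow"

    def reauthenticate(self, token: str, ip: str, user_agent: str, now: float,
                       password_ok: bool) -> bool:
        """Record a successful password/MFA check and rebind the session to this client."""
        s = self._by_hash.get(self._key(token))
        if s is None or not password_ok:
            return False
        s.country, s.user_agent, s.last_auth = geolocate(ip), user_agent, now
        return True

    def revoke_all(self, user: str) -> int:
        """Incident response: invalidate every session of a compromised user."""
        keys = [k for k, s in self._by_hash.items() if s.user == user]
        for k in keys:
            del self._by_hash[k]
        return len(keys)


if __name__ == "__main__":
    store = SessionStore()
    ua = "Mozilla/5.0 (Windows NT 10.0) Chrome/111"
    tok = store.login("editor", "203.0.113.10", ua, now=1000.0)
    print(store.authorize(tok, "bulk_delete_videos", "203.0.113.10", ua, now=2000.0))  # reauth
    print(store.authorize(tok, "view_analytics", "192.0.2.55", ua, now=2000.0))        # reauth
```

With these checks a copied cookie alone cannot rename the channel, rotate stream keys or mass-delete videos: the request either arrives from a different country or client and is challenged, or it arrives from the victim's own machine but the password proof is stale. Hashing the stored token and revoking all of a user's sessions at once are the two pieces an incident responder needs once theft is suspected.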
You can watch Sebastian's full reaction to the issue in the video above.