TL;DW: An employee downloaded something and got token logged.
Thanks. Nasser can often be long-winded to fill up some playtime quota.
Thanks, but still, Hussein's explanation gives me more curiosity.
@@poulticegeist I was just about to write that. I like his content but his long-winded explanations in so many videos are just unbearable sometimes.
@@poulticegeist well, he did mention the TL;DR in the video himself as well.
One could just add the IP of the user to the refresh (and maybe even the access) token and require the user to provide a second factor when the token is used from another IP. I actually used that for a project once and am planning to use it for a general authentication service for my projects.
This way when the token gets stolen one could even invalidate the session and alert the user. Or just require more authentication as said above, because in Germany for example IPs change every day for most ISPs.
I have implemented a couple of session mechanisms in the past and what I usually do is have two types of tokens, one being the access token, and one being the refresh token.
The access token usually lasts 30-60 minutes before needing to request a new one. But in order to request a new one, you need the refresh token along with very specific data like browser window size, local time, your GPU model (yes, you can get that through canvas APIs in some browsers). After all this information is sent, it is compared to the information the refresh token was initially created with when first logging in, and only when the current browser information matches closely enough with the initial data can we regenerate the access token.
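The two-token scheme described above (refresh token bound to the client signals captured at login), combined with the earlier comment's idea of asking for a second factor when the IP changes, as an added example that is not any commenter's code: a hypothetical in-memory token server. The signal names, the 0.6 match threshold and the `TokenServer` API are assumptions made for the example.

```python
import secrets
import time
from dataclasses import dataclass

ACCESS_TTL = 30 * 60       # access token lifetime: the 30-60 minute window from the thread
MATCH_THRESHOLD = 0.6      # fraction of bound signals that must still match (assumed value)
BOUND_SIGNALS = ("window", "timezone", "gpu")   # compared at refresh; "ip" is handled separately


@dataclass
class RefreshRecord:
    user: str
    signals: dict          # snapshot of client signals captured at login
    revoked: bool = False


class TokenServer:
    """Hypothetical in-memory token server (example code, not the thread's)."""

    def __init__(self):
        self.refresh = {}  # refresh token -> RefreshRecord
        self.access = {}   # access token -> (user, expiry timestamp)
        self.alerts = []   # messages that would be sent to the account owner

    def login(self, user, signals):
        """Password/2FA login has already succeeded; bind the client profile to the refresh token."""
        rt = secrets.token_urlsafe(32)
        self.refresh[rt] = RefreshRecord(user, dict(signals))
        return rt, self._issue_access(user)

    def _issue_access(self, user):
        at = secrets.token_urlsafe(32)
        self.access[at] = (user, time.time() + ACCESS_TTL)
        return at

    def check_access(self, at):
        """Return the user for a live access token, else None."""
        user, expiry = self.access.get(at, (None, 0.0))
        return user if time.time() < expiry else None

    @staticmethod
    def similarity(stored, current):
        """Fraction of bound signals unchanged since login."""
        same = sum(1 for k in BOUND_SIGNALS if stored.get(k) == current.get(k))
        return same / len(BOUND_SIGNALS)

    def refresh_access(self, rt, signals, second_factor_ok=False):
        """Return (access_token or None, status)."""
        rec = self.refresh.get(rt)
        if rec is None or rec.revoked:
            return None, "invalid"
        if self.similarity(rec.signals, signals) < MATCH_THRESHOLD:
            # Too little of the login-time profile survives: treat the refresh
            # token as stolen, end the session and alert the user.
            rec.revoked = True
            self.alerts.append(f"{rec.user}: session revoked, client profile changed")
            return None, "revoked"
        if signals.get("ip") != rec.signals.get("ip") and not second_factor_ok:
            # Dynamic ISP addresses change daily, so an IP change alone only
            # asks for a second factor instead of ending the session.
            return None, "second_factor_required"
        return self._issue_access(rec.user), "ok"
```

As later replies in this thread point out, this is a server-side check only: malware that proxies its requests through the victim's own browser presents the same signals and the same IP.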
That's an interesting idea.
@@hypergraphic It's not a method that's going to resist everything, but it will generally slow the attacker down and will make forging a second access token way harder, since if the necessary data doesn't match then you can invalidate the refresh token.
What it does for sure is introduce way more ground for mistakes on the attacker's side and requires way more preparation.
@@shapelessed yeah, it definitely does not prevent the hack if it is well planned, since if the token can be logged it's likely that the GPU model can be logged as well.
@@qwertyqwerty-jp8pr You can't secure everything since it's client-side information.
If you're already on the client device then there is not much the server can do against it, but if you are not, then that's a completely different story. Cookies aren't only being stolen through malware, in which case the attack becomes way harder. There's not much I can do if somebody gets access to a client device, that's actually slightly not my problem - I can secure things on my side, but the client also has to do its job.
Then a hacker just needs to steal the refresh token to get another access token right? What does having two tokens provide, except that specific data you mentioned, which can be stolen anyway? Genuine question, trying to understand the benefits of that two token method
The clear divide is that changing a channel name is as drastic as changing the password, and in both cases should force a re-auth; same for the stream key and other "this rarely changes, and should be securely updated" stuff.
Please keep on uploading great content, I love how you go in details most of the times when you talk about a subject
As always, great content..!! Hussein, it will be great if you can make a video around how you keep track of current happenings and make videos alongside your busy job. Essentially a video covering your day-to-day activities will be helpful for a lot of people.
IPs change a lot when you are in a corporate environment and working with different VPNs.
I feel like I'm watching some adventure thriller movie when listening to you. Always excited for what will come next, how will the protagonist solve the issue :D
There is still so much to do in terms of security. Both on the OS level (proper isolation between apps) and from service providers like Google (fine-grained role-based permission system and detection of unusual actions like deleting a lot of videos). Every security measure can be useless if the user makes an error, but we can provide guards against simple errors and limit the scope of attacks.
11:35 not just a privacy issue. It simply doesn’t help at all. The attacker can just steal the device ID as well and pretend to be your device anyway
It's still way harder to "pretend" to be another device because of the sheer amount of information that can be bound to your session.
You make one thing harder here, one there, another one over there, and suddenly it turns out to be way more likely the attacker might either run out of time or give up entirely.
@@shapelessed It’s literally just another HTTP header they’d need to fake. "Might slightly inconvenience an attacker" is not a good enough reason to give up all privacy.
@@shapelessed if any JavaScript program can get access to the device ID then the hacker doesn't need to do anything to get the victim's device ID and can just attach it to the HTTP header... No security improvement!
@@FlorianWendelborn agreed. If they knew enough to inject malware to token-log a targeted person, they'd know how to modify the device header info. Implementing a password for certain actions like deleting files is akin to the logic for sudo, so Google should definitely do that ASAP.
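Sudo-style step-up authentication for sensitive channel actions, as an added example that is not any commenter's code: it combines the earlier suggestion that a channel-name or stream-key change should force re-auth, the "password for delete, like sudo" point above, and the earlier wish for detection of unusual actions such as deleting a lot of videos. The `Session` class, the action names, the 5-minute window and the delete limit are assumptions made for the example.

```python
from collections import deque

STEP_UP_WINDOW = 5 * 60        # a password + 2FA check stays valid this long (assumed)
BULK_DELETE_LIMIT = 5          # more deletes than this within BULK_WINDOW locks the session (assumed)
BULK_WINDOW = 60               # seconds
SENSITIVE = {"change_channel_name", "rotate_stream_key", "delete_video", "change_password"}


class Session:
    """Hypothetical server-side session state; `now` is passed in for testability."""

    def __init__(self, user, now):
        self.user = user
        self.last_strong_auth = now   # login itself was a password + 2FA event
        self.locked = False
        self.audit = []               # (time, action, outcome): reviewable, roll-back-able
        self._deletes = deque()       # timestamps of recent deletes

    def step_up(self, now, password_ok, second_factor_ok):
        """sudo-style re-authentication; a stolen cookie alone cannot satisfy it."""
        if self.locked or not (password_ok and second_factor_ok):
            self.audit.append((now, "step_up", "failed"))
            return False
        self.last_strong_auth = now
        self.audit.append((now, "step_up", "ok"))
        return True

    def _fresh(self, now):
        return now - self.last_strong_auth <= STEP_UP_WINDOW

    def perform(self, action, now):
        """Ordinary actions need only the session; sensitive ones need a recent step-up."""
        if self.locked:
            return "locked"
        if action in SENSITIVE and not self._fresh(now):
            self.audit.append((now, action, "reauth_required"))
            return "reauth_required"
        if action == "delete_video":
            # Bulk deletion is the "unusual action" signal: lock the session
            # so the damage stops and the owner can review the audit log.
            self._deletes.append(now)
            while self._deletes and now - self._deletes[0] > BULK_WINDOW:
                self._deletes.popleft()
            if len(self._deletes) > BULK_DELETE_LIMIT:
                self.locked = True
                self.audit.append((now, action, "locked_bulk_delete"))
                return "locked"
        self.audit.append((now, action, "ok"))
        return "ok"
```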
One thing I believe RUclips should implement is something like WordPress does, where channels can give partial access to team members, like one team member can only delete comments and one can only upload a video. In this way the entire channel will not be in someone else's hands. Regarding authentication, YouTube shouldn't allow any team member to do any changes to the channel except the admin. For the admin though, YouTube can implement something like a zero-knowledge proof with/in place of 2FA.
indeed. like AWS IAM
I don't think that IP change detection is a solution there, even for desktop. In some countries, and I know for sure in Italy, some Internet Service Providers do not provide a static IP, but a dynamic one. It means that, let's say, every hour your IP is updated. Imagine all websites doing IP change detection. Every hour you would need to log in again on every site that you're using.
Google should check for trusted devices
Thank you sir, the MD asked me the same question in the final round interview and I answered the same as you.... and what, I got selected 😃✨❤
I think you just missed the part where Linus said that he logged in from the other side of the world. So, he wasn't using a VPN, or if he was, it wasn't set to Canada.
Woo..
Computer Science is so interesting!!
It's not practical to prompt people for password every time your IP changes. Your IP changes more often than you think. The lease time of your public IP depends on the lease time of your ISP's DHCP config. I have seen them being as low as 8 hours.
But RUclips already uses device fingerprinting to generate a unique user ID! Why can't they just use this to log anyone out?
Thank you Hussein for the information. I just want to ask you: if the refresh token gets stored as HTTP-only, will it still be stored in the file you mentioned, /User/xxx/.../Default/...? Are HTTP-only cookies not secure?
Hey Hussein... I think Google already does these protections... I get a prompt when I log in from a new device asking if it was me... I believe there might be a setting for it and that employee wouldn't have accepted it... At least he or she should have got a notification stating a new device logged in.
I do not think Google invalidates tokens all that much for changing locations too frequently. I use a VPN most of the time and keep hopping my IP location. Never once was I asked to log in again for Google services.
Encrypting the cookie store with device-managed hardware is the best option: every time I open Chrome, ask for a fingerprint and decrypt the data. The attacker shouldn't be able to decrypt the cookie store at any given moment + when decrypted, store it in RAM with obfuscation to ensure no process can access that data.
Apple changes my pseudo IP address all the time, I don't think that Google can depend on this anymore.
Can you create a video on Elasticsearch internal architecture and why it is fast at search? I like your videos. Keep going.
Good video. I wish there was a browser api that accesses a secure hardware module on the user's computer, but someone's gonna find an exploit for that. I think you are right that we just have to prompt for password and reauthenticate, when there are critical actions for a user to take.
Sadly, once you get on the client device you're generally all-powerful. You might need an escalation exploit to get admin rights but other than that it's game over.
your description wrote Linus as Linux btw
Linus doesn't know how Linux works unfortunately lmao. Dude's a GAyMer!!
The video looks normal at 1.75X speed.
Don't the ad corporations track the devices already? A couple of years back I remember reading somewhere that there is some specific image that the browser renders, which each GPU will generate in a unique way, and you can track the machine without really getting any personal details.
In some countries the IP address of the router changes every time the router is restarted
Allowing users to choose a higher security measure like logging out whenever the IP changes should definitely be an option.
I think JavaScript doesn't need access to anything. The OS can just detect that an application of type Web Browser is opened and pass it a humongous hash value which can be associated with the cookie. This way you can't just "unhash" the value and read what people are actually using, not even the browser can, but Google or the respective endpoint can simply invalidate the session if the strings don't match. But then there's other problems that come with that so I'm not sure. Actually, come to think of it, this is where law enforcement could be useful. Just a simple law that states these types of hashes are only allowed for security reasons and can not be used for tracking users. How effective such a law would be, I don't know. But I guess that's better than having nothing at all.
The whole thing is wrong. There should be like a CI/CD environment option for these big platforms (YouTube etc.) with multiple stages of approval and review. You should be able to see audit logs for every title change, comment deletion, video upload and approve or roll them back. I am banging my head about this because I have to deal with people sharing the login details to these big important accounts and logging in on whatever random machine they feel like. You are giving the keys to the kingdom to every intern who needs to reply with a smiley face to nice comments. Insanity... my idea might be to just give people VDI access to a machine which is logged in and just tightly control access to that machine. At least with Sysmon or something you could detect an application reading the cookie file or talking to a C2 server.
Maybe we can do anomaly detection on device ID, IP address, request timing patterns, have some threshold for anomaly to invalidate the token and ask for re-authentication. The trick would be to figure out a balance between user experience and anomaly threshold; we can use a zero-knowledge proof mechanism to verify device ID and IP address to overcome privacy concerns.
"If the IP address changes prompt me for a password". What makes you assume the malware used in this case doesn't have "reverse proxy functionality" allowing the hacker to use the victim's same IP address?
Just received a message from Facebook saying "here is your confirmation code"? What confirmation code O.O I haven't used FB for ages.
Wouldn't an anti-virus prevent the executable from running since it was an executable disguised as a PDF?
Hey Hussein, device identification is used everywhere nowadays. We use JS to collect environment signals and create a device fingerprint (browser, addons, IP, geo etc..).
You talk too slow, leaving without hearing your explanation, a 2-minute video made into 13+ mins.
Awesome video. BTW you can fake the MAC address as well (MAC spoofing)
At Adobe all desktop apps tokens are tied to device specifically, but since I mentioned web apps then this device id can be simulated by something like a browser fingerprint.
We must open files we receive over the internet. That's the fact. I would love to hear about how to open a file from an unconfirmed source securely. Keep up with creating great content 👍
Open it in a virtual machine, I guess?
First off, make sure file extensions are not hidden. The victim would have seen it was [filename].pdf.scr in this case. If it's an executable or a PDF, probably skip it. You could run it sandboxed in a VM or something like Windows Sandbox though.
Why doesn't YouTube use the strategy recommended by Auth0?
Session cookies are not tokens!?
IP won't change drastically from a home network, but it will change at an organisation level. For instance, the McAfee cloud proxy used in organisations changes very frequently.
What about when you add SSL certificate authentication? Can in theory Chrome request the cert as the Chrome user and the session token only be decoded with the part that Google has for that account?
Refresh tokens are probably not stored as cookies but in the local storage
Hi Hussein, great content like usual. I have a question. Could this hijacking technique succeed on macOS?
Hello!
If the malware can intercept the requests to RUclips, then that’s it
12:20 I do not agree with you!
No security increase even if RUclips implements IP change reauthorization.
Explanation: if the hacker is able to get a session token by running as the user process, he will bypass this security by using the same process as a proxy for communicating with RUclips, hence no IP change in this case.
Exactly what I'm thinking, you can keep switching between VPN IPs and the same sessions retained for almost every website, and specifically I never had to re-login into Google services when I switch VPN locations
The question is: would the "clicked on a file and ran malware by accident" still be possible if you are on Linux, macOS, or BSD?
Probably not, as this attack relied on a file that was disguised as a .pdf but was actually a .scr executable. The real file extension was hidden. This kind of masquerading could also happen on a Mac (which also has file extensions hidden by default). It's an annoying security flaw of both. Linux and BSD do not have file extensions.
Thanks for sharing your knowledge I love your channel
cookie? lemme see if so 😂
oh yeah that was it lol. Guys and girls……. Cookie stealing has been a thing for ages. Take it seriously!
No one should have had admin rights except Linus, just dumb.
I was waiting for it!!!
Where is the reference to "hide extension of exe program" 🙄
I got some one thanks
This one is going to be good.
Ramadan Kareem
Great content as usual !
Most ISPs don't offer a static IP, they use a shared IP that changes every day or two. And most users don't have a fingerprint scanner on their PC. In fact many people I know don't know their passwords. Such proposed changes will benefit only a minority.
Basically, Linus' Gamer ""Tech Tips"" learned the hard way that VPNs won't save you, no matter how hard you advertise them for security just to make a quick buck off these subscription surveillance VPN rip-offs.
100th view 🎉
🏆
Thanks for such awesome explanation to what happened