Linus Tech Tips Got Hacked: Understanding How The Attack Took Place
Image Credit: Linus Tech Tips
At the time of this writing, Linus Tech Tips got hacked a little over 24 hours ago. For those of you who don't know, Linus Tech Tips is an immensely popular YouTube channel with 15.3 million subscribers.
In the wee hours of Friday morning his channel was hacked and started live-streaming a recording of Elon Musk talking about crypto. The video description contained a link to a crypto scam that would steal your money. For hours it was a back-and-forth between him and the hackers, who started deleting his videos. How did this happen, though? He is an IT guy; surely he knows how to lock down his systems.
Well, this attack isn't new, but it is definitely a unique one. To get into the channel, the attackers sent a phishing email. This wasn't the stereotypical phishing email with bad grammar, poor syntax, a sketchy sender address, and a request to provide credentials. It was a legitimate-looking email from a prospective sponsor. One of Linus's team members opened the PDF attached to that email. That PDF turned out to be the silver bullet: it was malware that harvested information from that system, namely the session tokens.
Before we dive deeper into how this works, we need to understand what a session token is. Oracle gives a helpful summary of how this whole process works, so I am going to give the stage to them real quick:
The Session Service also generates a session token for the new session data structure. The session token, also known as a sessionID, is an encrypted, unique string that identifies the specific session instance. If the session token is known to a protected resource such as an application, the application can access the session and all user information contained in it. In Access Manager, a session token is carried in a cookie. A cookie is an information packet generated by a web server and passed to a web browser. The fact that a web server generates a cookie for a user does not guarantee that the user is allowed access to protected resources. The cookie simply points to user information in a data store from which an access decision can be derived.
With that helpful summary out of the way, let us return to the hack. The downloaded malware proceeded to steal information from that computer, particularly the session tokens, and sent it back to the attacker. Using those session tokens, the attacker was able to create a clone of the browser session in which Linus's YouTube channel was logged in. Since a valid session token is exactly what the server accepts as proof of an existing login, the attacker was able to control LTT despite Linus's repeated attempts to boot the attacker out. The attack was stopped only after YouTube banned the account for violating YouTube's terms of service.
Linus had a number of criticisms for YouTube, namely that there wasn't any form of verification to confirm the mass deletion of videos. Don't worry, though: all the videos were stored in YouTube's backup, so he was able to recover everything on his channel. Hopefully all's well that ends well.
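To make the two points above concrete (a replayed cookie is accepted as a login, and a mass delete went through with no extra verification), here is an added example of my own, not code from YouTube or from the original post, showing how a server-side session service can bind a token to the client that presented credentials, revoke it when it is replayed from elsewhere, and demand a fresh credential check before a destructive action. The in-memory store, the user names, addresses and time values are all constructed for illustration.

```python
from __future__ import annotations
import hashlib
import hmac
import secrets

# Constructed in-memory session store standing in for a server-side session service.
SESSIONS: dict[str, dict] = {}
SESSION_LIFETIME = 3600   # seconds a token stays valid after the last credential check
STEP_UP_MAX_AGE = 300     # destructive actions need credentials presented within this window


def fingerprint(user_agent: str, ip: str) -> str:
    """Hash of the client attributes the session is bound to at login.
    A stealer that clones the browser reproduces the user agent, so the IP is what
    usually differs; binding to it breaks for users whose address changes (mobile)."""
    return hashlib.sha256(f"{user_agent}|{ip}".encode()).hexdigest()


def login(user: str, user_agent: str, ip: str, now: float) -> str:
    """Issue a fresh random session token bound to the client that presented credentials."""
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = {"user": user, "fp": fingerprint(user_agent, ip), "auth_at": now}
    return token


def validate(token: str, user_agent: str, ip: str, now: float) -> tuple[str | None, str]:
    """Return (user, reason). A token replayed from a different client is revoked outright."""
    s = SESSIONS.get(token)
    if s is None:
        return None, "unknown token"
    if now - s["auth_at"] > SESSION_LIFETIME:
        SESSIONS.pop(token)
        return None, "expired"
    if not hmac.compare_digest(s["fp"], fingerprint(user_agent, ip)):
        SESSIONS.pop(token)  # the stolen cookie is now useless to the thief as well
        return None, "client mismatch; session revoked"
    return s["user"], "ok"


def destructive_action(token: str, user_agent: str, ip: str, now: float,
                       reauth_ok: bool) -> tuple[bool, str]:
    """Gate a mass delete behind step-up authentication: a valid cookie alone is not enough."""
    user, reason = validate(token, user_agent, ip, now)
    if user is None:
        return False, reason
    s = SESSIONS[token]
    if now - s["auth_at"] > STEP_UP_MAX_AGE:
        if not reauth_ok:
            return False, "step-up authentication required"
        s["auth_at"] = now  # password or second factor was just re-presented
    return True, "ok"
```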
This attack is a bit of a unique one since it used session tokens for access rather than more traditional methods such as password brute forcing. It highlights the importance of deleting cookies and browser history periodically. Clearing your browser cache every now and then will help reduce the likelihood of suffering this form of attack. Better yet, never download anything sketchy and you will be fine. 😁