Security

Linus Tech Tips' YouTube Channel Was Hacked (overclock3d.net) 59

New submitter Kitkoan writes: Hackers had gained control of Linus Tech Tips' YouTube channel to promote a cryptocurrency scam. Earlier on Thursday, hackers had gained control of the Linus Tech Tips YouTube channel and used it to promote a fake crypto giveaway that falsely used the name of Elon Musk and the Tesla brand (obviously without the permission of either party). Thankfully, the Linus Tech Tips crew quickly worked to re-establish control of the channel, but not before the channel had started two live streams to promote AI, ChatGPT, Bitcoin, and their aforementioned (fake) crypto giveaway.
  • "...but not before the channel had started two live streams to promote AI, ChatGPT, Bitcoin, and their aforementioned (fake) crypto giveaway."

    Uh, don't they have like millions of YT followers? (not that I could confirm, finding the channel is a bit difficult right now.)

    So much for relying on your fan base to you know, maybe give you a heads-up before multiple live streams kick off that appear quite out of the ordinary...

    • For every fan, there's probably 100 visitors stumbling on it for a review of some product they want.
    • Re: Uh, fans? (Score:5, Informative)

      by AutoTrix ( 8918325 ) on Thursday March 23, 2023 @04:08PM (#63394055)
      Fans were spending their own money to keep the live chat full of comments about how it was a scam to prevent people from falling victim
      • Fans were spending their own money to keep the live chat full of comments about how it was a scam to prevent people from falling victim

        Weird how no one could find an email address or contact info for the channel owner for a more direct approach.

        Also seems like YT is more concerned about being MAFIAA's bodyguard and serving copyright takedown notices rather than having a mechanism in place to report what would appear to be an obvious scam and takeover of a well-known channel.

        Hope the AAR results in some kind of better controls other than "keep the live chat full of comments".

        • by Kokuyo ( 549451 )

          Wow, it's crazy how there's always someone who would have solved a crisis so much better and faster.

          • Wow, it's crazy how there's always someone who would have solved a crisis so much better and faster.

            Point to where the comment hurt you, or wouldn't help prevent the problem next time.

            Common F. Sense will wait.

        • by laxguy ( 1179231 )

          yeah I'm sure the channel owner is going to stop the live stream to check their email periodically and hopefully find the message that says their live stream audio was out... yeah that's totally better than a LIVE CHAT mentioning it to the person LIVE with specific notifications available to make it VERY OBVIOUS that is happening CURRENTLY

          • yeah I'm sure the channel owner is going to stop the live stream to check their email periodically and hopefully find the message that says their live stream audio was out... yeah that's totally better than a LIVE CHAT mentioning it to the person LIVE with specific notifications available to make it VERY OBVIOUS that is happening CURRENTLY

            YouTube itself was not taken over, so again my comment stands. So much for a "If you see something, say something" policy of reporting.

            Sorry, but when it becomes that obvious that a takeover is happening (as in multiple live streams), then YouTube itself should have the equivalent of a "911" type of reporting via multiple methods.

            The current "solution" smacks of kids standing around filming someone being assaulted instead of actually trying to help the victim and teach others how to DO MORE next time to c

  • I thought it was pretty flashy, but not that good. Putting it in the same basket with the crypto-scam is a bit surprising though.

  • I've seen this happen to several channels I've followed. Usually it starts with them being tricked into installing malicious software by targeted phishing or using Google Ads to trick people into downloading modified versions of popular software. Once the software is installed, the hackers have remote access and will eventually gain access to their accounts, usually starting with Gmail. They use their YouTube access to trick people to purchase crypto or who knows what because Elon Musk is saying you will get d
  • Cookie Hijacking? (Score:5, Interesting)

    by organgtool ( 966989 ) on Thursday March 23, 2023 @04:18PM (#63394103)
    I have no idea who "ThioJoe" is, but he claims on his Twitter feed [twitter.com] that the attack vector was cookie hijacking.

    If that's the case, not even MFA can prevent the attack. Regardless of whether or not this was the attack vector, does anyone know of any protections that users and/or web site admins/developers can do to protect against cookie hijacking?
    • Err, don't get your computer controlled by malicious software?

      • I believe there are other ways of hijacking cookies than malware installed on your device. According to the Wikipedia page for Firesheep [wikipedia.org], cookies from other devices on the same WiFi network can be hijacked. However, the page is short on details. Is it only unencrypted WiFi? Would WPA3's Wi-Fi Device Provisioning Protocol prevent that attack vector? Could secure cookies provide safety from cookie hijacking on WiFi devices that don't support WPA3?

        Once an organization becomes large enough, infections b
      • Err, don't get your computer controlled by malicious software?

        (Me) *Don't ask it man...just don......dammit, I can't help myself*

        Was he running...Linux?

    • A popular Chrome extension called "get cookies.txt" recently turned full malware, sending identifying header information and all your cookies to some third party site. Most users of the extension were using it for tube downloader clients (the most popular OSS version even linked to the extension on its GitHub, since until recently the extension was safe and useful).

      If TFA was actually recent and not from two years ago, I'd say that it probably stemmed from that - but it's a two year old incident, so who eff

      • A popular Chrome extension called "get cookies.txt" recently turned full malware...

        Written like the t-virus finally made its way to the brain and went full Resident Evil.

        The hell causes that? Supply chain hack in the formerly benign code or what?

    • does anyone know of any protections that users and/or web site admins/developers can do to protect against cookie hijacking?

      Nope, but I do know one that browser developers could use on Android, at least: Token binding using the hardware-backed keystore. Token binding couples an asymmetric key pair with the cookie, and requires a challenge/response authentication, with the client using the private key to sign the server's challenge (can also just use the key pair for mTLS). If the key pair is in the hardware-backed keystore it is bound to the device and barring a pretty deep exploit (deeper than the kernel), the private key canno
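The challenge/response idea in the comment above, as an added example that is not part of the original thread: a simplified sketch of a key-bound session cookie, not the Token Binding protocol itself. The function names are hypothetical, and an in-memory Ed25519 key stands in for a hardware-backed keystore.

```javascript
const crypto = require('node:crypto');

const sessions = new Map(); // session id -> { publicKey, challenge }

// Login: the server stores the client's public key next to the session it issues.
function login(clientPublicKeyPem) {
  const sessionId = crypto.randomBytes(16).toString('hex');
  sessions.set(sessionId, { publicKey: clientPublicKeyPem, challenge: null });
  return sessionId; // value of the session cookie
}

// Before acting on a request the server hands out a fresh, single-use challenge.
function issueChallenge(sessionId) {
  const s = sessions.get(sessionId);
  if (!s) return null;
  s.challenge = crypto.randomBytes(32);
  return s.challenge;
}

// The cookie is honoured only with a valid signature over the outstanding challenge.
function authorize(sessionId, signature) {
  const s = sessions.get(sessionId);
  if (!s || !s.challenge || !Buffer.isBuffer(signature)) return false;
  const challenge = s.challenge;
  s.challenge = null; // consume it so a captured signature cannot be reused
  return crypto.verify(null, challenge, s.publicKey, signature);
}

// Client: the private key never leaves this object (stand-in for a hardware keystore).
function makeClient() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');
  return {
    publicKeyPem: publicKey.export({ type: 'spki', format: 'pem' }),
    sign: (challenge) => crypto.sign(null, challenge, privateKey),
  };
}

function demo() {
  const owner = makeClient();
  const cookie = login(owner.publicKeyPem);
  const ownerOk = authorize(cookie, owner.sign(issueChallenge(cookie)));
  // A different device that holds the same cookie value but not the private key.
  const other = makeClient();
  const copiedCookieOk = authorize(cookie, other.sign(issueChallenge(cookie)));
  // A signature presented when no challenge is outstanding.
  const staleOk = authorize(cookie, owner.sign(Buffer.alloc(32)));
  return { ownerOk, copiedCookieOk, staleOk };
}
```

The cookie value alone is no longer sufficient: `demo()` accepts the key holder and rejects both the second device and the signature that answers no outstanding challenge.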

    • 1: Your daily driver should not be trusted with critical accounts, it is the most likely system you use to get infected
      2: Only access critical accounts from a "closed" system
      2a: No remote access potential (ssh, IPMI, VNC, RDP, etc) and no services/open ports.
      2b: Minimize hardware use, no USB, no bluetooth, no wifi if you're on ethernet.
      3: Minimize use of the high security system - it is only used to access your critical infrastructure/accounts. It does not get random software installed. It does no
    • On the server side. You have to do something like lock cookie sessions to IPs. This is problematic on systems that frequently change IPs like on mobile networks, so it is not generally done. But it probably should be an option on high security accounts.
    • Cookie compromised!

      https://www.reddit.com/r/itsau... [reddit.com]

  • by NewtonsLaw ( 409638 ) on Thursday March 23, 2023 @04:41PM (#63394211)

    Why doesn't YT require users to re-authenticate whenever their IP number associated with a session changes?

    This would effectively circumvent the session-cookie vulnerability (thanks to 2FA) and although it might be a little inconvenient for those who are jumping around using different networks, that would be a small price to pay for patching this gaping hole in security!

    • Prolly cost money.
    • by Jezral ( 449476 )

      ...it might be a little inconvenient for those who are jumping around using different networks...

      Such as everyone working via 5G or everyone behind ISP NAT. If we were on IPv6 then this would work, but with IPv4 the IP is sadly not guaranteed to remain stable. Tying credentials to the IP would be a massive inconvenience for a lot of people - many more than you think.

      This has been true since the dialup days, and only IPv6 has a chance of fixing it.

    • by youn ( 1516637 )

      There are not enough details on the actual attack but assuming one device is compromised on that network (router, IoT...), they could be used as a proxy and provide the same IP address.

      With that said, YouTube likely does something like that where they try to find patterns like that but it's tricky because IP addresses change/ people move from network to network. Also they likely have multiple servers and it may take time to propagate information like that so it could be a tradeoff for performance.

      so, it may no
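The server-side idea from this thread and from the earlier comment about locking cookie sessions to IPs, as an added example that is not part of the original discussion. All names and the /24 tolerance are assumptions: high-security accounts get an exact-address check, other accounts tolerate movement inside the same IPv4 /24, and a mismatch forces re-authentication instead of honouring the cookie. Addresses are constructed from documentation ranges.

```javascript
const sessions = new Map(); // cookie value -> { user, boundIp, strict }

// Comparison key: strict = full address, relaxed = IPv4 /24.
// IPv6 and anything unparsable are compared as full strings (simplification).
function networkKey(ip, strict) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(ip);
  if (strict || !m) return ip.toLowerCase();
  return `${m[1]}.${m[2]}.${m[3]}.0/24`;
}

// Called after a full login (password plus second factor).
function createSession(cookie, user, ip, strict) {
  sessions.set(cookie, { user, boundIp: ip, strict });
}

// Called on every request. Returns 'allow', 'reauth' or 'deny'.
function checkRequest(cookie, ip) {
  const s = sessions.get(cookie);
  if (!s) return 'deny';
  if (networkKey(ip, s.strict) !== networkKey(s.boundIp, s.strict)) {
    return 'reauth'; // cookie alone is not enough from this network
  }
  return 'allow';
}

// After the user passes re-authentication, rebind the session to the new address.
function completeReauth(cookie, ip, secondFactorOk) {
  const s = sessions.get(cookie);
  if (!s || !secondFactorOk) return false;
  s.boundIp = ip;
  return true;
}

function demo() {
  createSession('c1', 'creator', '203.0.113.10', false); // relaxed account
  createSession('c2', 'owner', '203.0.113.10', true);    // high-security account
  return {
    sameIp: checkRequest('c1', '203.0.113.10'),
    sameSubnetRelaxed: checkRequest('c1', '203.0.113.77'),
    sameSubnetStrict: checkRequest('c2', '203.0.113.77'),
    otherNetwork: checkRequest('c1', '198.51.100.5'),
    failedSecondFactor: completeReauth('c1', '198.51.100.5', false),
    rebound: completeReauth('c1', '198.51.100.5', true) && checkRequest('c1', '198.51.100.5'),
    unknownCookie: checkRequest('nope', '203.0.113.10'),
  };
}
```

As the replies point out, this check cannot tell apart two clients behind the same address, and it prompts users whose address changes legitimately.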

  • Woke up this morning, Breakfast, shower, check YT and LTT's entire freaking catalogue is up in the screen, drowning EVERYTHING out.

    Got my first call of the day, came back and refreshed. All gone.

  • Linus not finding any way to directly contact anyone at Google.

  • APK could have saved Linus if he would have just shared his divine hosts file gospel.

    Sadly Lord APK has been missing so yet another youtuber has had to fall victim. ;-(

  • I saw a couple of videos from Tesla in my feed. I thought it was Google being scummy inserting ads in the new videos from subscribed channels list. It was just Linus being negligent, but not outside the realm of possibility for Google.
