Recently, many YouTube accounts (and not only YouTube accounts) have been hacked. Nowadays, many people are aware of two-factor authentication (2-FA). Surely a high-profile YouTuber would have enabled 2-FA. So how do they get hacked?
In this article, we will see how hackers do this very easily. At the end, I will attach a video in which I use a simple tool to demonstrate this attack in an ethical way.
What does a hacker do to get around 2-FA?
They use many techniques, but the most successful way to take over an account is to approach YouTubers with brand promotions and similar offers.
For example, they send so-called “software”, such as video editing or productivity software, for review. They also claim to pay for the review.
YouTubers also receive tons of real promotional offers, and the attackers make theirs look legitimate. So the YouTubers download the software sent for review.
Here comes the main part. The software contains malware specially crafted to evade antivirus software (in case they have one). But a simple process takes place in the background.
All it does is get hold of the cookies stored in the browser. With those cookies, they don’t need your email ID, password, or 2-FA code. Sounds creepy? Let us see more about cookies and their functions.
What is a Cookie?
Cookies are small blocks of data created by a web server while a user is browsing a website and placed on the user’s computer by the user’s web browser. Cookies are placed on the device used to access a website, and more than one cookie may be placed on a user’s device during a session.
Cookies hold various data, from your shopping cart contents to your encrypted authentication token for a website. They are created so that a site can remember users when they visit again.
In short, they are used to track your web activity around the internet. Cookies are also used by analytics software to profile users and target ads; for example, you may get ads related to your browsing history.
The authorization token is a mix of lowercase and uppercase letters, numbers, and in some cases even symbols.
Now let’s see how these work.
Session Hijacking, aka Cookie Hijacking
When you log in, the server validates the credentials and creates a session. It then sends a code, aka the authorization token, to the browser, which stores it as a cookie on the computer.
Cookies do have an expiration time, ranging from 1 second to 1 year or even more. The time is counted from the user’s actual login time.
So, the hackers target the cookies saved by the browser. These can easily be obtained by writing some scripts. You can even see the cookies yourself by clicking the lock icon in the URL bar.
You can even edit them in a click using some extensions.
Hackers take those cookies and use them in their own browser to get access to your account. This process is called Session Hijacking, aka Cookie Hijacking.
Now let’s dive into the ethical demonstration of getting and using those cookies to log in.
What exactly does the hacker do to log into the account?
In this video, I have demonstrated the attack in a simple way. I have installed Brave and Chrome and opened them side by side. The two browsers store cookies in different places, so we can demonstrate this on the same device.
I am logging in to YouTube only in Brave, not in Chrome. It is a YouTube account with 2-FA enabled. I have refreshed both browser tabs after logging in to show you that I am not logged in on Chrome.
I am just using a cookie editor extension to copy the cookies stored in Brave. I just import the copied cookies and refresh the page.
You can see I am logged in to YouTube on Chrome without any credentials: no email ID, no password, no 2-FA PIN.
For the video, I used the same device. The same process also works across different devices.
For a simple demonstration, I used Cookie Editor. Hackers use coded malware to automate this process remotely by accessing the browser files. They do it in a completely different way.
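On the server side, the replay shown in the demonstration appears as one session token arriving from a second client. The following is an added example, not code from the original article or from YouTube: a minimal Python check that binds each session token to the client that first presented it and revokes the token when a different client presents it. The `SessionMonitor` class, the fingerprint choice (IP address plus User-Agent), and the sample requests are assumptions constructed for illustration.

```python
import hashlib
from dataclasses import dataclass, field

# Constructed sample requests: (session_token, client_ip, user_agent).
# Tokens, documentation-range IPs and user-agent strings are made up.
SAMPLE_REQUESTS = [
    ("tok-A1", "198.51.100.7", "ExampleBrowser/1.0 (Windows)"),
    ("tok-A1", "198.51.100.7", "ExampleBrowser/1.0 (Windows)"),
    ("tok-B2", "203.0.113.20", "OtherBrowser/5.2 (Linux)"),
    ("tok-A1", "192.0.2.55", "OtherBrowser/5.2 (Linux)"),  # replayed cookie
]


def fingerprint(ip: str, user_agent: str) -> str:
    """Coarse client fingerprint (an assumption): hash of IP and User-Agent."""
    return hashlib.sha256(f"{ip}|{user_agent}".encode()).hexdigest()[:16]


@dataclass
class SessionMonitor:
    # token -> fingerprint recorded when the session was first seen
    bound: dict = field(default_factory=dict)
    revoked: set = field(default_factory=set)

    def check(self, token: str, ip: str, user_agent: str) -> str:
        """Return 'ok', 'hijack-suspected' or 'revoked' for one request."""
        if token in self.revoked:
            return "revoked"
        fp = fingerprint(ip, user_agent)
        first = self.bound.setdefault(token, fp)
        if fp != first:
            # Same token, different client: revoke so a fresh login is needed.
            self.revoked.add(token)
            return "hijack-suspected"
        return "ok"


def replay_verdicts(requests):
    """Run a fresh monitor over a request list and return one verdict each."""
    monitor = SessionMonitor()
    return [monitor.check(*r) for r in requests]


if __name__ == "__main__":
    for req, verdict in zip(SAMPLE_REQUESTS, replay_verdicts(SAMPLE_REQUESTS)):
        print(verdict, req)
```

A fingerprint this coarse misses a replay from the same IP address and browser build and can flag legitimate network changes, so a mismatch is best treated as a trigger for re-authentication rather than proof of theft.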
Now let’s see how we could prevent this attack.
How could we prevent this?
A reputable antivirus could stop most of this, like 99.99%. Some antivirus products use AI to detect malware whose signatures are not in their database.
These attacks can easily happen if no antivirus solution is installed on the computer. Most people don’t use a reputable AV, and this results in an increase in these attacks.
I recommend that you install a reputable paid antivirus solution on your computer. If you are using Windows, then you surely must have one. Compared to macOS and Linux, Windows is heavily targeted, as it is used by the majority of people.
One more trick that I use could also be followed: in Chrome, open Settings > Privacy and Security > Site Settings > Cookies and Site Data > Turn on “Clear cookies and site data when you close all windows”.