Skip to main content

Apparently, Linus of Linus Tech Tips, a YouTube channel known for … uh tech tips … didn’t read my blog post on session cookie stealing attacks. Or maybe they read it, and I wasn’t clear enough. Whatever.

The point of this post is to explain how even the best can be vulnerable. So, grab some popcorn, and let’s dive in and learn life lessons from Linus.

Act 1: A Cunning Cyber Trap

An unsuspecting Linus Tech Tips team member opened an email containing malware craftily disguised as a mouth-watering sponsorship offer. This sneaky little program wasted no time, swiping session tokens from the victim’s browsers (Chrome and Edge) which gave attackers some of the keys to Linus’s kingdom. And what did they do with their newfound power? What anyone would do: stream fake Elon Musk crypto scam videos and delete channel content, of course!

Act 2: Linus vs. The Hackers

At 3 AM Linus and his team embarked on a naked race (seriously, watch the evidence–but only after you finish reading this post) to contain the attack.

The team hadn’t prepared a disaster response plan. So the team had to make stuff up as they went along. Of course, you’ve got a plan in place, right? If not, subscribe, like, and follow us on LinkedIn and I promise I’ll explain how..

Linus, bless his heart, focused on password security and two-factor authentication. That’s usually the right move, but in this case, the attackers had waltzed in through the session token (or session cookie) their malware stole.

Google’s tools, ever the trusty sidekicks, glitched and timed out, adding to the team’s mounting frustrations.

The cold weather in Linus’s room shrink Linus’s patience and, uh, ego.

Act 3: The Cavalry Arrived

When all seemed lost, Google’s Partner support swooped in, identifying the compromised account and banned it, restoring order and videos to their Tech Tips realm.

The Moral of the Story

What wisdom can we extract from this tale?

Have a plan: Know your services, who has the keys to them, and how to snatch those keys back when needed.

Arm yourself with the right tools: Powerful weapons like Google Apps Manager (GAM) can help automate Google Workplace processes to speed things up if you’re comfortable with the command-line and maybe some scripts. Not for everyone. Still, they are not enough as they do not cover other services which are vulnerable to this attack, so having a plan for how to kill sessions on all critical services is critical.

Keep it simple: If you’re looking for a user-friendly ally, consider YeshID, designed to help you manage your security without breaking a sweat.

Find out who added the strawberry to the video.

A word from our sponsor

YeshID is a next-generation identity and access management solution. The tool is dead simple to use and smart enough to help create a disaster plan, identify and control who has access to what, and mitigate threats with one click. It’s designed to be delightful to use, created with CEOs, founders, and others in mind who wake up to a disaster and wonder why they are still the super admin.

Serious moment: Session Token Theft – Don’t Get Infected

Protecting against session token theft is incredibly hard. You can learn more about this attack in my previous post here, but let me summarize it for you: a session token cookie is a way to authenticate you without you needing to type in your password (or give your finger) on Every. Single. Action. Think of them as temporary passwords your browser enters for you on every action. These cookies live in your browser storage and are carefully protected. Unless they are stolen via malware, as in this case. Stealing a session token allows the bad actor to authenticate as you without any friction (password, finger, face…)

There is currently no perfect solution to detect and prevent this attack because each website does it differently. If you are on Google Workspace to Enterprise edition, I recommend reducing session duration to something that won’t annoy users too much.

Don’t forget other services (if they support it), e.g., Manage session duration | Slack. Sorry, Kris.

You can go further and enable Context-Aware Access, and configure it only to allow access from specific trusted devices, but it only covers very specific Google apps, and that doesn’t help Linus as it does not cover YouTube, or third-party services. Or, if you bought GitHub Enterprise and did a SAML integration for that extra Enteprirse-level security, you won’t benefit from Context-Aware Access because that’s not covered:

I am optimistic that the future will be better than today. OIDC (OpenID Connect) – the technology most commonly used for SSO these days – has recently approved the specifications for enabling better session management across different websites and apps with Final: OpenID Connect Session Management 1.0, and support for forcing a logout with Final: OpenID Connect Back-Channel Logout 1.0, but adoption will take some time. Until then: Avoid malware.

In Conclusion:

The Linus Tech Tips hack was a rollercoaster of emotions, but we’ve emerged from it wiser and more prepared for the twists and turns of the digital security world. So let’s raise a toast to learning from other people’s misfortunes and staying safe out there, folks!