15,000 influencer accounts hijacked
Surely that's a positive outcome?
After years of complaints from YouTubers, Google has pinpointed the root cause of a series of account hijackings: software sponsorship deals that delivered malware. Google forums have for years witnessed pleas for help to regain control of stolen YouTube accounts, despite the owners using multi-factor authentication. Impacted …
LOL. But oh, look!, systems that included everything from email, to encryption, to 2FA, compromised!! Who could have possibly BELIEVED this was possible, considering how "secure" we can make [anything we want to on] the web!!
(referencing other discussion regarding email "security")
Greedy parasites attacked by greedy parasites. Yes, how my heart bleeds for the poor ickle wickle vacuous so-called "influencers".
I guess this should teach them to beware of sleekit people loudly pushing messages that any sensible person would see through as probably being too good to be true. How sad, hoist by their own petard.
To me, popular YouTuber-Accounts are like good old magazines.
You're interested in StarWars, watch my StarWars-Channel.
You're interested in general politics, hear me ramble.
So, if any of this more or less topic-specific channel starts to tout something completely unrelated, i.e. Crapto, why would I fall for it?
I mean, that's the equivalent of a machine gun company starting to advertise in Mom&Prams Weekly.
"Why is Github allowing this? I appreciate it's probably whack-a-mole, but are they even trying to not host this stuff?"
Think of it from an InfoSec perspective; if everyone can see the source code for the malware it opens up development opportunities for more people to be able to defend themselves (and others) from said malware. Security through obscurity means less people have eyes on the action.
There is an argument that shielding the masses from this information offers greater protection, but the counter argument is that having more "open" channels of analysis means that threat response times can be quicker when, not if, these attacks take place.
My favorite violinist Antal Zalai lost his channel and all of his videos to crypto scammers recently. I'm pretty sure no fake sponsorships were involved, just a regular phishing or cracking attack. When I searched backwards from the crypto peddlers' business names I found thousands of mid sized channels on the same boat. WTF YouTube?
I guess your violinist doesnt generate enough ad revenue for Google for them to consider them an "influencer" and someone "worthy" of protection/getting their account back.
As for going after the crypto peddlers, Google doesnt go after them until they've ammassed a large enough amount of money, so that Google can then decide they were bad'uns and kick them out, and simply pocket the ad revenue rather than paying out.
Or at least that the only explanation I can come up with, since it should be trivial to do a simple reverse search of whatever crap is being spewed from a compromised/stolen account, and ban all of it. But then maybe that's just too difficult for Google's super duper amazing algorithms...
I guess your violinist doesnt generate enough ad revenue
That's a bit simplistic view. Google is in control of what ads and when are showing, so it might as well be that they just don't like violinists (although I am not following what are the latest trends are in terms of who gets cancelled and if violins are still politically correct) and they don't show enough ads.
YT doesn't actually care. Income is income, whether from ads on legit channels or hijacked channels.
Google will only really sit up and take notice when enough people jump ship because of these problems. It'd have to be enough users to seriously dent YT revenue, so short of a huge awareness campaign and mass exodus, it seems likely things will stay the same.
The thing more likely to make people jump ship is the recent trend on YT to show more and more ads, not only before, but in the middle of videos, and to try and tout their ad-free paid-for version.
Along with a group of friends, since the beginning of the pandemic, we have been regularly watching bad films together on YT (there are a lot of films that are either too bad to bother with copyright, or which are out of copyright on there), using discord to chat along. It has become more and more frustrating to keep everyone in synch with the number of ads that YT is now spouting. Some films are worse than others for this.
In the modern world it seems people want to be protected from being idiots. What's worrying is that they are supported in this.
It looks like these people got phished by an offer that was too good to be true. Or to put it another way they let their greed trump their common sense (if they had any in the first place).
Once upon a time if somebody got scammed with the pig in a poke (which is exactly what these scams are) they were told "more fool you" and that was pretty much that. These days apparently the likes of Google are supposed to protect them against their own idiocy.
That's how just cookie based auth works. You authenticate (with 2FA) and then a signed token is stored in a session cookie; the token will be valid for x amount of time. The next time you navigate to a different url on the same site (or make an XHR request) the cookie is sent in the request by the browser so you don't have to auth again. (Otherwise you'd have to login every time you went to a different page, or did anything that triggered a request).
There are alternatives to cookie based token, e.g. appending the token as a &token=xxx parameter on each url, but it's generally considered worse because users can inadvertently share that url with the whole internet and expose their account that way.
I assumed that a browser "session" had certain immutable elements like the source and destination hosts. (I use "hosts" somewhat loosely. I know about server-side load balancing.)
How could Joe steal a session cookie from Betty in Manchester and then use that to auth from his home in Elbonia?
You could store other stuff in the cookie/serverside but it tends to come with user convenience drawbacks - an IP address often doesn't stay the same over the lifespan of the token (e.g. 30 days) so you'd be forcing them to log in more; storing location only works if they don't move around too much. Genuinely persistent identifiers that could be stored to stop a cookie from being used in a different machine are a privacy problem exactly because they're persistent and get used for advertising tracking. Maybe some of those drawbacks are a worthwhile trade off for high value accounts though.
HTTP (not HTTPS) is a stateless protocol, the server has no way of knowing that a request relates to a previous request other than if the browser sends some data (which is the cookie) to alert the server to the fact that you have communicated before. There is no reliable way for the server to see the real IP address of the client because any kind of load balancer or HTTP proxy will mean that the "source" of the HTTP connection is the LB or proxy. There is a workaround to put the source IP address in as a header, but that can be faked as easily as the cookie.
With HTTPS it gets a bit easier for the server. HTTPS has the concept of a session (the duration for which the session keys negotiated are valid) and because only the originating server should know about the session key the server can be fairly sure that the client is the one that originally logged in. The HTTP session (unless you are using client auth) doesn't know anything about who you logged in as though, because the HTTPS session is established before you log in. Most modern HTTP servers will connect the HTTP session cookie with the HTTPS connection, which makes it a lot easier for the server to ensure the session is aligned to only one (HTTPS) connection, but this functionality can break in some scenarios (such as if you want to allow a user to log in using FORM authentication if client-cert authentication failed), or when using certain SSO providers.
TLDR; Because plain HTTP is stateless, its easy to steal HTTP session cookies, HTTPS can sometimes make this easier because you can tie the HTTP Session cookie to an HTTPS session.
"Nor does the ad giant discuss whether or not it made any money when channel owners lost access and the crooks took over."
Lots I suspect. Just like it does with all the scam adverts that appear, before, during or after a video. The ones for fake products or services. I've finally found the option to report these. I know it's on the mobile app and PC, not sure about TV app. Seeing so many of them, surely they have a team that could remove these instead of leaving it up to the viewer to have to constantly pissing report. Its under the "Why am I seeing this advert" option.
Its shocking how many of these exist. Knowing they'll have paid for the time and Google makes money whether its a scam or not. I'm pretty sure Google never returns any of the money it makes from these adverts, so for them its a win win. Having looked into this before they also constantly blame AdSense for the problem, ignoring the fact they fucking own AdSense.
The whole reporting system is a mess. I've mentioned before about the copyright strike I got hit with (now finally removed) by a bocus report. Then I spot the other day, whole channels by the traveller community threatening violence to other travellers and some of their channels just showing the fights they have. Both breaking the T&C of YouTube yet those accounts still exist. I went on a reporting spree but I bet if I check in a months time, those accounts will still exist, along with the videos and the adverts that are on them. Googles AI will seemingly ignore them while they still make lots of money from the adverts until it becomes big news and you get another ad-apocalypse.
It seems to be the only time when Google/YouTube take action is when they themselves are indanger of lossing money when advertisers pull out of the platform.