Account Security, Chrome Cookie Hijacking, Password Reauth, Multi Factor, and LTT

Some of us may have followed the just now completed saga of LinusTechTips' YouTube channel takeover and are wondering how we can protect ourselves and what the Google Workspace/Authentication, Chrome, and other Account Related Teams are doing to ensure this is being stopped. 

What we know is that LTT and other channels taken over in a similar way are using the Google Authentication infrastructure.  We know that LTT is also using a corporate Google Workspace edition to manage their accounts.  Thus even though most of us do not manage any YouTube Channels it means that we are all vulnerable to these same attack vectors through spearphishing and other similar methods. See also ThiloJoe: https://youtu.be/xf9ERdBkM5M

Now we all know to secure our accounts with 2FA but these ways do seem to bypass password and 2FA through Cookie Hijacking. Thus it seems like this isn't enough.  

My Suggestions for end users and admins

  • Handle Access to YouTube Channels the same way you handle Access to admin.google.com: Create a Second Account (licensed with CI Premium! or similar) for each user who needs access to the Channel and limit the session cookie time to 1 hour. 
  • Enforce 2FA through Hardware Keys (Titan / Yubi) for these accounts 
  • If you can, enforce uploading to YouTube through Chromebooks 
  • Enable Advanced Protection https://support.google.com/accounts/answer/46526 

My Question to Google (the Workspace & Chrome Teams)

  • What is being done about this issue? 
  • Are there steps being implemented to ensure Cookies can't be captured or can't be reused? 
  • What teams are actively working on this from the Google Side?
  • Will similar protections to the Google Cloud Platform settings be introduced on the Google Admin side? 
  • Are there disaster recovery plans being suggested by the Teams of YouTube, Google Accounts Team, and others?
  • Will YouTube enforce Security Keys/Advanced Protection for all account admins (similar to how you require us Google Cloud Partner Admins to have 2FA enabled)? 
  • Are there better and deeper available suggestions from the Google and YouTube teams being suggested that haven't been posted to Creators or Workspace Account Admins? 

And finally Questions to the community

What are the community's suggestions around account security that I haven't mentioned yet? 

1 ACCEPTED SOLUTION

@kim_nilsson Google is working on the issue.  They just aren't likely to talk about it.  Search cookie in the NDA roadmap for Q4.

But yes, Cookie Monster would agree that Cookie Theft is a real thing. -KAM



@Willie_Turney can you pull in relevant Googlers to this discussion? 
@JesseNowlin as a Channel owner and CTO: what are your thoughts and suggestions to add?  

The root cause of this incident wasn't some flaw in Google's security. The root cause was that the victim's computer was breached, and that is the only way a threat actor can steal your session cookie. So besides all the things you already mentioned as security precautions, there are some quite effective approaches to combat these types of attacks:

1.) Use a proper, modern endpoint protection solution. I am not talking about your Symantec or Norton antivirus here, but something way more sophisticated: EDR. Endpoint detection and response. Think of this as next-gen antivirus that works entirely differently than traditional AV systems and is way more capable of detecting and stopping breaches happening on your computer. Some notable vendors in this area are SentinelOne, CrowdStrike or Cynet (amongst others).

2.) The number one attack surface for these attacks to start is email. 99% of all attacks start with a malicious email, typically phishing. So, deploying proper email security is imperative. While Google's own detection engine is already one of the best in the business, it's not perfect, and it is advisable to plug in additional email security gateways that detect malicious emails. Some very good options here are Area 1 Security (now owned by Cloudflare), IronScales, or Avanan (now owned by Check Point). All three that I mentioned plug right into the Gmail API, so these solutions are easy to set up and don't require complicated email re-routing.

3.) User awareness training. This is absolutely key and paramount. Get your users trained on security issues. There are quite a lot of professional tools available for that which run your users through easy-to-digest videos, puzzles, and questionnaires to help them be suspicious enough or even detect phishing themselves. Most of these providers also offer phishing simulations, which train and assess your users. Some notable vendors here are (again) IronScales, Knowbe4, Riot (very unique and special) or SoSafe. 

4.) If you want to put some cherry on the top, get a security service edge solution that routes your entire internet traffic through a cloud-based security stack of a specialized security vendor like Zscaler, CloudflareOne, Cisco Umbrella and similar. 

 Unfortunately, there is no 100% security, but the closest you can get is through a multi-layered security stack that takes a bite at the apple from multiple different angles. Meaning, deploying multiple different point solutions, that as a whole, increase your security posture. 

Session cookies should not be valid on a different device, period.

Agreed. But they are. So protect yourself. 

Strongly agree. The security flaw is that there is a cookie in existence that can be stolen to spoof a device. I am wondering why there is not a public key exchange with private keys secured in hardware, such as the Computer's Trusted Platform Module, with a digitally-signed request header required to validate the client device's ability to use that particular session key.


All good suggestions, but YouTube does have some responsibility here.

Similarly to what @kim_nilsson mentioned, the idea that passwords and second factors can be changed without providing passwords or those second factors is absolutely unacceptable.

Seems like YouTube should prioritize closing that gaping security hole.

It is my understanding that this - for some reason - only works on personal Google accounts. On Google Workspace accounts, when you try to change the second factor, you will be challenged with a password prompt. 

Regardless, these security flaws exist. Browser session hijacking existed for a long time and plagues users of a lot of platforms, not just Google. The root cause of this is still an unprotected computer that someone was able to take over. This should be of *much* bigger concern to anyone. 

Everyone is always responsible for their own security. Pointing fingers at somebody else, after something has already happened, is easy, but won't protect anyone. 

Also why the heck is there a difference in feature availability between YouTube Studio Permissions (no Community Posts and others) and Brand Account Permissions (only 3 available roles).  

You are totally correct.  We as admins are to blame too if this attack surface is being exploited. Thus I have posed this as a two part question. What are we doing and what is Google/YouTube doing?

I love your additional suggestions for the additional multiple layers and what to look for in addition. 

I haven't worked with 'content aware access', but would this be a possible solution perhaps @dominik ?

Context-aware access and Security Keys for second factor would be my suggestions. They might meet your CAA rule so be as restrictive as possible with it. 

I am also not sure of the behavior of getting access this way and then you're not meeting a CAA rule.  My understanding is it will continuously check but not sure how quickly it would be discovered. 

With session cookies in the hands of the attacker, it is quite likely that the browser doesn't consider the new device to actually be new, and then it will not trigger CAA or 2FA.

Which is why I say that such session cookies should never authorise a different device than they were created on.

New problem arises, of course, how is a device specific cookie created in a way that makes it impossible, or at least extremely hard, to spoof on another device?

Cryptographic signatures might help here, maybe even tied into a computer's secure enclave / TPM, if available. 

When imported into a new computer, the browser will see a signature that came from a different computer (not itself) and deny loading the data. 


Sadly not.  Context Aware Access can only be applied to all Google Workspace Core Apps and some other Google applications (continuous) as well as true third party (SAML) apps (on Sign-in) but it cannot be applied to YouTube. 

Team YouTube should really push to get added to that list (similar to the Google Play Console!) and allow Admins to restrict access to YouTube Studio to say on-prem access for example.  

If Context Aware Access were possible that check would conceivably be continuous, thus blocking access once a session cookie has been moved to a browser without the Extension or other noncompliance situations (outside the Office Subnet for example). 

Hi @dominik ! I hope you are doing well! Thank you so much for posting here - I am identifying the relevant Googlers for this discussion. I will be in touch soon. 

Thank you, @KarisaE !

Thank you @dominik for posting and all for the discussion here! I appreciate your patience. Here is what our internal teams have shared in response to your question: 


As for what users can do to protect themselves, our general advice is to follow standard security best practices. Those best practices include:
  • Be very careful when downloading software, and do not install anything from sources you are not familiar with.
  • Make sure you have an AV, such as Windows Defender, running on your computer, and if possible use a more secure platform like ChromeOS.
  • Use unique, strong passwords for every site (which is easier with a password manager), and turn on two-step authentication.
There are some additional tips at the end of these two blog posts from the Threat Analysis Group. 

Do we have an answer to Dominik's excellent questions yet?  Whilst it is always good to understand security as an end user, unfortunately most do not.

Dominik's questions were excellent, and I would like to know what Google is doing also.  

The question is not what I can do (that can be found elsewhere) the question is - "What is Google doing to help prevent cookie extraction from being the damaging attack vector it is?".

@GregA_RW Off the cuff, many of his questions involve specifics about an incident for a specific customer.  That type of information is not going to get publicized by Google as a privacy issue. -KAM

Still, cookie theft is a real thing and shouldn't ever have been possible.

Especially thinking of recent arguably bigger issues with them it seems very important to do something about it. 

#Okta 🫣

Glad to see some stuff on the roadmap. I'm pinning your comment for now, @KAM 

Hi everyone,

This is a great thread and I appreciate all your posts. Sadly, I was not aware of the flaw(s) which I would summarise as .... cookies can be nicked and used from another IP. I feel dumb to have never thought about that or tried it for myself. I would, if you will pardon the pun, say that issue is baked into the cookie design, so awareness is the answer for now.

The differences with free gmail vs. paid workspace accounts indicated in this thread don't surprise me... it does have me think about making a change (and maybe recommending it to friends) to my own setup, which has been...

Current setup:
- Keep a free gmail account and use that for all general purpose stuff, including the main account for an android phone.
- Use my google workspace for business activity, corralling off services or forwarding as is convenient.

When I first did this, storage on gsuite/workspace was way more expensive. I'm considering the following 'flip' to the scenario
1) Make Workspace my daily driver for personal stuff, including the primary sign on for android.
2) Keep the free gmail for friends and casual stuff, but lock it up hard and only use it for certain purposes... maybe forward its inbox to my workspace for convenience.

Does anyone have any comments on this strategy? In the past, it seemed that paid for google accounts were not really up to scratch for mobile products - at least that was my impression.

Thanks for any thoughts

I want to add that in light of the Okta issue I created this Bug Report on Chromium.  If you'd like to see another way to reduce cookie theft please star this bug to give it some light (it is currently available; ie no one is currently working on it). 

https://bugs.chromium.org/p/chromium/issues/detail?id=1495801