Linus Tech Tips's YouTube channel was compromised a year ago. YouTube staff ran a 24-hour investigation, but the hackers kept broadcasting cryptocurrency scams on the channel in the meantime. It was later found that cookie theft, also known as session hijacking, had given the attackers access to the whole of LTT's YouTube channel.
An employee opened an email attachment that appeared to be a PDF file but was actually a malware-infected executable. Once running on the machine, the malware handed the attacker the session token together with the encrypted cookie database.
With session hijacking, an attacker can reach every account you are signed into in that browser, not only YouTube. It even bypasses 2FA or multi-factor authentication, because the stolen session has already passed those checks.
Google itself has reported this kind of cookie-stealing malware targeting YouTube creators. It is not limited to YouTube creators; anyone can be hit. A case closer to home: the same cookie-stealing technique was recently used to breach my brother's Twitter account.

To combat cookie theft, Google has now developed a new mechanism called Device Bound Session Credentials (DBSC). By binding the authentication session to the device, it makes it nearly impossible for an attacker to use a stolen token on another device. To achieve this, Google uses the TPM (Trusted Platform Module) to store the private keys securely on the device. Even if an attacker manages to steal the cookie, it is useless to them, because it cannot be used to log in from another device.

As of Google Chrome version 123.0.6312.123 or later, DBSC is available as a prototype in the stable channel. To activate DBSC, a flag must be enabled. Here is the procedure.
Google Chrome: How to Turn on DBSC
- Open chrome://flags in your Chrome browser.
- Search for “Device Bound Session Credentials” and enable it. You can also copy and paste the address below directly into the browser.
- Now, simply restart your browser and you are done. You won’t see any change in how you interact with your online accounts.