Listen up, Google: Here's what YouTube should do to prevent channel hijacking

Over the past couple of days, the big news was that Linus Tech Tips, a huge YouTube channel with over 15 million subscribers, was hacked. The hackers were able to change the channel name and live stream a fake Elon Musk video trying to get viewers to send Bitcoin to them.

2

Linus Sebastian, founder of Linus Media Group (Image Credit: Linus Tech Tips Twitter)

Thankfully, Google helped Linus and his team recover his channel. Still, I can only imagine it would have been an incredibly stressful and nightmare-type situation while the recovery was in process. And it's not just Linus Tech Tips that was hacked. A few weeks ago, Andy from eTeknix suffered the same fate after being conned by a fake video sponsorship scheme where the victim is tricked into opening what appears to be an agreement PDF - the "PDF" file is the malware.

Once opened, the malware sends the user's data to the hacker. It does not matter how strong your password is or if you have enabled two-factor authentication. It's not entirely clear which data is sent, but the critical data we know that is sent includes the user's browser data, including actively logged-in session tokens and cookies. Once obtained, the hacker can carefully plan an attack on the unsuspecting victim, usually when they are asleep.

Linus explains what happened during the takeover of his YouTube channel

In the hands of the hacker, the browser data, at least how Google currently handles things on their end, allows them to access the victim's YouTube channel as if they were logged in on the victim's device. YouTube can easily fix this by binding a single IP address to the session token and cookies. The hacker will access the internet from a different IP address, and the session tokens and cookies would be invalidated if a different IP address is detected.

It's baffling that YouTube doesn't require users to authenticate themselves again more often. Change the channel name? Sure, but ask the user to authenticate. Delete or unlist a few videos? That's okay. But delete or unlist more than five videos in a short timeframe? Come on, ask the user to authenticate again. It makes sense for YouTube to make the user experience as seamless as possible and not ask the user to log in too many times since it will annoy them, but a balance needs to be met, which clearly requires more focus on security.

YouTube should have acted faster once these channel hijackings became commonplace. Now that a big channel has become a victim, let's hope they will work quickly and improve channel security. We can't blame YouTube for someone getting infected with malware, but we can lean on them to make the hacker's job a lot more complicated.