Thread about this on the LTT forum <a href="https://linustechtips.com/topic/1495948-the-ltt-youtube-channel-got-hacked-to-push-a-crypto-scam/" rel="nofollow">https://linustechtips.com/topic/1495948-the-ltt-youtube-chan...</a>
A lot of YouTube channels are getting hacked recently with the same "sponsorship offer" hack. Wonder if this was the case here as well.<p>Paul Hibbert got hit recently. This video has more details on how this works and how they bypass 2FA: <a href="https://youtu.be/YIWV5fSaUB8" rel="nofollow">https://youtu.be/YIWV5fSaUB8</a>
This attack is absolutely Google's fault, here is why (most to least severe):<p>1. Password/2FA change must require reauthentication<p>2. Session tokens must be limited to a single browser fingerprint (browser/device-specific information)<p>3. Changing the password must terminate all active sessions<p>4. Session termination must invalidate the session token for future use<p>5. It must be trivial for the user to terminate all active sessions<p>6. Serious actions like changing the account handle/main info must require reauthentication<p>Any of the first 3 would've made such an attack impossible. Any of the first 5 would've made regaining full access to the account as trivial as a single button press.
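As an added illustration (not code from the thread, and not how Google implements it), here is a toy server-side session store that enforces the six properties listed in the comment above. It assumes the browser/device fingerprint is a hash of the user-agent string plus a device identifier, and takes an injectable clock so reauthentication freshness can be tested.

```python
import hashlib, hmac, secrets, time
from dataclasses import dataclass

def fingerprint(user_agent: str, device_id: str) -> str:
    # Assumed fingerprint inputs; a real deployment would bind more signals.
    return hashlib.sha256(f"{user_agent}|{device_id}".encode()).hexdigest()

@dataclass
class Session:
    user: str
    fingerprint: str    # bound at login from browser/device information
    last_reauth: float  # when the user last proved password + 2FA
    valid: bool = True

class SessionStore:  # toy store; comments cite the numbered properties above
    REAUTH_WINDOW = 300  # seconds a password/2FA proof stays "fresh"
    def __init__(self, clock=time.time):
        self.clock = clock  # injectable so freshness can be tested
        self.sessions: dict[str, Session] = {}
    def login(self, user, user_agent, device_id) -> str:
        token = secrets.token_urlsafe(32)
        self.sessions[token] = Session(user, fingerprint(user_agent, device_id), self.clock())
        return token
    def resolve(self, token, user_agent, device_id):
        # (2) a token only works from the fingerprint it was issued to;
        # (4) a terminated session never resolves again.
        s = self.sessions.get(token)
        if s is None or not s.valid:
            return None
        if not hmac.compare_digest(s.fingerprint, fingerprint(user_agent, device_id)):
            return None  # copied cookie presented from another browser/device
        return s
    def reauthenticate(self, token, user_agent, device_id, password_ok, totp_ok) -> bool:
        s = self.resolve(token, user_agent, device_id)
        if s is None or not (password_ok and totp_ok):
            return False
        s.last_reauth = self.clock()
        return True
    def sensitive(self, token, user_agent, device_id):  # (1)/(6): fresh reauth gate
        s = self.resolve(token, user_agent, device_id)
        return s if s and self.clock() - s.last_reauth <= self.REAUTH_WINDOW else None
    def terminate_all(self, user):  # (5) one call kills every session of the user
        for s in self.sessions.values():
            if s.user == user:
                s.valid = False
    def change_password(self, token, user_agent, device_id) -> bool:
        s = self.sensitive(token, user_agent, device_id)
        if s:
            self.terminate_all(s.user)  # (3) every session dies, this one included
        return s is not None
```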
In a timely fashion, their most recent tweet [1] asks:<p>"We need YOU...<p>... to reply with a clip of your worst tech fail!<p>Our favorite submissions might make it into an upcoming Techquickie video."<p>Think this might get included? :)<p>[1] - https://twitter.com/LinusTech/status/1638680638185435136