Thanks to bitt for the ping!
Posted on 08/04/2024 12:35:56 PM PDT by Openurmind
I have detected a serious YouTube security threat that needs exposure. All IT and security experts welcome to please check into my findings and chime in. Here is what I found so far.
Years ago this was a problem. Just going to youtube or Google mail at all even on another tab without logging in would load strong spyware in your browser and even in your machine permanently which required reinstalling your OS to remove. It tracked logins on other tabs and was gaining access to keyboards, microphones, and cameras even if you just landed on their site by accident. Folks caught on and exposed it and then it stopped.
It is back... I am starting to get the warnings again so they are up to their old tricks again. You can't even load Youtube up on another tab and be safe on the one you are already in. As soon as you do it crosscripts and tries to hitchhike with you into the site you are logged into or logging into giving them direct over the shoulder API account access. I discovered it because our site has IP detection security that kicks you out on the fly if there is any change of your IP address status forcing you to log back in and verify it is actually you. But my IP address remained the same.
So it detected the second IP address trying to access my account along with my current IP address as soon as I landed on youTube. Our site immediately kicked me out and made me log back in with warnings about the crossscripting from Youtube coming from my developer tools. They are attaching a real time cross domain API to our browsers that gathers credential and identity data about our logins. I had to go clear all my data and history cache before I could login safely without it.
This is serious, this is not just for sites like the FR, it is every site you log into with credentials. Work, business, shopping, banks... Everything. So If you use youtube or Google be sure and clear everything in your cache before you go log in anywhere else. And DO NOT use it while already logged in anywhere. It immediately jumps in bed with you and is also logged in with you. I am testing now but the only cure I see that might be easy and work to prevent it would be to bring up Youtube in a second browser to run YouTube in separate from the other browser where you are logged into or logging into other sites. I am still testing this option to make sure the browser does actually keep them apart from each other. hopefully it will not take tweaking to make them secure from each other. Any and all help from the experts here is welcome.
They just went off and ruined it for those who like to share YouTubes...
Digging into “cache isolation”.
Elections coming up.
They need more blackmail material, particularly on the down ballots.
Thanks to bitt for the ping!
Well that would be the simple answer, just don’t use YouTube at all. But who can do that and still share videos here. All the good ones are at Youtube because not enough folks participate and post video to Rumble and the others.
Could someone suggest a browser for usage, please ?
Thanks for Duck Duck Go suggestion. Are there other ones ?
brave
youtube is free but you will see ads
Glad you popped in Dayglord. I know it can be done in Linux but how hard would it be to install two separate browsers of the same version next to each other but isolated from each other in Windows?
Good question. I'd guess at least it would depend on what data the browsers place in the Windows Registry; you wouldn't want them overwriting each other. So perhaps try installing one, make sure it runs correctly and remembers what you want it to remember, then install the other, and see if the first one breaks.
Thank you sir, I was curious if you will get a “this browser/app is already installed” block? I don’t remember if windows does this or not when you try to install the same app twice.
I clear all cache, cookies, history etc every time I close my browser. I have malware that blocks all trackers and in privacy badger I block every Google service.
Pretty simple to do.
Other than the Registry (as I mentioned above), of course you have to install twice, into two distinct locations on the disk volume (C:), or ideally on different volumes (like one on C: and the other on D:). I don't know if it would complain about "already installed" -- that's probably a function of the Registry keys, and whatever data the browser puts there.
You -might- get away with installing two different releases of the same browser. For example, it's possible to install different releases of Java JDK/JRE software side by side.
“I have malware that blocks all trackers and in privacy badger I block every Google service.”
I do too. My Noscript blocks everything thrown at me by Youtube. But to load a Youtube page and have the video play you have to allow at least their one main JS script. This is when you are in trouble. This is where this script is coming from. So if you want to watch the video and have it play you are going to deal with this problem I am speaking of no matter what.
In all of this I am not thinking of myself, I am considering those who do not have the safeguards you and I have. The average user is a sitting duck. But it affects everyone, even with safeguards if you want to view the video you have to allow that JS. You are locked out until you do.
There is another factor you must have missed in my explanation. This is happening on the fly if you open youtube in a new tab while you are already in a previous tab. Please read it again. You cannot hit Youtube and prevent it from affecting your login on the other tab. So clearing cache is not practical if you are using both tabs at the same time. It jumps over into the site you are logged into with you such as trying to post a video here. You would have to copy the Youtube link, close your browser and clear your cache, then load your browser back up and paste that link in your post here. That is the only way you can keep it from gathering data from the other site you are logged in or logging into. You would have to clear your cache after each visit to Youtube and not log into any other sites at the same time.
Thank you very much Dayglord! Got it!
📌
If you're not the customer
You're the product.
I use Firefox with Privacy Badger and Ghostery to keep me mostly clean, but an API would be able to get around them, I suspect.
If Google is using an API would they get the information from /AppData/Local or AppData/Roaming to get around any security and track me?
This seems to be more than tracking my movement around the web.
Is there an IP address or range of addresses I could block as a simple way to thwart their intentions?
Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.