Free Republic
Browse · Search
General/Chat
Topics · Post Article

To: ducttape45

They are pretty much undetectable. I just happened to have the right environment to alert me. I had to have two tools together to expose it.

Now here is the thing. They are ALL doing this hidden tracking and fingerprinting script browser con. But this was unique: it was an actual bot with its own IP address riding into my login with me.

Our site has a default security tool to prevent someone from hijacking our users’ accounts while they are logged in. It is constantly watching for IP address changes. And when it sees one it kicks us out and makes us log back in. Just to be safe and make sure it is just us and not a bot hijacking the account while it is being used.

And I strictly take the extra time and effort to use the “NoScript” tool which blocks ALL scripts and gives warning of any cross-site scripting efforts. The two worked together to alert me of the problem and how serious the problem was. Not only did the site kick me out because it detected a hijacker, the NoScript instantly gave me a warning about how logging into our site was not safe because YouTube (by name) is riding in with me and trying to identify me.

So once this bot is attached to your browser it is making note of your credentials, your IP address, and the IP address of the target site you are logging into in efforts to identify you. This is a huge security issue for not just the user but also the domain you are logging into. They can basically gain access to your accounts anytime they like.

So even though it is a lot of extra effort to use NoScript, it has become absolutely the best tool you can get to help prevent this from ALL sites. And any time after you even land on YouTube your cache needs to be cleared before you even think about logging in anywhere else. This is why I am making efforts to figure out how to run two browsers completely separated and isolated from each other. One for YouTube and its bot/scripts if you really need it, and the other to log into your favorite sites more safely.

It is the only way you can safely go grab stuff from YouTube and post it in the other site without compromising your account on the site where you are logged in and posting like the FR. Everything else needs to be completely separated from YouTube in its own browser now. And just bringing up two will not do this because they will still share the same cache folder. I am working on making each have their own cache independent and isolated from the other.


67 posted on 08/10/2024 7:36:12 PM PDT by Openurmind (The ultimate test of a moral society is the kind of world it leaves to its children. ~ D. Bonhoeffer)
[ Post Reply | Private Reply | To 66 | View Replies ]
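
The IP-change check described in post 67 (a site logging a user out when the session's address changes), sketched as an added example; it is not part of the original post and not Free Republic's own code. The class and method names are hypothetical, and the addresses are constructed values from the documentation ranges.

```python
import ipaddress
import secrets


def same_ip(a, b):
    """Compare two address strings after normalising; malformed input never matches."""
    try:
        return ipaddress.ip_address(a) == ipaddress.ip_address(b)
    except ValueError:
        return False


class SessionStore:
    """Hypothetical in-memory session table that pins each session to its login IP."""

    def __init__(self):
        self._sessions = {}   # token -> (user, ip seen at login)
        self.audit_log = []   # (user, bound_ip, offending_ip) for each forced logout

    def login(self, user, client_ip):
        token = secrets.token_urlsafe(32)  # unguessable session identifier
        self._sessions[token] = (user, client_ip)
        return token

    def validate(self, token, client_ip):
        """Return the user name, or None when the caller has to log in again."""
        entry = self._sessions.get(token)
        if entry is None:
            return None
        user, bound_ip = entry
        if not same_ip(client_ip, bound_ip):
            # Address changed mid-session: revoke the token so that neither the
            # old nor the new address can keep using it, and record the event.
            del self._sessions[token]
            self.audit_log.append((user, bound_ip, client_ip))
            return None
        return user


if __name__ == "__main__":
    store = SessionStore()
    tok = store.login("alice", "203.0.113.10")      # constructed sample addresses
    print(store.validate(tok, "203.0.113.10"))      # same address: session stays valid
    print(store.validate(tok, "198.51.100.7"))      # new address: session revoked
    print(store.validate(tok, "203.0.113.10"))      # token is gone, login required
    print(store.audit_log)
```

The check only sees that the address changed; a VPN reconnect or a mobile network handover trips it the same way a stolen session cookie would, which is why the response is a forced re-login rather than an account lock.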


To: Openurmind

Crazy. All that work because Google wants to spy on the typical user more intently than necessary.

So for the common user, NoScript appears to be necessary. I think I tried that once many years back but it made the user experience so tedious that I removed it. It appears that we also need to clear the cache and browsing history, especially after visiting YT. Is there anything else we should do? You mentioned that your site has a security tool that it employs. Is there anything similar for the everyday user?

I use different browsers for different things. I use Brave for most everyday stuff, but I also have the plain Chromium browser where I back up old URLs that I don't need much anymore but that I don't want to part with. I try to back up and store everything I've used over the years just in case. I also use the Pale Moon browser, an offshoot of Firefox. I use it for websites that are simple, like FR.

I really appreciate you bringing this to our attention.

68 posted on 08/10/2024 8:20:44 PM PDT by ducttape45 (Jeremiah 17:9, "The heart is deceitful above all things, and desperately wicked: who can know it?")
[ Post Reply | Private Reply | To 67 | View Replies ]

To: Openurmind

Probably a dumb question but is Safari vulnerable to this? I know Apple and Google are kind of cats and dogs corporate rivals. Just wondering if Apple might be extra motivated to keep Safari patched against Google ploys like this. I would think the smart tech guys on the Safari development team would be on the lookout for this kind of thing.


73 posted on 08/11/2024 3:24:12 PM PDT by Yardstick
[ Post Reply | Private Reply | To 67 | View Replies ]



FreeRepublic, LLC, PO BOX 9771, FRESNO, CA 93794
FreeRepublic.com is powered by software copyright 2000-2008 John Robinson