Free Republic
General/Chat

Google is at it again, new YouTube security threat
8/4/24 | Member

Posted on 08/04/2024 12:35:56 PM PDT by Openurmind

I have detected a serious YouTube security threat that needs exposure. All IT and security experts are welcome to check into my findings and chime in. Here is what I found so far.

Years ago this was a problem. Just going to YouTube or Google Mail at all, even on another tab without logging in, would load strong spyware in your browser and even in your machine permanently, which required reinstalling your OS to remove. It tracked logins on other tabs and was gaining access to keyboards, microphones, and cameras even if you just landed on their site by accident. Folks caught on and exposed it and then it stopped.

It is back... I am starting to get the warnings again, so they are up to their old tricks again. You can't even load YouTube up on another tab and be safe on the one you are already in. As soon as you do, it cross-scripts and tries to hitchhike with you into the site you are logged into or logging into, giving them direct over-the-shoulder API account access. I discovered it because our site has IP detection security that kicks you out on the fly if there is any change of your IP address status, forcing you to log back in and verify it is actually you. But my IP address remained the same.

So it detected the second IP address trying to access my account along with my current IP address as soon as I landed on YouTube. Our site immediately kicked me out and made me log back in, with warnings about the cross-scripting from YouTube coming from my developer tools. They are attaching a real-time cross-domain API to our browsers that gathers credential and identity data about our logins. I had to go clear all my data and history cache before I could log in safely without it.

This is serious. This is not just for sites like the FR, it is every site you log into with credentials. Work, business, shopping, banks... Everything. So if you use YouTube or Google, be sure and clear everything in your cache before you go log in anywhere else. And DO NOT use it while already logged in anywhere. It immediately jumps in bed with you and is also logged in with you. I am testing now, but the only cure I see that might be easy and work to prevent it would be to bring up YouTube in a second browser, separate from the browser where you are logged into or logging into other sites. I am still testing this option to make sure the browser does actually keep them apart from each other. Hopefully it will not take tweaking to make them secure from each other. Any and all help from the experts here is welcome.

They just went off and ruined it for those who like to share YouTubes...


TOPICS: Computers/Internet
KEYWORDS: computer; google; googlecanthurtyou; googlespying; goolag; hh2; karencantread; parabrainedkaren; paranoidkaren; paranoidtrash; privacyandsecurity; securitythreat; vanity; windowspinglist; youtube
To: daniel1212; Openurmind
Thank you daniel1212 for that excellent explication. That far surpasses anything I could contribute, and I learned much from it. :-)

Your posts are always detailed, enlightening, and accurate. I very much appreciate your expertise and willingness to share.

61 posted on 08/08/2024 8:22:58 PM PDT by dayglored (“Courtesy is owed. Respect is earned. Love is given.” - Kinky Friedman 1944-2024)

To: daniel1212; dayglored

Along with dayglored, I much appreciate you sharing also. Now keep in mind, this issue would have gone completely undetected if it had not been for the unique IP change security tool at our site. It was hidden until the tool detected the new IP address that the Google bot was using. So while it may look like it is not happening, it is. Implement NoScript and it should catch it and warn you when you try to log in here and at other sites you log into.


62 posted on 08/09/2024 1:36:16 AM PDT by Openurmind (The ultimate test of a moral society is the kind of world it leaves to its children. ~ D. Bonhoeffer)

To: daniel1212

I enjoyed the Tomatoes just as well... :)

Thanks again!


63 posted on 08/09/2024 1:38:29 AM PDT by Openurmind (The ultimate test of a moral society is the kind of world it leaves to its children. ~ D. Bonhoeffer)

To: Openurmind

Does anyone know if this is still a thing? It now makes me nervous logging onto YouTube.


64 posted on 08/10/2024 12:56:48 PM PDT by ducttape45 (Jeremiah 17:9, "The heart is deceitful above all things, and desperately wicked: who can know it?")

To: ducttape45

Yep, the scripts are still there. And you don’t even have to log in. Just landing on the page attaches it to your browser until you go clear your cache data and history.

I haven’t gone there since I found it. It is not safe.


65 posted on 08/10/2024 5:41:22 PM PDT by Openurmind (The ultimate test of a moral society is the kind of world it leaves to its children. ~ D. Bonhoeffer)

To: Openurmind
Wow, that's incredible that they would have the audacity to do such a thing.

Thank you. I will be avoiding YT until they stop this nonsense. Question though, how does one go about finding the scripts you found?

66 posted on 08/10/2024 6:42:55 PM PDT by ducttape45 (Jeremiah 17:9, "The heart is deceitful above all things, and desperately wicked: who can know it?")

To: ducttape45

They are pretty much undetectable. I just happened to have the right environment to alert me. I had to have two tools together expose it.

Now here is the thing. They are ALL doing this hidden tracking and fingerprinting script browser con, but this was unique: it was an actual bot with its own IP address riding into my login with me.

Our site has a default security tool to prevent someone from hijacking our users' accounts while they are logged in. It is constantly watching for IP address changes. And when it sees one, it kicks us out and makes us log back in. Just to be safe and make sure it is just us and not a bot hijacking the account while it is being used.

And I strictly take the extra time and effort to use the "NoScript" tool, which blocks ALL scripts and gives warning of any cross-site scripting efforts. The two worked together to alert me of the problem and how serious the problem was. Not only did the site kick me out because it detected a hijacker, NoScript instantly gave me a warning about how logging into our site was not safe because YouTube (by name) is riding in with me and trying to identify me.

So once this bot is attached to your browser it is making note of your credentials, your IP address, and the IP address of the target site you are logging into in efforts to identify you. This is a huge security issue for not just the user but also the domain you are logging into. They can basically gain access to your accounts anytime they like.

So even though it is a lot of extra effort to use NoScript, it has become absolutely the best tool you can get to help prevent this from ALL sites. And any time after you even land on YouTube, your cache needs to be cleared before you even think about logging in anywhere else. This is why I am making efforts to figure out how to run two browsers completely separated and isolated from each other. One for YouTube and its bot/scripts if you really need it, and the other to log into your favorite sites more safely.

It is the only way you can safely go grab stuff from YouTube and post it on the other site without compromising your account on the site where you are logged in and posting, like the FR. Everything else needs to be completely separated from YouTube in its own browser now. And just bringing up two will not do this, because they will still share the same cache folder. I am working on making each have its own cache, independent and isolated from the other.


67 posted on 08/10/2024 7:36:12 PM PDT by Openurmind (The ultimate test of a moral society is the kind of world it leaves to its children. ~ D. Bonhoeffer)

To: Openurmind
Crazy. All that work because Google wants to spy on the typical user more intently than necessary.

So for the common user, NoScript appears to be necessary. I think I tried that once many years back but it made the user experience so tedious that I removed it. It appears that we also need to clear the cache and browsing history, especially after visiting YT. Is there anything else we should do? You mentioned that your site has a security tool that it employs. Is there anything similar for the everyday user?

I use different browsers for different things. I use Brave for most everyday stuff, but I also have the plain Chromium browser where I back up old URLs that I don't need much anymore but that I don't want to part with. I try to back up and store everything I've used over the years just in case. I also use the Palemoon browser, an offshoot of Firefox. I use it for websites that are simple, like FR.

I really appreciate you bringing this to our attention.

68 posted on 08/10/2024 8:20:44 PM PDT by ducttape45 (Jeremiah 17:9, "The heart is deceitful above all things, and desperately wicked: who can know it?")

To: ducttape45

“You mentioned that your site has a security tool that it employs. Is there anything similar for the everyday user?”

For detecting hitchhikers riding along with you, all I know of is NoScript as preventative maintenance to keep most of them from attaching in the first place. Detecting IP changes like that is going to have to come from the website side of things. But most websites do not care enough about their users to implement security like that. Most of them are doing the same thing anyhow.

Tell you what, install NoScript again and what is going on now will scare you. Every site out there is serving up hidden 3rd party real time API scripts that are tracking and fingerprinting. It really is out of hand. I have only been to three sites in the last couple years that did not have these. The FR, our site, and one lonely website I ran across that was built in the late 80s and never updated.

Now Brave blocks a lot of stuff like NoScript, but it also lets a lot of stuff through. NoScript blocks EVERYTHING and then you have to go “allow” just the minimum to be able to see elements of the page or media. But better safe than sorry and after using it a couple weeks you will catch on to which ones do what for you yet it is still blocking the other sometimes 30-70 tracking scripts. It really is now worth the extra work. You will see... It is incredible, and just try to find a site that doesn’t also use Google 3rd party services. It is almost impossible.

If folks just knew, they would be screaming bloody murder. But it is all hidden so they don’t even know.


69 posted on 08/10/2024 9:06:40 PM PDT by Openurmind (The ultimate test of a moral society is the kind of world it leaves to its children. ~ D. Bonhoeffer)

To: Openurmind
I guess I can give it a shot. Just seems like the more we know, the more frustrating it gets. We're always being attacked in some fashion by someone in the IT community.

I wish the world wasn't so "digitally" connected. I'll tell you what, if I can ever get back to the place where I wasn't so dependent on my computer for paying bills and keeping track of my finances, I would gladly ditch it all for a small cabin in the woods isolated from it all.

70 posted on 08/11/2024 1:44:59 PM PDT by ducttape45 (Jeremiah 17:9, "The heart is deceitful above all things, and desperately wicked: who can know it?")

To: ducttape45

“I wish the world wasn’t so “digitally” connected. I’ll tell you what, if I can ever get back to the place where I wasn’t so dependent on my computer for paying bills and keeping track of my finances, I would gladly ditch it all for a small cabin in the woods isolated from it all.”

Amen. I am disgusted with it too. I am right now doing exactly what you speak of...

I just have some matters of responsibilities to catch up on and then I’m going fishing with minimal bills and minimal possessions and no tech except a phone for emergency situations.


71 posted on 08/11/2024 2:03:52 PM PDT by Openurmind (The ultimate test of a moral society is the kind of world it leaves to its children. ~ D. Bonhoeffer)

To: Openurmind
That's kind of what I've been doing.

I've packed up everything I don't absolutely need, resulting in 21 boxes, 14x14x14, all packed and just sitting in an interior closet. I also got rid of a lot of stuff, tools, gardening equipment, stuff like that. My garage is pretty empty now. I also have just what I need to prepare food and eat. Half of my kitchen cabinets are empty now as well.

I'm doing all this so that when I can move, I'm ready. I'm retired and I'm looking for just the right place to move to, no matter where it is.

72 posted on 08/11/2024 3:14:56 PM PDT by ducttape45 (Jeremiah 17:9, "The heart is deceitful above all things, and desperately wicked: who can know it?")

To: Openurmind

Probably a dumb question but is Safari vulnerable to this? I know Apple and Google are kind of cats and dogs corporate rivals. Just wondering if Apple might be extra motivated to keep Safari patched against Google ploys like this. I would think the smart tech guys on the Safari development team would be on the lookout for this kind of thing.


73 posted on 08/11/2024 3:24:12 PM PDT by Yardstick

To: Yardstick

Honestly I don’t know about Safari. Might want to get in the Apple tech forums and search around or ask. But it seems it is an industry standard for them to do all this.

The reason being, they package it up in a way with the JavaScript so that the page will not render the needed elements to see it or use it. At that point, no matter what browser it is, it has to be accepted to see or use the site at all.

So if Safari is rendering it then it is also allowing the scripts even if just temporary while you are there.


74 posted on 08/11/2024 4:07:05 PM PDT by Openurmind (The ultimate test of a moral society is the kind of world it leaves to its children. ~ D. Bonhoeffer)

To: Yardstick

It was a great question... :)


75 posted on 08/11/2024 5:02:20 PM PDT by Openurmind (The ultimate test of a moral society is the kind of world it leaves to its children. ~ D. Bonhoeffer)

To: Openurmind

Okay, good, I’m glad it wasn’t too tech unsavvy! I just did a super quick search and Apple does say that Safari blocks cross site tracking but what you’re describing seems like something different.


76 posted on 08/11/2024 6:09:02 PM PDT by Yardstick

To: Yardstick

Well, basically my NoScript warned me of the cross-site issue. But it couldn't prevent it. So if Safari actually prevents it, then that might help. But I wouldn't put trust in it. I would clear your cache before logging into sensitive systems like banks, etc.


77 posted on 08/11/2024 6:22:33 PM PDT by Openurmind (The ultimate test of a moral society is the kind of world it leaves to its children. ~ D. Bonhoeffer)

To: Openurmind

Bookmarked.


78 posted on 08/11/2024 6:33:35 PM PDT by Inyo-Mono

To: Openurmind
I just installed NoScript, and opened up YT. This is what NS showed me:

...youtube.com - TRUSTED
...google.com - TRUSTED
...googlevideo.com - TRUSTED
...ytimg.com - TRUSTED
...returnyoutubedislikeapi.com - DEFAULT
...gstatic.com - DEFAULT
...jnn-pa.googleapis.com - DEFAULT

Do I need to change anything?

79 posted on 08/11/2024 6:51:40 PM PDT by ducttape45 (Jeremiah 17:9, "The heart is deceitful above all things, and desperately wicked: who can know it?")

To: ducttape45

Oh wow, that never happens by default. EVERYTHING should be blocked and untrusted by default. So it looks like Google got to NoScript too. Set those each to default/untrusted. The only one needed to play the videos is the top "youtube.com" as trusted. The rest can be set to default. But now keep in mind most sites are going to require that top one in the list, which is usually the JavaScript, to be on, or it will give you a "Java required" notice. Or the site will not render.

So go to the red icon with the wrench, "Options". Then "Per-site permissions". Go through and switch them to default/untrusted except these as trusted:

…afx.ms
ajax.aspnetcdn.com
…bootstrapcdn.com
tinymce.cachefly.net
…mozilla.net
addons.mozilla.org
…noscript.net

Now here is the problem though. To see the videos on YouTube, by turning on that top listing you are allowing the JS to deliver that bad package. But at least it is blocking all the rest. So this is again why your cache will still need to be cleared before logging in anywhere else.

I'm telling you, they got us with that top JS package requirement to use sites. That is where they load the bad stuff. And almost all sites will require that top JS listing to be turned on to see it. But it is better than also being connected to the other, sometimes 30, 3rd party APIs too. I have gotten used to just using broken sites as best I can, because NoScript is breaking them by blocking elements. As long as just the text is there to read, that is enough for me. But usually turning on just that top listing will render a website as it should be, except embedded videos. I'm good with that to be much, much safer without all those other 3rd party connections.

It is going to be a learning curve. But it is the only way to be halfass safe. They are ruining our internet experience with this garbage. They are making sure their sites are broken unless you allow their crap. This is why I only go to about four sites and know the minimal NoScript settings for those particular sites. I’m going to PM you...


80 posted on 08/12/2024 3:08:28 AM PDT by Openurmind (The ultimate test of a moral society is the kind of world it leaves to its children. ~ D. Bonhoeffer)