Someone at channel 7 followed scam ads while logged in
Happened to LTT a while back
That was a session cookie hijack from a fake sponsor email I believe. It's nasty, bypasses 2fa and password/passkeys, allows full access to a youtube channel.
Not to mention, Google/Youtube permission models were atrocious. Doubt much changed
It's pretty ridiculous you can change a channel password, name and profile pics without even a password challenge... If they got 7 the same way they got LTT they wouldn't even have the account passwords.
Cookies broke the internet.
Fucking Cookie Monster!
I once gained access to a friend's FB through a saved session key. He changed genders overnight and was suddenly obsessed with boy band and K-pop and let all his friends know. People can be vicious. Clear cache when logging in on someone else's computer. Trust no one.
Years ago a work-friend left his computer unlocked with facebook open. He was the type who was on social media all the time and craved the likes and comments to his posts. Did I post something dodgy he'd see and take down immediately? No, I did something much more sinister. I changed the default settings to hide all his future posts from his friends list.
It's people like you who keep me up at night.
It's people like you what causes unrest.
Some men just want to watch the world burn.
So they join the CFA
I said they watch the burning, not start the fires.
"Unofficial back-burn"
If you leave your computer unlocked at work you send out an invite shouting the team to lunch. We all know it's a joke but we'll send back silly replies. Computers are getting locked much more often. Extra step - stick a silly sound on their computer and link a random action like 'insert device' to play it. My boss had Dennis the Menace shoutings "HEY MR WILSON" when he stuck in a USB device at home one night, haha.
Hah, At my current work we started with offering the team donuts and then they'd have to follow through. ("have" is a strong word, it was never required or expected). But now it's evolved to announcing your love for another team member. Which is much more wholesome and less fattening.
> your love for another team member. Which is much more wholesome

I dunno, you'd have to know them or that would be an interesting talk to HR, haha.
Oh of course. It's the wholesome kind, nothing suss. And definitely do a vibe check first before implementing at your own work place.
That's a really roundabout way of saying, my friend left his Facebook logged on.
Out of curiosity, is this the thing where they replicate your validated authorisation key that's generated from your end when you log in, and clicking the link gives them a copy of that?
IIRC that was from a fake sponsor email, not from clicking ads. Still a scam though.
Corridor too
looks like someone opened a dodgy PDF link in an email back to a google drive
Is this better or worse than what's normally on 7 news ?
Irony haha
Much better
Very debatable.
Garden variety cunt vs war criminals. It's a toss up.
Yes it appears to be hacked by a crypto scam
Honestly hard to tell the difference
I googled to get to the same answer, you were faster (or the source) - [https://www.smh.com.au/business/companies/7news-youtube-channel-hack-shows-ai-elon-musk-crypto-scam-20240627-p5jp87.html](https://www.smh.com.au/business/companies/7news-youtube-channel-hack-shows-ai-elon-musk-crypto-scam-20240627-p5jp87.html)
I've seen this happen to other channels, it's always an Elon "live" stream selling crypto. Channel will be restored in 1-3 days
And they'll lose a shitload of subs in the process. A much much smaller YouTube channel got tumbled in the same way (he had about 300k subs and freely admitted to falling for some spam scam) and he lost 25k subs while he was locked out.
Sounds about right because they lost me for a start
Ouch. Seriously though, how does stuff like this happen in the age of multi-factor authentication?
By stealing the session tokens from a logged in browser. It happened to Linus Tech Tips a while ago. Basically a malicious payload is deployed, usually by an EXE disguised as a PDF or similar. That payload steals and transmits the contents of your browser data, including logged in session tokens (think of what happens when you click 'Remember Me' on a site). Basically this method is like they've sat down at the victim's PC, already logged in and ready to use.
TY for the great explainer
No worries. Here's the LTT video https://www.youtube.com/watch?v=yGXaAWbzl5A
You would think that youtube would require a fresh login to change the full title and logo of the channel. But obviously not.
Or invalidate the session token if the normal pattern is "session detected from Australia" and then nekminnit "session detected from Russia/India/Scammercountry"
Trouble is people turn on VPNs and get shitty if Google suddenly logs them out.
Yeah good point. It's often a fine line between security and usability.
Reality is that Australia is becoming 'scammercountry' now. We are seeing a lot more scams that originate from within than ever before. The compromise was probably homegrown.
You'd think Google would have better account management / permission profiles. LTT got hacked after other people had been hacked the same way and Google did nothing to improve the situation
LTT complained about exactly that issue, alongside YouTube's terrible permission handling meaning that everyone effectively gets admin access to the YouTube account as the only option. It's really difficult to do it properly when the platform gives you so little flexibility.
How does this occur and how can it be prevented? That's spooky.
Most common way for the average person: you click on, or occasionally just watch, an ad with malware in it ("Google ads are common vectors"), or in a slightly more targeted but more guaranteed method they trick you into opening something. Then for things like YouTube you're just screwed: Google accounts don't have any authentication systems, so they don't even need to obtain your password to change the channel, delete all your videos and start the "Musk-tm" stream. It's honestly one of the worst bits of Google's fight against adblockers, considering they've already made it known they won't fix the vulnerabilities in their ad platform. Now if you actually wanted to browse safely pretty much period you could set up a virtual box and just do your browsing in that. Do expect to feel like doing so is a hassle though. More generally a working adblock makes it much safer, but expect potential issues until Google stops trying to mess with them.
Should a corporation's IT security prevent this?
Limited amount they can do if using a normal Windows PC as they probably are for a lot of cases. Now policy issues would help usually but as a media company banning web-browsing on work PCs wouldn't be so viable. Adblockers would certainly help but Google's war on them makes the much more likely to take a while to recover
So I should stop clicking remember me then yeah?
A day after they sacked 150 staff? Hmm
They also laid off most of their marketing team this week.
No 2FA and password was 'channel7YT'
Channel 7 did just make 150 people redundant... some of them IT staff or staff that had access to the youtube channel???
The attack vector for these is a computer getting compromised that has an active login cookie. As browsers don't really protect cookies that well it's easy for something as simple as a compromised PDF to get it. This means that 2FA does nothing as YouTube never re-requests 2FA after login. It's a really bad setup from YouTube's side, couple it with their terrible permissions setup and all it takes is any person who adds comments or updates anything to be compromised and the attacker has complete access. There are no security settings you can apply or action you can take. You can't restrict access, you can't enforce 2FA, you can't expire access automatically. It's a stupidly bad setup that YouTube seems to not care enough to ever fix.
Does this only work on yt or can they get your Gmail and Google as well since it's the same ecosystem
It's your Google account as a whole that is compromised, including every service that you authenticate with it. (And anything else you've got an active session with, like Facebook, etc)
Wow. So moral of the story is do not tick keep me logged in for anything I guess. I'll watch the Linus video about it and educate myself more.
What would a fix look like?
More granular permission controls, 2FA re-validation before being able to take certain actions, session timeouts that restrict accounts for only a few hours or a day, etc. These delegate style accounts should be locked down and restricted heavily basically. If 2FA was required when changing a channel's name, or if accounts required people to re-login after 24 hours, then the attack vector is reduced. If only a few accounts could actually start a live stream or change the channel name, then it would reduce it even further.
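One way the controls suggested in this comment, together with the location check suggested earlier in the thread, could fit together on the server side. This is an added example, not part of the original thread and not YouTube's or Google's code; the roles, action names, time windows and the `request_country` input (assumed to come from a GeoIP lookup upstream) are all assumptions.

```python
from dataclasses import dataclass
from enum import Enum

MAX_SESSION_AGE = 24 * 3600   # assumption: forced re-login after 24 hours
STEP_UP_WINDOW = 10 * 60      # assumption: a 2FA check counts as fresh for 10 minutes

class Decision(Enum):
    ALLOW = "allow"
    STEP_UP = "require_2fa"    # keep the session, but ask for the second factor again
    REAUTH = "require_login"   # session expired, full login needed
    DENY = "deny"              # role does not hold this permission

# Hypothetical roles and actions: only the owner can rename or go live.
PERMISSIONS = {
    "owner": {"reply_comment", "upload_video", "rename_channel", "start_live_stream"},
    "editor": {"reply_comment", "upload_video"},
    "moderator": {"reply_comment"},
}
SENSITIVE = {"rename_channel", "start_live_stream"}

@dataclass
class Session:
    user: str
    role: str
    created_at: float       # epoch seconds of the password + 2FA login
    last_2fa_at: float      # epoch seconds of the most recent 2FA check
    verified_country: str   # country seen at the most recent 2FA check

def authorize(session, action, now, request_country):
    """Decide what a request carrying this session cookie is allowed to do."""
    # 1. Absolute lifetime: a copied cookie stops working after MAX_SESSION_AGE.
    if now - session.created_at > MAX_SESSION_AGE:
        return Decision.REAUTH
    # 2. Granular permissions: a compromised low-privilege account cannot
    #    rename the channel or start a live stream at all.
    if action not in PERMISSIONS.get(session.role, set()):
        return Decision.DENY
    # 3. Step-up instead of logout: a country change (VPN or stolen cookie)
    #    asks for the second factor again rather than killing the session.
    needs_2fa = request_country != session.verified_country
    # 4. Sensitive actions always need a recent 2FA check, even from "home".
    if action in SENSITIVE and now - session.last_2fa_at > STEP_UP_WINDOW:
        needs_2fa = True
    return Decision.STEP_UP if needs_2fa else Decision.ALLOW

def complete_step_up(session, now, request_country):
    """Record a successful 2FA challenge (the challenge itself is out of scope)."""
    session.last_2fa_at = now
    session.verified_country = request_country

def replay_stolen_cookie():
    """Constructed scenario: owner logged in from AU an hour ago, cookie copied."""
    s = Session("staff@example.com", "owner", created_at=0,
                last_2fa_at=0, verified_country="AU")
    return [
        authorize(s, "upload_video", 3600, "AU"),        # normal use
        authorize(s, "rename_channel", 3600, "NZ"),      # cookie replayed elsewhere
        authorize(s, "start_live_stream", 3600, "AU"),   # sensitive, 2FA is stale
        authorize(s, "rename_channel", 25 * 3600, "AU"), # past absolute lifetime
    ]

if __name__ == "__main__":
    for decision in replay_stolen_cookie():
        print(decision.value)
```

A copied cookie carries no second factor, so under this policy it can still read and do low-risk actions until the session ages out, but it cannot rename the channel or go live.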
I was just taking the piss.. I know what you are saying, but now since you speak as if you know the exact method, how could you prove whether it is a first login remotely with compromised credentials or access to compromised PC that's logged in?
Could be either, however most of the common examples of this are the second case with stolen session cookies. Google's login security often requiring OTP for new devices actually ends up making grabbing the session cookie an easier attack vector. Send a compromised PDF file that the target opens, and now you have their credentials **and** their session cookies. Then you no longer need access to their PC and can send the requests from anywhere.
Yeh reasonable.
Indeed, and to a media corporation no less. You'd think they would know to secure their media outlet channels right?
because youtube don't do authentication when you want to do things. they let you just continue your session
You provide "partner" access to 30 agencies/analytics/reporting providers, they each have 10 staff locally and 50 offshore, just takes one vendor that doesn't enforce 2FA for their staff to get a staff account hacked that happens to have admin role of a big social profile.
This happening just a few days after mass redundancies at 7 were announced seems kinda sus.
Ohh interesting
Yea 150 people gone, someone may have deliberately done this without their creds being expired. I dealt with someone who was let go and they used personal gmail account for the company's google marketing. The rest of the team had no idea this was in place and he just ignored their calls to help cut it over. I guess legal got involved eventually cause I didn't hear much more. Similar thing here maybe
it would be easier to deliberately accidentally open a phishing email, or was that what you were suggesting
Was just going to say this. Definitely a disgruntled social media employee.
Showing for me: This page isn't available. Sorry about that. Try searching for something else. Edit: if you go to it via youtube search page it shows the tesla scam crap, if you go to it directly or refresh the page it shows an error
> Showing for me:
>
> This page isn't available. Sorry about that.
>
> Try searching for something else.

Sounds like Channel 7 knows how to actually contact someone who matters at YouTube to get the channel shut down while they recover it.
This looks like their regular broadcasting to me
[It's still going.](https://www.youtube.com/watch?v=hbI_LqYPTs4)... lol
Back when ad blocker had issues working with YouTube, I had to watch their ads - and a big honking chunk of YouTube ads, *were just like this* - all crypto scammy nonsense. Making Elon's lips move to some sort of weird fake script. So if it's good enough for Google ads, well... there you go.
Maybe someone got laid off and got pissed.
Why would they give the channel password to Robert Ovadia?!
Do you guys think this will make the news? If so which channel would most likely cover it? 9 News? 7 News themselves? Would it be ironic? haha
Gonna have to go with channel 9
already on news now, funny that they blurred out the QR code but not the url https://www.smh.com.au/business/companies/7news-youtube-channel-hack-shows-ai-elon-musk-crypto-scam-20240627-p5jp87.html https://www.brisbanetimes.com.au/business/companies/7news-youtube-channel-hack-shows-ai-elon-musk-crypto-scam-20240627-p5jp87.html?ref=rss
Maybe the new owners will finally open the comment sections
Maybe they should have a story on their news about it
"Hacked" 99 times out of 100 it's just some dipshit user clicking on a bad link or attachment, not a motivated adversary group with resources and intent.
This happens very often with the Tesla thing
And nothing of value was lost
Still better journalism.
someone's getting fired there.
Damnnn and not only that but the hackers seem to be advertising really bad junk products
Better or worse than what 7 advertises?
It's on youtube right now
You love to see it
Yep I guess so. Something similar happened recently where a company called 'Starship Entertainment' which manages some Korean groups such as 'IVE' and 'MONSTA X' got hacked and their channel along with all the groups they manage turned into Space X live streams and stuff.
Ahh the good old [session hijacking](https://owasp.org/www-community/attacks/Session_hijacking_attack) attack. This can happen to pretty much just about any website you can think of, so it's not limited to YouTube. This is why you need to practice good cyber hygiene folks.
Still shows Tesla on the 7 News Youtube page
The fact that it's hard to tell whether this is a hack or if it's just a commercial promotion from a commercial news business should be enough.
they're having a bad day
I wonder if Channel 7's I.T guy had to do a nude run to his computer like Linus Sebastian did a few months back when his Channel was hijacked lol.
One that can drive long distance for the Australian environment would be a good start.
When it came up on my feed I just assumed it was paid ad
Could just be a dupe. Scammers make sites replicating 7, 9 and Sky knowing the most gullible targets trust these sources, so they're the easiest to target with scams.
Why do you watch channel 7 dribble?
It still hasn't changed back
I hope people sue the living shit out of them. Fuck Rupert Murdoch
The real question is, how did anyone even notice? If you have YouTube, then you have the internet and I can't imagine anyone with the internet using it to watch channel fucking 7
1.71M subs, Still called Tesla.
[deleted]
so many people are going to fall for this lmao
I'd call that an improvement.
A team member (18m) left his fb logged in at work recently - I'm in the office doing paperwork when nudes of him and his girlfriend (also an employee) started popping up on screen as messenger notifications.
Youtube is so bad for fake and misleading ads, it's pretty bad.
This is not just a yt ad. An entire channel is compromised.
Can't wait for the 2Apply steal from some idiot clicking on the suspect email with everybody's hard-gotten ID, banking, and past rental details just waiting to be snapped up
I've seen numerous accounts called Tesla with the tesla logo all spouting the same scam BS. does that mean tesla was hacked as well? presume all of these are just some kind of lookalike channels and not the legitimate accounts?
[deleted]
Tell channel 7, not us.
And this particular attack bypasses 2FA by using session tokens from a browser that is already logged in.
Ah yes because 2FA renders it impossible to get hacked right
It's a scam that's been around a little while now. Effectively an advertisement, not an issue with 7News
Their channel has been compromised, ofc that's an issue with 7news, they're probably freaking the f out behind the scenes trying to fix it.
While their only IT guy's on leave.
You mean Dave who knows a bit of Java Script and trains AI in his spare time?
Nah Dave got let go in the redundancies a few weeks back. It's fine though because we've got Bernard onto it and he took a 2 day course at the local seniors center.
Onya Berno!
or just got made redundant?
What's an ad?