YouTube

That and why should they bother if it brings more engagement?

Except that people aren't literally giving the hackers their passwords. Here's a Theo Joe video that explains how it works, but the short version is that malware is used to hijack a session cookie, meaning that the hacker in possession of the hijacked cookie is now logged in without having to enter their password. Then, because YouTube does not consistently require re-entering passwords or two-factor authentication when performing such actions as changing your password, the hacker is able to lock the victim out of their account.

As for why YouTube hasn't fixed it yet, I don't know for sure. Information security is always a balance between security and convenience, and YouTube seems to have that balance set at a level that's too far towards convenience considering the way many people are using their platform. I'd assume incompetence, rather than malice, especially considering the level of competence YouTube has shown in other areas.

Funny you mentioned that: Chrome is prototyping a function to tie cookies to the device's TPM chip specifically to defeat session cookie theft.

NYT claims that OpenAI scraped over a million hours of Youtube videos through speech-to-text software to train ChatGPT. Claims are contradictory over whether Google knew or not: officially they didn't, unofficially they did but ignored it because they too are doing the same thing, regardless of the copyright harm it did to them.

My first-approximation solution to the problem would be to automatically expire the user's session cookie if their IP address changes suddenly, or at least require re-authentication. I'm sure somebody more educated in the matter will explain to me why that's impractical.

It's unlikely that I would suddenly move from the US to Lithuania.

As I think about it, I guess VPNs screw that up. Dammit. But still, I'd make someone reauthenticate in that situation. Might decrease "convenience" for VPN users, but frankly I don't care about that nearly as much as about account security.

Edited by Fighteer on Apr 9th 2024 at 8:46:45 AM

Because it'd make for really annoying user experiences, especially on mobile devices. Especially as youtube is trying to compete with another video site who specializes in quick on the go videos. It'd also make it all the more annoying to pause and resume videos if doing that can be followed by random re-auth requests. It also just wouldn't work for any user in an SD-WAN or multi-wan setup, among a bunch of other technical limitations. DHCP leases, especially from the ISP tend to be invisible to the user (when users know of them at all) so it'd just give the appearance that your site is unreliable, flightly, and just constantly bothers you with demands for reauthentication.

Plus frankly, Google wants you to have the cookie. It's how they track you for user data harvesting and Ad reasons. It's in Google's vested interest to make sure you stay logged in with their cookie and have this sucker on your machine as long as you can. That's how they make their money.

Edited by Ghilz on Apr 9th 2024 at 8:54:15 AM

Okay, let's step back for a second. YouTube account theft isn't mainly an issue for viewers of the site. It's for creators. 99% of the issues we hear about are people whose active, established channels get stolen, and the thefts mainly seem to occur in a PC environment. That's a much more stable IP situation than someone walking around town on their phone.

Further, my experience at TV Tropes is that we can fairly easily tell if you're on a dynamic residential IP or mobile connection. If we can figure that out, surely Google's techs can.

The problem space is much smaller than this post would make it seem.

Edited by Fighteer on Apr 9th 2024 at 8:59:18 AM

The main issue there isn't that youtube doesn't expire the cookie, it's that youtube/google has notoriously shit admin tools, so people cannot make admin accounts with limited permissions, or even sub admins who all have partial rights to the same channel. It's all "Your own google account" which if you're in a group, you're sharing (Unless that's been changed recently), which makes it way easier to steal access to the channel.

If youtube had separate login for viewers and uploaders, the later could have more stringent security criteria. It doesn't. There's some not-unvalid reasons for that - youtube wants to make uploading easy and available and spontaneous, and not hit you with a wall asking for you to make a creator account when you spontaneous filmed a cute cat video or a video of a cop being a bastard in action.

Yeah there's plenty of things youtube could do, heck, even without a separate log in they could make it so any change to the channel requires a re-auth.

Yeah I don’t think the You Tube back end really differentiates between account activity as a viewer or activity as an uploader, which is a problem if you want a security layer for uploaders that doesn’t harm the viewer experience.

I mean, the basic "require authorization to change your password" would prevent getting locked out by hackers. I think most social media sites do that these days, and they're usually not business fronts that involve potentially thousands of dollars.

You know what I hate? When a video starts playing the stuff you clicked on for, like a top 10 list, but the person put the sponsorship a fair bit into the video. That shit is so annoying. Fortunately, the Sponsorblock extension you can get skips the video anytime the sponsorship comes up and highlights where in the video it is.

Sponsorships might have requirements that force creators to do them that way. And I don't think ots much of an inconvenience to skip ahead.

It is surely better than random You Tube ads.

And they don't really interrupt much on top of content creators making their own spin on the ad.

Also you can skip them without a waiting period.

On the other hand, there's often no clear separation between sponsored segment and video content. Some creators put a disclaimer or countdown on screen. But a lot of creators try to have a really smooth sponsor segue, essentially trying to trick you to watch the sponsored part. The segue itself can be considered an unmarked ad, since it only introduces the sponsor.

At least with YouTube's ads you know the creator isn't paid to misrepresent the product or change the video at the whim of that specific sponsor.

Yeah, but at least sponsors pay the content creators.

Which is better to keep channels in the air than YT's policies that end up demonetizing channels over trivial bullshit.

I'll accept sponsors since the youtuber can add some flair and character to it and actually persuade me to check out whatever's being advertised.

Honestly, I prefer Youtube sponsorships over You Tube ads because at least with sponsored videos, the content creator would usually warn people ahead of time that a sponsored section of the video is coming and as others have pointed out, the content creator can make the sponsorships look fun, unlike the You Tube ads. Also, you have the option to skip over the sponsored section of the videos, while with You Tube ads, they just show up in the videos without any warning and you can barely skip through most of them.

Some use chapter separation and are honest enough to put the sponsor chapter so that it's skippable.

It's not that hard to scrub past the sponsor plugs if you don't like them. I don't really care about the fact of the plugs' existence. It's more a matter of their honesty. If anyone's still shilling for crypto or NFTs, for example, or if they're pushing known scam sponsors, that's a quick trip to abandoning their channel. If they don't disclose that it's a sponsor read, likewise.

Just display integrity and it's not a problem.

Ahh good ol' Established Titles. I think everyone fell for it.

No they didn't

Like seriously, what brain dead idiot actually believed owning a foot of land in Scotland gave you a nobility title.

Like the thing was so transparently a scam I can't actually feel pity for anyone who fell for it. Anyone stupid enough to fall for this shouldn't be allowed to manage their own money at all.

It's a scam so stupid it makes the Nigerian Prince scam feel sophisticated.

Edited by Ghilz on Apr 11th 2024 at 10:44:09 AM

The whole reason these scams work through sponsorships is that they prey on the trust that viewers have for content creators. Surely, if a lawyer hawks Established Titles, they must have done their diligence, right?

It's called affinity fraud, and it is a very powerful tool for the unscrupulous.

Now I'm curious about if that (lawyers hawking for Established Titles) actually happened?

Did the Established Titles company eventually go downhill because of them being exposed?