WeChat ID
aaronpk_tv
-
Photo - “Wear a damn mask” - Joseph
https://twitter.com/photojoseph
•
Sep 10
WOW. You should put that on a Tshirt. “IT Security… it’s best if you don’t think about it”
I just might do that haha. The shirt i'm wearing today says "I find your lack of security disturbing" -
Photo - “Wear a damn mask” - Joseph
https://twitter.com/photojoseph
•
Sep 10
And the cookie doesn’t verify the machine it’s on? You’d think it’d only work if the MAC address and IP address were a match. This seems so very insecure.
tbh it's like the "security" involved in writing checks, it's best if you don't think too much about it
-
Photo - “Wear a damn mask” - Joseph
https://twitter.com/photojoseph
•
Sep 10
And the cookie doesn’t verify the machine it’s on? You’d think it’d only work if the MAC address and IP address were a match. This seems so very insecure.
The browser doesn't have access to the MAC. Google *could* (and probably is) checking the IP address, but it's all heuristics because your IP address may change at any time, e.g. cell phones have very unstable IPs, hop in a plane and land with an IP from another country, etc.
-
Photo - “Wear a damn mask” - Joseph
https://twitter.com/photojoseph
•
Sep 10
That is CRAZY that all you need is the cookies to access any account — especially a google one! So if I just sent you my cookies folder… you’d have access to anything I was logged into?!
💯
There aren't really any other tools browsers can use for this right now. The process of logging in looks like basically: you type your password in google, google gives you back a cookie, your browser makes a request with that cookie and the server knows who it's for. -
Gary
https://twitter.com/every_daydad
•
Sep 10
So would have two separate email accounts help? One solely for the YouTube channel, and one for business in case of a malignant file?
Interestingly that doesn't even matter for this since it wasn't the "normal" phishing style attack. Don't open files you download is the only safe thing, or open them on a machine that isn't logged in to anything. That obvs isn't practical, so it's a lot harder in practice. -
Photo - “Wear a damn mask” - Joseph
https://twitter.com/photojoseph
•
Sep 10
And the browser cookies had the passwords stored in a way that was readable?!
No, the cookies are how the browser is logged in to google. No passwords needed, 2fa doesn't matter. I'm thinking I might need to make a video on this.
-
Photo - “Wear a damn mask” - Joseph
https://twitter.com/photojoseph
•
Sep 10
Damn. So the download was a virus, or keylogger? You on Mac or PC? We Mac users like to think we’re immune to stuff like this but probably not…
It was a windows executable disguised as a .scr file, no keylogger needed for this, it was able to pick up the browser cookies from the hard drive. It could have happened on Mac just as easily.
-
Kevin - Basic Filmmaker
https://twitter.com/BasicFilmmaker
•
Sep 9
LOL @aaronpk when we both realize we don’t follow each other. 😂😂😂
I was gonna ask how you're doing with all the fires nearby! Couldn't remember how close you are to that area -
fun fact not even fax machines are safe from viruses https://blog.checkpoint.com/2018/08/12/faxploit-hp-printer-fax-exploit/
