Good UX as a cybersecurity vulnerability

20 Apr 2023

Prominent tech YouTube channel Linus Tech Tips was hacked recently, having many videos deleted and a scam video streamed on their (renamed) channels for over an hour before YouTube intervened and shut the channels down. Unfortunately this type of attack on YouTube channels has not been uncommon in recent times.

Yet they, and plenty of other channels that have been hit the same way, had the full security measures that Google affords, and none of their passwords, nor their 2FA, were compromised. Instead they fell victim to a session token (also known as a session cookie) hack, which started with a malware-infected email attachment from a personally targeted email (a sponsorship inquiry to their sales team). That malware, once activated, scanned the device it was on and exfiltrated all the session tokens it could find.

Those session tokens are far more valuable than they might first appear.

Why do we use Session Tokens?

Session tokens, which are stored locally, are a dangerous attack surface that fraudsters are increasingly exploiting to great effect. Social media creator accounts are particularly vulnerable to these attacks, but anyone is at risk.

A session token exists to do things like keep you logged into a website and remember recent settings (e.g., links visited) to make for a better UX. They're stored locally, so the only way to gain access to them is either to intercept and decrypt them in flight (hard) or to read them off the local machine (easy if you can get access to it).

How Session tokens work

These two excellent flyers from Security Zines explain two common types of session token and their uses. Security Zines is an excellent resource which I recommend to anyone with any interest in cyber security.

HTTP Cookies

Download the full version on the website and check out their other excellent content.

JSON Web Token


Your Password (with an expiry date)

Session tokens don't hold your passwords, BUT they are used in place of your password to access websites. As this is obviously a huge security risk, there are all kinds of rules around expiry times for them. When a session token expires you'll often notice it by having the app you're using prompt you to log in again. Banking applications will often sacrifice UX for security: you'll find yourself logging back into your banking app far more often than into Facebook, and many social media apps have expiry times measured in weeks or months.

The problem comes when these long expiry times are also applied to sensitive accounts. In the case of YouTube the same expiry times for a passive user like myself watching videos is also applied to a multi-million dollar creator account like Linus Tech Tips. Our risk profiles are dramatically different so it doesn't make sense to apply the same session expiry policies.
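As an added illustration (not code from the original post, and not how YouTube actually implements sessions), a minimal server-side session store that does what this section argues for: a short idle and absolute lifetime for high-value creator accounts and a longer one for passive viewers, rejection of a token presented from a device other than the one it was issued to, and a forced fresh login before destructive channel actions. The tier names, timeouts, action names and the device fingerprint are all assumptions.

```python
import secrets
from dataclasses import dataclass

# Per-risk-profile lifetimes in seconds (constructed values, not any real policy).
POLICY = {
    "viewer":  {"idle": 30 * 24 * 3600, "absolute": 90 * 24 * 3600},
    "creator": {"idle": 12 * 3600,      "absolute": 24 * 3600},
}
# Actions that always require a recent full login, however fresh the session is.
STEP_UP_ACTIONS = {"rename_channel", "delete_video", "start_live_stream"}
STEP_UP_WINDOW = 5 * 60  # seconds since the last full authentication


@dataclass
class Session:
    user: str
    tier: str        # key into POLICY
    created: float   # time of login (absolute lifetime starts here)
    last_seen: float # time of last accepted request (idle lifetime)
    last_auth: float # time of last full login (for step-up checks)
    device_fp: str   # hypothetical fingerprint of the issuing device


class SessionStore:
    def __init__(self):
        self._sessions = {}

    def login(self, user, tier, device_fp, now):
        token = secrets.token_urlsafe(32)  # unguessable, never derived from the password
        self._sessions[token] = Session(user, tier, now, now, now, device_fp)
        return token

    def reauthenticate(self, token, now):
        self._sessions[token].last_auth = now

    def check(self, token, device_fp, action, now):
        s = self._sessions.get(token)
        if s is None:
            return "denied: unknown token"
        p = POLICY[s.tier]
        if now - s.created > p["absolute"] or now - s.last_seen > p["idle"]:
            del self._sessions[token]
            return "denied: expired"
        if device_fp != s.device_fp:  # a stolen token replayed elsewhere
            del self._sessions[token]  # revoke it rather than just refusing once
            return "denied: device mismatch"
        if action in STEP_UP_ACTIONS and now - s.last_auth > STEP_UP_WINDOW:
            return "reauth"  # caller must prompt for password + 2FA first
        s.last_seen = now
        return "ok"
```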

What can we do?

At the end of the video Linus lays out a reasonable set of improvements Google could make to close this security hole in their infrastructure (after all, for YouTube, they literally control the whole stack from browser to backend). He makes a lot of good points about treating security as a first-class citizen when it comes to increasingly valuable digital properties.

In the battle between security and UX we've seen the balance tilted towards UX way too far. We're all targets for this sort of hack. At some stage we all need to accept that the UX of our favourite apps has to get a little bit worse to make us a lot more secure. Financial applications have long resisted the move away from safety to "nicer" UX, and that's to their credit.

Web3 was founded on high levels of user-driven security. In web3 we have a lot of control over our security, and we have the choice to be very mindful of it if we want. That's at the core of decentralisation and self-custody. I fear for those principles under the pressure of "better user experiences". We should teach up, not dumb down.
There's a lot at stake if we don't.

The web2 bots are coming for web3. If we let them.
