Published: November 5, 2025

we didn't want a smart tv, but there are no more dumb ones out of the box. it was so slow we joked it had north korean spyware. joke's on us, it did. a man in the middle attack compromised every device except, strangely, mine, all because i'd bullied google into deleting youtube.


the attack is not precluded by 2FA. 2FA arguably makes you more vulnerable, not less. the attack does not require social engineering. it does not require phishing, or keylogging passwords. in fact, it does not require passwords at all. that's why changing passwords doesn't kill it.


@securityblvd the google oauth vector is evidently not new. now that you know it exists, you can go read everything written about it in late 2023 and early 2024. this particular case intersects two known vulnerabilities: this one in google, and another in lg tvs. only one's still not patched.


@ITBrew @MorningBrew @cloudsek we hardly use the tv. nothing's ever been downloaded, nothing's ever been plugged in. it was, however, purchased on amazon. it's well known now that even when 'sold by' amazon dot com itself, goods are binned by sku, not seller; inventory is commingled with unvetted third parties.


the native youtube app on the lg tv seems real. indeed, it'd have to be; third-party oauth can't be parlayed into a gaia session. google's own app, however, is first-party oauth, notably with 2FA satisfied at issuance. this is then exfiltrated to the attacker.


@cloudsek @CSOonline oauth is designed to delegate access without passing user credentials. the attacker does not have your password. the attacker is not technically logging in. he has your active session, legitimately authenticated by 2FA, and he replays it.


tvs are what google calls a limited-input device; the form factor means people don't want to log in over and over again. youtube oauth keeps refreshing, until revocation. this is retarded. if you exfil someone's netflix or disney+ oauth, you don't get access to their entire life.
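The delegation the tweets above describe (a limited-input device gets a grant once, with the password and 2FA spent only at issuance; the grant is a credential separate from the password; it keeps refreshing until it is revoked), worked through as an added example that is not part of the thread: a toy OAuth 2.0 authorization server in Python implementing the device authorization grant (RFC 8628), refresh tokens and an RFC 7009-style revocation endpoint, with both the TV's messages and the server's responses. Everything in it is constructed (the server, the user `alice`, the client id `tv-youtube-app`, the verification URI). It models the specification's behaviour, not Google's implementation; whether a particular provider ties password changes to token invalidation is that provider's policy and is not claimed here.

```python
"""Toy OAuth 2.0 authorization server: device authorization grant (RFC 8628),
refresh tokens, RFC 7009-style revocation. Constructed illustration for this
thread; not Google's code and it talks to no real service."""
import secrets
import time

DEVICE_GRANT = "urn:ietf:params:oauth:grant-type:device_code"


class AuthServer:
    def __init__(self):
        self.users = {}           # username -> password
        self.device_codes = {}    # device_code -> pending request
        self.refresh_tokens = {}  # refresh_token -> {"user", "client_id", "revoked"}
        self.access_tokens = {}   # access_token -> {"refresh", "exp"}

    def register_user(self, user, password):
        self.users[user] = password

    def device_authorization(self, client_id, scope):
        """RFC 8628 s3.1-3.2: the TV asks for a device_code and a short user_code."""
        device_code = secrets.token_urlsafe(16)
        user_code = secrets.token_hex(4).upper()
        self.device_codes[device_code] = {"client_id": client_id, "scope": scope,
                                          "user_code": user_code, "user": None}
        return {"device_code": device_code, "user_code": user_code,
                "verification_uri": "https://auth.example.invalid/device"}  # assumed URI

    def approve(self, user_code, user, password, otp_ok):
        """RFC 8628 s3.3: the user logs in on another device (password + 2FA) and
        types the user_code. This is the only step where credentials appear."""
        if self.users.get(user) != password or not otp_ok:
            raise PermissionError("login failed")
        for rec in self.device_codes.values():
            if rec["user_code"] == user_code:
                rec["user"] = user
                return
        raise KeyError("unknown user_code")

    def token(self, grant_type, **params):
        """Token endpoint: device-code polling (s3.4-3.5) and refresh."""
        if grant_type == DEVICE_GRANT:
            rec = self.device_codes.get(params["device_code"])
            if rec is None:
                return {"error": "invalid_grant"}
            if rec["user"] is None:
                return {"error": "authorization_pending"}
            refresh = secrets.token_urlsafe(24)
            self.refresh_tokens[refresh] = {"user": rec["user"],
                                            "client_id": rec["client_id"], "revoked": False}
            del self.device_codes[params["device_code"]]
            return self._issue_access(refresh)
        if grant_type == "refresh_token":
            meta = self.refresh_tokens.get(params["refresh_token"])
            if meta is None or meta["revoked"]:
                return {"error": "invalid_grant"}
            return self._issue_access(params["refresh_token"])
        return {"error": "unsupported_grant_type"}

    def _issue_access(self, refresh, ttl=3600):
        access = secrets.token_urlsafe(24)
        self.access_tokens[access] = {"refresh": refresh, "exp": time.time() + ttl}
        return {"access_token": access, "refresh_token": refresh,
                "expires_in": ttl, "token_type": "Bearer"}

    def resource(self, access_token):
        """Protected resource: the owning user, or None if the token is dead."""
        meta = self.access_tokens.get(access_token)
        if meta is None or meta["exp"] < time.time():
            return None
        grant = self.refresh_tokens[meta["refresh"]]
        return None if grant["revoked"] else grant["user"]

    def change_password(self, user, new_password):
        """Tokens are their own credentials; a password change does not touch them."""
        self.users[user] = new_password

    def revoke(self, token):
        """RFC 7009-style revocation: kills the refresh grant and all access minted from it."""
        refresh = token if token in self.refresh_tokens else \
            self.access_tokens.get(token, {}).get("refresh")
        if refresh in self.refresh_tokens:
            self.refresh_tokens[refresh]["revoked"] = True


def scenario():
    """TV enrols, token material is copied off the TV, password changes do nothing,
    revocation does. Returns what the attacker can reach at each step."""
    srv = AuthServer()
    srv.register_user("alice", "correct horse")       # constructed user
    out = {}
    dev = srv.device_authorization(client_id="tv-youtube-app", scope="youtube")
    out["poll_before_approval"] = srv.token(DEVICE_GRANT, device_code=dev["device_code"])["error"]
    srv.approve(dev["user_code"], "alice", "correct horse", otp_ok=True)
    tok = srv.token(DEVICE_GRANT, device_code=dev["device_code"])
    stolen = dict(tok)                                 # attacker exfiltrates the token material
    out["attacker_first_use"] = srv.resource(stolen["access_token"])
    srv.change_password("alice", "new password")
    srv.access_tokens[stolen["access_token"]]["exp"] = 0   # let the access token's hour pass
    out["old_access_after_expiry"] = srv.resource(stolen["access_token"])
    refreshed = srv.token("refresh_token", refresh_token=stolen["refresh_token"])
    out["attacker_after_password_change"] = srv.resource(refreshed["access_token"])
    srv.revoke(stolen["refresh_token"])
    out["attacker_after_revoke"] = srv.resource(refreshed["access_token"])
    out["refresh_after_revoke"] = srv.token("refresh_token", refresh_token=stolen["refresh_token"])["error"]
    return out


if __name__ == "__main__":
    for step, value in scenario().items():
        print(f"{step}: {value}")
```

`scenario()` runs the whole exchange: the TV polls and gets `authorization_pending`, the user approves once with password and 2FA, and the issued token material is then usable from anywhere, survives a password change and a refresh, and dies only when the refresh token itself is revoked. The check that follows from this model is to enumerate and revoke the refresh grants on an account rather than rotate its password.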


@RockHudsonRock the exploit is so valuable, the hackers wouldn't even deploy it unencrypted, lest rivals steal their steal. i couldn't make up a better story if i'd tried.


@cloudsek alas, no risk is worth reducing minutes on youtube.


@RockHudsonRock people who know me would say i'm a bit disagreeable, and that may have spared me. once an attacker has your gaia session, the blast radius expands massively with any chrome instance. i've not used chrome since december 12, 2020, when this went viral on here for the first time.


likewise, i've never used google sso, not once. sso means third parties are also only one tap away. i wish openai did hardware keys. you can enable otp via authenticator; you cannot disable otp via email. it's a compromised loop: if your google is owned, your chat is owned too.


"but google does hardware keys." ok. even in the advanced protection program, google's self-professed strongest account security, they literally advertise the fact that hardware keys aren't ever invoked except at login.


google openly admits that modern attacks don't happen at login.


@TheVerge the call is coming from inside the house.


as a kid i was just as disagreeable. i first got gmail back when humans still worked there. i was livid when a youtube account spawned without explicit opt-in. i raised hell, until they hard deleted youtube as a service off the account.

i'd actually forgotten. in studying the logs, and starting to put it together that youtube was suspect, i checked my own settings and saw the deletion. of course, getting it hard deleted was all for naught: by even checking youtube settings, google automatically respawned it. gg.

if you're thinking how can you protect yourself, well, you can't. on the one hand, you've got strong authentication at login. but a login is a single event. after that, there's no 'authentication'; there's only a session, as proof you once authenticated.


@glueckkanja_ if you think about risk management from the standpoint of an online banking session, the set of suspicious actions is fairly small; it's pretty trivial to tell when there's a bad actor. however, the surface area for unusual activity in google suite is enormous.

in this sense, 2FA may inadvertently be the reason this oauth attack vector is so durable. risk scoring is a black box; that said, any login with 2FA is obviously considered hardened. a 'stronger' authenticated session is less likely to ever flag.


@glueckkanja_ among other actions, we changed one account's password 3x in ~5 mins. in activity logs, i can see the hacker back 12h, 24h, and 48h later. in this time frame our ip pings ~400 times; in the same span, the hacker's ip pings ~4,000. his session never even flags as active again.
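The kind of check the activity-log observations above call for, as an added example that is not from the thread: bind each session to the IP it was authenticated from, flag any activity arriving on that session from elsewhere, count events per IP, and count how many foreign events post-date the last password change. The log lines are constructed for this example in a JSON-lines shape with assumed field names (`session`, `ip`, `event`, `mfa`); a real activity export uses its own schema, so only the logic carries over. The IPs are RFC 5737 documentation addresses.

```python
"""Session-to-login-IP binding check over activity logs. Constructed example;
the log format and field names are assumptions, not a real provider's schema."""
import json
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample: one session used from the login IP and, hours later and on
# following days, from a second IP, with two password changes in between.
SAMPLE_LOG = """\
{"ts":"2025-10-01T09:00:00Z","session":"gaia-1","ip":"203.0.113.5","event":"login","mfa":true}
{"ts":"2025-10-01T09:05:00Z","session":"gaia-1","ip":"203.0.113.5","event":"mail.read"}
{"ts":"2025-10-01T21:00:00Z","session":"gaia-1","ip":"198.51.100.77","event":"mail.read"}
{"ts":"2025-10-01T21:00:30Z","session":"gaia-1","ip":"198.51.100.77","event":"mail.read"}
{"ts":"2025-10-02T09:10:00Z","session":"gaia-1","ip":"203.0.113.5","event":"password.change"}
{"ts":"2025-10-02T09:11:00Z","session":"gaia-1","ip":"203.0.113.5","event":"password.change"}
{"ts":"2025-10-02T21:00:00Z","session":"gaia-1","ip":"198.51.100.77","event":"drive.list"}
{"ts":"2025-10-03T21:00:00Z","session":"gaia-1","ip":"198.51.100.77","event":"drive.download"}
{"ts":"2025-10-01T10:00:00Z","session":"gaia-2","ip":"203.0.113.5","event":"login","mfa":true}
{"ts":"2025-10-01T10:30:00Z","session":"gaia-2","ip":"203.0.113.5","event":"mail.read"}
"""


def parse_ts(ts):
    # fromisoformat only accepts a trailing "Z" on newer Pythons; normalise it.
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def analyze(lines):
    """Group events by session, pin the session to its login IP and report
    activity on the same session from any other IP."""
    sessions = defaultdict(list)
    for line in lines:
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        rec["t"] = parse_ts(rec["ts"])
        sessions[rec["session"]].append(rec)

    report = {}
    for sid, events in sessions.items():
        events.sort(key=lambda r: r["t"])
        login = next((e for e in events if e["event"] == "login"), None)
        login_ip = login["ip"] if login else None
        by_ip = Counter(e["ip"] for e in events)
        foreign_ips = sorted(ip for ip in by_ip if ip != login_ip)
        pw_changes = [e["t"] for e in events if e["event"] == "password.change"]
        last_pw = max(pw_changes) if pw_changes else None
        # Foreign activity that continues after the last password change is the
        # signal that the credential being replayed is a session, not a password.
        foreign_after_pw = sum(1 for e in events
                               if e["ip"] != login_ip and last_pw and e["t"] > last_pw)
        report[sid] = {
            "login_ip": login_ip,
            "mfa_at_login": bool(login and login.get("mfa")),
            "events_by_ip": dict(by_ip),
            "foreign_ips": foreign_ips,
            "password_changes": len(pw_changes),
            "foreign_after_password_change": foreign_after_pw,
            "flagged": bool(foreign_ips),
        }
    return report


if __name__ == "__main__":
    for sid, r in analyze(SAMPLE_LOG.splitlines()).items():
        status = "FLAG" if r["flagged"] else "ok"
        print(f"{sid}: {status} login_ip={r['login_ip']} mfa={r['mfa_at_login']} "
              f"events_by_ip={r['events_by_ip']} foreign_after_pw={r['foreign_after_password_change']}")
```

The session here is flagged on the first foreign event regardless of how "hardened" the login was; the MFA flag is reported but deliberately not used to suppress the alert, which is the opposite of the scoring behaviour the thread describes.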

tldr: you cannot revoke google's own gaia, at least not on non-workspace accounts. 'sign out all sessions' was as close as you could get, and it ceased to exist around 2020. currently, you can only end each session one by one. but even if you end all, i can confirm access persists.


@CyberArk malware's customer support far exceeds google's.


@glueckkanja_ "hello! how can we help you?" "hi, yes, i'd like to do crime"


i am weirdly grateful for the front row seat. i feel more camaraderie with the hacker than with whoever designs some of these systems.

i will not be telling you things you can do to feel safe on google. i'm not sure you should feel safe on google.

north korea's nuclear program thanks us all for our service.


@melissa How did your session token get exfiltrated? Insecure / malicious TV software or something?

@melissa I guess we can buy from Best Buy and be more secure?

@garybasin forthcoming

@melissa another awesome book review. tnx

@dan_ddyo writes itself really

@melissa dumb question but what about something similar to code signing for oauth use? would get a lot of coverage from a simple automate/escalate

@melissa You connected your TV to the internet?

@melissa The question is, how can I man-in-the-middle my own account so that my sessions stop expiring?

@melissa @anabology “Hard to believe”
