A US man, Matthew A. Buchanan, has admitted that he and his accomplices jimmied open YouTube accounts via Google’s password-reset recovery process and then set the YouTube channels up with AdSense to milk them of at least $55,897 (£33,891).
Court papers filed on Thursday detailed how, over the course of squeezing YouTube for AdSense profits, Buchanan and his conspirators also came across a vulnerability that gave them access to AOL employee’s email accounts, right up to the inbox of the AOL CEO himself.
According to the Washington Post, Buchanan told a federal judge in Alexandria, Virginia that he had modest formal education – he holds only an associate’s degree in general studies from Montgomery College – and the only professional experience he could recall was working at a grocery store when he was 16.
None of that stopped Buchanan from cooking up two ways to weasel accounts from their rightful owners.
Starting around June 2012 up until 11 September 2013, Buchanan and his accomplices, including John T. Hoang Jr., used these two methods to take over Google accounts:
- They wrote a script that searched YouTube and returned publicly available account names associated with popular videos that hadn’t been monetized with AdSense. The script identified 200,000 of these accounts. They then submitted bogus password resets on the account names, exploiting a flaw that revealed a Google account holder’s primary email address during the password reset process. After finding the primary email address, the conspirators then got at victims’ accounts by guessing their security question answers or by using password-cracking software.
- The second method involved exploiting secondary email addresses. Some Google users had concocted what they thought were nonexistent email accounts during the Google account registration process because they couldn’t be bothered to open a genuine secondary account. While some of those email accounts were truly nonexistent, some of the accounts in fact were controlled by Buchanan, including firstname.lastname@example.org, email@example.com, firstname.lastname@example.org, email@example.com and firstname.lastname@example.org. The conspirators submitted bogus password resets on the primary email address, and then they picked up the temporary passwords that were delivered to the secondary email addresses under their control.
Taking over a Google account gets somebody access to all the G-goodies, including the Google-owned services YouTube, AdSense and, of course, Gmail.
So after they’d hijacked the Google accounts, Buchanan and his buddies linked the YouTube channels to AdSense accounts under their control.
The advertising revenue then skipped over victims’ pockets, flowing into the crooks’ AdSense accounts before being transferred into their personal bank accounts.
Buchanan and his accomplices dazzled themselves with the brilliance of the scheme.
Excerpts from a few of their awe-struck online chat conversations:
On or about 4 November 2012, Buchanan to Hoang: just imagine if we get away with hacking nonstop for the next year[.] … we'll have so much money[.]
On or about 18 November 2012, Hoang to Buchanan: like had we not started [this] project i'd of probably had to get a job[.]
Buchanan, on 14 November 2012, also sent instructions to Hoang on how to lock the door after shutting out the victimized Google users:
when u take the google account[,] put 2 step verification on them[.] that way the owner cant get the back for 5 days[.] … when u go into these youtubes[,] ideally youd want to make a new google account[,] and then move the yt to the new account[,] that way the owner cant recover it[.] … if I dont go to jail this will be a good night for us 🙂
You are so right, Mr. Buchanan: if you don’t go to jail, that will be great for you!
Buchanan is, in fact, looking at a possible five years in prison at his 28 March sentencing.
The story should make us all stop and wonder at how easy it would be for our Google accounts to get taken over and for us to get locked out of getting them back.
Not that Google’s the only one to suffer from password reset vulnerabilities, mind you.
In June 2013, Facebook fixed a password-reset problem that could have let an attacker manipulate the way that Facebook handles updates to mobile phones via SMS.
In November 2012, a serious security problem was uncovered in Skype that allowed hackers to hijack accounts just by knowing users’ email addresses.
In April 2012, Microsoft fixed a serious password-reset vulnerability in Hotmail that involved using a Firefox add-on called Tamper Data to bypass the normal protections put in place to protect Hotmail accounts.
The flaw let hackers reset account passwords, locking out real owners and giving attackers access to users’ inboxes.
How should we protect our accounts from getting hijacked?
A first step is to make sure that our secondary email accounts are real, and that they’re under our control. These things are free, and they’re easy to set up, so there’s no good reason not to create one.
As for Buchanan’s advice about two-step verification, he was spot-on technically, though of course we’d all rather do the locking-others-out thing to our own accounts, rather than be the ones who are locked out.
Two-step verification, also known as two-factor authentication (2FA), is an authentication process where two of three recognized factors are used to identify a user:
- Something you know – usually a password, passcode, passphrase or PIN.
- Something you have – a cryptographic smartcard or token, a chip enabled bank card or an RSA SecurID-style token with rotating digits.
- Something you are – fingerprints, iris patterns, voice prints, or similar.
As Paul Ducklin noted back in April 2013 when WordPress boosted security with 2FA, Naked Security itself is hosted by WordPress VIP, and we’re now using Google Authenticator for 2FA to generate one-time login codes on iOS, Android or BlackBerry devices.
It’s easy. Hell, if I can use it, it has to be.
It pops up a code on your smartphone, and that in turn keeps the bad guys from getting into your business if they get their hands on your password.
Take that, YouTube pirates!