Episode: 3906
Title: HPR3906: The Oh No! News.
Source: https://hub.hackerpublicradio.org/ccdn.php?filename=/eps/hpr3906/hpr3906.mp3
Transcribed: 2025-10-25 07:48:46
---
This is Hacker Public Radio Episode 3906 from Monday the 24th of July 2023. Today's show is entitled The Oh No News. It is part of the series Privacy and Security. It is hosted by Some Guy on the Internet, and is about 29 minutes long. It carries a clean flag. The summary is, Scotty discusses the threat of convenience.

Hello and welcome to another episode of Hacker Public Radio. I'm your host, Some Guy on the Internet, and this is The Oh No News. Oh no! And if those said, the language of security. Today I want to discuss browser security with you, but to be more specific, the convenience that's built into our browsers, as well as other web-based technology. This convenience, at the levels for which we currently have it, is more of a threat than we realize. For example, you log in to one of your favorite websites like Reddit or wherever; you authenticate so that you may gain access to the content. These services like Reddit and others will create something known as a session ID or a session token, and store that token on your system for convenience. The convenience is the workaround in authentication. You will no longer have to authenticate on that site or service because of that session ID token. So in short, authenticate once, access many times afterward. This is very convenient because whenever you close your browser, you're done with this session, and then, you know, the next day or whatever you load up again, you will access that content again. And when you go to the site for that service, it automatically loads, and you can begin accessing the service immediately. Very convenient. However, the security is lessened by this convenience. The session IDs or session tokens are stored on your hard disk, and they leave you vulnerable if these ID tokens were to fall into the wrong hands.
An attacker could then gain access to your data on these services without authenticating, because the site recognizes that this token is a sign of pre-authentication. I want you to think about it like having to badge into a building. Once you've gone through the employment process and confirmed who you are, they issue you a badge. Now, that badge, that's your ID token, right? You can now walk around with that badge, wave it against the scanner on the door, it will unlock, and then you can walk forward. No one has to physically identify you over and over again. So if somebody steals that badge from you, they, for all intents and purposes, are you. They can now gain access to that facility and wherever else in the facility you once had access to. Now, there are supposed to be best practices put in place whenever issuing these session ID tokens (they're known as session IDs or session tokens, but I'm combining it to say session ID tokens). The service providers are supposed to do things like adding IP locks, so if you attempt to authenticate with this token from a separate IP, that could be a sign that something's wrong, and if you want to access this service, you would have to reauthenticate. There should also be timeouts: if you have not accessed the service in X amount of time, you would need to reauthenticate. There should also be limits to the service, such as if you wish to change the password or the email address or whatever is tied to the account, you would need to reauthenticate. Things like that need to be in place for these online services, but we often find in many cases they are not. There are examples of major YouTubers. Many of you have heard of Linus Media Group.
They have Linus Tech Tips, and they, as well as other major YouTubers, have had their livelihood hijacked, you know, their YouTube channels simply hijacked, because attackers sent over an email pretending to be sponsors willing to, you know, form some form of agreement. The agreement looks like a PDF file. Really it's an executable, but it's designed to look like a PDF file. It'll have the Adobe icon on it, and Windows has several different forms of executable, one being .com, and .scr, which stands for Screen Saver. It's actually an executable. It also takes an understanding of how the Windows file manager handles these things, depending on your view. If you're using the detailed view, you may catch it, but many people use the large icon view, which will sort of hide it. You can name a file contract.pdf.scr, and it'll hide the .scr and only show contract.pdf. So depending on the view that you're using, you know, it can abbreviate the file name, and most users will just see the Adobe icon, click on it, and it will run that dangerous executable, which in many cases will steal your session ID tokens. Now there are many different applications, not just a browser, that use these session ID tokens. Things like Discord, if you use Discord, and other chat applications use these session ID tokens, and so does Thunderbird. However, I will say this: Thunderbird does have what's called the primary password, which will, you know, encrypt your login session. So if someone does steal the session tokens, they will still be required to have the primary password in order to do anything with it. So there is some protection there from Thunderbird. Firefox is a different matter, though. They do have the session ID tokens on Firefox; however, you can just navigate around it and still gain access to the content.
You may not gain access to the actual data behind the session ID tokens, like passwords and things that are stored in Firefox, but you can still gain access to the content that Firefox has access to via the session ID tokens, even with the primary password. So that one is very, very sketchy. I don't know why, but it just does not work in a way that I imagine it should. Maybe I have a flawed understanding of how it's supposed to work. So one of the things that these guys do once they steal your session tokens, well, they try to... well, resetting the password through most sites will prompt for reauthentication, so they may not attempt that. However, depending on the service, it may not prompt you for reauthentication if you want to change the backup or recovery email address, or backup or recovery phone numbers, things of that nature. So those bits of information will be changed, meaning when you try to gain access to your account again, the person who's currently in there will kick you out, because a lot of these services allow you to view current sessions, and they'll just manually keep kicking you, or they can probably set up a script or something as well to only allow their session that's on and automatically kick any other session that tries to come online, making it difficult for the actual owner to regain control of their account. Because as they log on, it'll show a new session has gained access, you know, usually with the session ID tokens, or if you revoke the tokens beyond that device, they'll have to log in manually, which means it's much slower for them to try to get on board the service and gain control of their account again. They'll continuously be kicked out by the attacker. Now imagine that same thing happening to you, but with something more important, because, I mean, for most of us a YouTube channel, you could just make a new one, it's not even a big deal, right?
If YouTube is not your livelihood, it's no big deal that somebody took a YouTube channel from you; you don't care. However, Discord may be a little bit different. Even though Discord was never designed to be handling business secrets and such, it happens. It's very convenient, therefore people just use it, and they put far too much trust into this thing. So if those ID tokens are stolen, suddenly all of that data is now in the hands of the attacker. And you have to also think about this: your entire friends list, or your company list, whoever else you interact with using that data, they can now pretend to be you and request more data. They can also continue the attack onto all the other co-workers by sending them files that, you know, obviously they will open, and now they have more cookies, more session ID tokens, to continue the attack. So now you understand more about how this attack works and why it's so dangerous, and very annoying, because these companies are not interested in who you are as a person. They're interested in what data they can gain from you and then sell that data to advertisers. That's their money maker, right? You're the product, not the consumer. So they could care less that you, you know, lost your account and all this and that. I mean, usually that doesn't matter. So just make a new one, continue being the product. Now, for me personally, I have tested out different ways of using the Firefox web browser on both Linux and Windows. That's when I found out things like, with Firefox, even though you implement the primary password, this does not necessarily stop anyone from gaining access to the data. Because you still have those session tokens stored, and they will be used once you open a browser; you can simply click Cancel when it prompts you for a primary password, or just ignore it, and continue browsing, gaining access to all of the sites that have been pre-authenticated using those session tokens.
Thunderbird's a little bit different. It will fight you to gain access to the emails if you try to, you know, continue going forward without putting in the primary password. So it will be a little more aggressive in hindering you. I'm not a pen tester or anything, so I can't tell you about any techniques that are used to try and break through that any further. I don't know of any either, so, you know, this is just a regular user trying to find out whether or not he's safe. All right, back to my experiments with Firefox. I used the Firefox profile manager and created multiple different profiles, trying to separate things, hoping that the attacker would not attempt to take from all of the profiles, but usually they're all stored in one main directory. It would not be difficult for the script to be written to search through that one parent directory for all of the profiles in the sub-directories. So I figured that's a no-go; it's not going to really serve you to have a separate profile for this type of attack, mainly if you were to be phished through email or whatever else, some malicious attack that is designed to search your directory for the tokens. Sorry about that, let me put my phone on mute here. Okay, so the profile manager was not the way to go, but it was a nice little learning tool. People tried Multi-Account Containers, which is a very fun and valuable extension for Firefox. I've made the best effort to get away from extensions altogether, and I've talked about it numerous times, so I'll give a brief here. We really don't know who's writing the extensions, and it's not difficult for an attacker to clone a project, a deprecated extension that everybody likes, put it out there, maybe do it honestly for like a month or two, get a bunch of good reviews, then go black hat on you. You're dealing with code from multiple different repositories or developers, different update cycles, some may not be audited.
There may be different coding practices that are unsafe that are used in the extension. So you would have to basically take on a ton of risk when using all of these different extensions for that sweet, sweet convenience. And that convenience, ladies and gents, is like a drug. I switched my Firefox browser into private mode, meaning I deleted the browser from my system. It was installed as a deb (I'm using Pop!_OS), and then I installed the snap. Who is this guy using a snap? I went through the settings: you can go into Privacy and Security and change your browser so it's always in private mode. It will not remember any history, it will not cache any data, and, well, basically any data that gets cached is deleted whenever you end your browsing session. So every time you close the browser, it does a wipe. So I ran like that for a couple of months, just to see what the hardship would be like. Every single site that I use that requires authentication, I would have to manually authenticate every single time. And it wasn't that bad, honestly. The problem would be for things like my workflow. With the drug of convenience, I can open and close tabs on the fly, no problem, with all of these different services logged in, you know, pre-logged in. However, under the more secure setting that I was using, I would need to think about which sites I wanted to go to first, because once I close those tabs, I would have to reauthenticate. Not to mention cleaning out all of the cruft on the site itself, meaning when you log on to certain services and sites, they'll show you all of your login sessions. And they'll show you which sessions are currently logged in, which ones have been used in the past, blah, blah, blah. Well, you've got to clean that out after a while. Otherwise, you'll have like a million, you know, login sessions in there.
And if you do run into a problem, it'll be difficult to figure out which one is the bad one. So there are those things to consider whenever attempting this. So I had to build my workflow around it: you know, whenever a certain time of the month would come around where I needed to get all of my obligations together, I needed to pick a time out of the day to get that done first. That way, once that's out of the way, I can close my session to wipe all of the cookies and everything that's stored, then reload and go back into the entertainment side of things, you know, watching YouTube, going to Mastodon and Element and everything else, the more social side of things. Where the problem would come in, because I had no problem doing it this way, but where the problem will come in is if you have a significant other that likes to just show up and go, "Hey, could you go look at the account for blah, blah, blah?" And it's like, why don't you go get your computer and look at the account for blah, blah, blah? I've already done my portion here. I just want to relax now. And your significant other will be just sitting there right beside their laptop, on their phone, and like, "Now I don't feel like opening it. Could you do it? You're at your computer. Yours is bigger with all the monitors. Could you do it?" And that's where some of the problems will come in, dealing with outside factors. So then I have to shut down the browser again to wipe the session, load it back up, go into the account, look at the thing, click, make the significant other happy, then close the session again and then load back up, and so on. You get what I'm saying? It would be a problem, but only when dealing with the outside factors. So long as you can set up your workflow to where, okay, when I have to do this important thing, this highly secured thing, I can do that first, or I can save that for a certain time of the day to authenticate for that.
You're good to go, because I don't like to have things like, say, for instance, my bank authenticated at the same time I have something like Mastodon, or Element, and, you know, you get what I mean, or Reddit or anything like that. I want only one of those things up at a time. Now, I don't mind having Reddit and Mastodon and Element. I just don't want any of those with the more secure items. Now, using this setup, if I were to fall for an attack where the attacker would attempt to steal my session ID, well, if there were any on the system, they'd be very limited, just because during the time that the attack happened, if a browser session was open, they'd only have access to a certain type of information at that time, meaning there's a good chance I'm not going to have any of my banking or really personal private accounts, that kind of information, authenticated at that time. I'm going to manually clear that and close the browser before loading up for a social session. So if they do get any information, it'll be, you know, whatever social session was authenticated at that time. By the time I realize there's a problem, I can then begin trying to trace back, figuring out where the threat came in, and trying to recover my session from the attacker, or recover my account from the attacker. Now, another thing I noticed as well, when you're logging on to YouTube, and again, this is on the Firefox web browser, is the difference between Windows and Linux. On Linux, when I log on to YouTube, I use my YubiKey as well. So I have to do the username, password, and YubiKey. I'm using a YubiKey on Linux. After I authenticate with the YubiKey, there'll be this screen that shows a little checkbox that says, would you like to maintain the session, you know, basically store a session token? You know, remember this browser, whatever the terms they use. And I leave that unchecked, or I will manually uncheck it. I think it is pre-checked.
So you have to uncheck it, then click OK to go forward with the account. That's how Firefox behaves when authenticating on Google's YouTube in Linux. On Windows, it's different. The moment I put in that YubiKey and authenticate, it'll show that screen for the session ID token for like half a second and immediately jump right into YouTube. So you don't get time, because I take my YubiKey out of the PC. I don't leave it in there. I take it out, and as I'm withdrawing the YubiKey, I notice the screen shows up for like half a second and then, boom, it automatically takes you in. I don't know why it does this. But I can assume that it's for convenience. They just automatically go, OK, it'll be more convenient for you to have this token. So here you go, take the token. We are the Google and you will have the convenience. Take it now. I've been trying to do more research and learn about whether or not there are standards for this kind of thing. But it's hard. I don't know what terminology is used other than session tokens and ID tokens. And there's also the JSON Web Token. I don't know if companies are even required to have standards for how long these session IDs are supposed to last, or what restrictions to the service the token is allowed to cover. So, you know, just using YouTube as an example: maybe you can watch videos with it, but the moment you try to gain access to YouTube Studio, or anything with private information, or anything that would allow you to edit the YouTube channel in any way, you would need to reauthenticate. You know, there should be limitations to access with these tokens. And they should be like hard numbers encoded in the token, making clear this thing is only going to last... or the user should be given the option, right? I should be able to go into security settings, and if I chose to have the token, I should be able to set that this token, any of my tokens, only last for one week, two weeks, you know, whatever.
So at the end of this one week or two weeks, mandatory reauthentication, and all sessions must be removed. So even if someone does get that token and gains access to my account, they only have a week before I'm going to regain access. Because only I can reauthenticate, you know, I've got the two-factor and the credentials to get back in, whereas the attacker only has the token. I don't know who to propose this type of change to other than the companies themselves. And I've done this with certain companies, but I mean, mostly my bank. I've made tons of proposals to my bank. And, you know, they listen to me, but I've seen no changes. Do you have a degree? No? Well then, get out. They invite me to, um, I guess community sessions or whatever it is that they do. But the only thing they do at the community session is just talk to you about more crap that they want to, you know... You'd think that they want to hear from you at the session, but you get there, and all of a sudden they're talking about mortgage rates and all kinds of crap. It's like, I didn't come here for that. I came here to talk to you about why you're crap, so outdated and busted, you know. Why on earth are you still, in 2023, putting a limitation on the password? You know what I mean? I can't have a strong password on the banking site, but I can on the social media site. Why on earth? I can use a YubiKey on Facebook or Gmail, but I can't on my banking. You know what I mean? You get what I'm saying? Why is everything more secure than the bank? But there I go off on another tangent. So let me go ahead and end this now, before I end up somewhere else again. Be careful using your browser and any web-based technology, you know, this includes the apps that will allow you to authenticate and store session tokens. See what options they have for those tokens, and weigh whether or not the risk is worth it. I have gone back to using Firefox in private browsing mode.
I attempted that, you know, months ago, and then went back to using it the way that most people would use it, where it would store session ID tokens. And then I used the Multi-Account Container extension to help try and separate everything. That convenience that is provided through those tokens feels like a drug. That's how good it is. I'm telling you, when you step away from it for a couple of months, like cold turkey, don't use it, you get used to using that setup, to where you set up your workflow to where, okay, I know I'm going to have to immediately load up my KeePassXC, get the important stuff out of the way first, check my email and everything, make sure I've got it all out of the way, then close that session, erase all the data, and then begin my more social activities. Once you get that workflow down, it's not as painful as you think it is. It's actually really nice knowing you're secured. But then when you try that convenience again, oh my God, you're hooked. You're once again back in the corner, rocking back and forth in the fetal position. More, more, give it to me. I must have it, more. You have to have the convenience, you know. I'm telling you, it's like a drug. You have to have it. And the companies, they don't have any obligation to your security. So if anybody's going to care about your security, it better be you. I encourage all of you... you know, I don't recommend you living with the same settings that I live with. I do it because I want to feel safe. That, and I'm interested in knowing if I'm really safe with some of these things, right? Like, how practical is it to try some of these things out? So I go out and I test them out, but I encourage you to try this one: erase all your cookies. You don't have to use the snap version of Firefox like that. But I mean, of course, no judgment for using a snap. Just delete your browser and everything on it, reinstall it, set it up to where it's in private browsing mode. It's easy to do.
Let me talk you through it real quick while I pull up my browser. All right. So you click on the hamburger menu. You go over to Settings; on the left-hand side is going to be Privacy and Security. I have Strict set under Enhanced Tracking Protection. I have Always set for Do Not Track, you know, sending websites the Do Not Track signal; I have that selected as Always. Cookies and Site Data: I have the box down there checked for "Delete cookies and site data when Firefox is closed." But because I'm in private browsing mode, it's going to do that automatically. I still manually click the button that says Clear Data. It'll be on the right-hand side where it says your stored cookies, site data and cache. I still manually click that after I've done more private activities, banking and the such, because I want to make sure it's gone. I unchecked the stuff under Logins and Passwords where it asks to save your logins and passwords. And if you scroll down to where it shows History, if you click on that, you can put "Never remember history." And then there's the checkbox that says "Always use private browsing mode." I have that checked. So it will then switch Firefox; you have to reload Firefox after clicking that. And then it'll show that Firefox will be using custom settings for history. And again, once I've done my private banking and blah, blah, blah, I also click Clear History just to make sure it's gone. So I manually click Clear Data and Clear History to make sure it's all out of the way. Now, the Permissions down there, again, they have like Location, Camera, Microphone, Notifications, Autoplay and Virtual Reality in those settings. And when you click on them, there's a checkbox down there that says "Block new requests." I click that; I want no new requests for anything to come in. If you're in school, and depending on what your school uses, some schools will use Zoom and things like that.
So if you're using it in the browser, because on Linux a lot of these applications don't exist, you're going to have to use the browser. You may have to change that, if it even works in Firefox, because with some of them you'll have to use Chrome as well. I'm trying to remember. I think Teams is one of the ones you have to use Chrome with. I can't remember right off the top of my head. It's not about that, and this show is not about that. So I just wanted you to know how to test this out for yourself. See what life is like when you're sober, free of all of this convenience that they provide you. Give it a while. You know, you really need to sober up for, I'd say, give it about two weeks, setting up your workflow, getting comfortable manually authenticating every time, and just adjusting yourself to that workflow. And then go back to that convenience lifestyle. I'm telling you, it's going to hit you like you're taking a drug. All right. So this is the end of the show, folks. I've got some links down in the show notes. That way you can learn some more about these types of attacks and gain some information on these session IDs, you know, session tokens. Educate yourselves. But that's it for me. I'm out of here. See you guys in the next episode.

Thank you for listening to Hacker Public Radio. I'm Some Guy on the Internet, and this concludes The Oh No News. Oh no.

You have been listening to Hacker Public Radio at HackerPublicRadio.org. Today's show was contributed by an HPR listener like yourself. If you ever thought of recording a podcast, click on our contribute link to find out how easy it really is. Hosting for HPR has been kindly provided by AnHonestHost.com, the Internet Archive and rsync.net. Unless otherwise stated, today's show is released under a Creative Commons Attribution 4.0 International License.
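The contract.pdf.scr trick the host describes relies on the gap between what the file manager shows and what a double-click actually runs. The following is an added example written for this transcript, not code from the episode: it works out the extension Windows dispatches on, approximates what Explorer shows with "Hide extensions for known file types" on, and flags the mismatch. It goes one step beyond the episode by also handling the Unicode right-to-left override character (U+202E), which makes the tail of a name render backwards even when extensions are visible. The extension sets and the sample names are assumptions, and the display logic is an approximation of Explorer's behaviour, not Explorer's code.

```python
# Added example (not from the episode): detect filenames whose visible identity
# differs from what a double-click runs (contract.pdf.scr, RLO-spoofed names).
import unicodedata

# Extensions Windows runs as a program when double-clicked (assumed, non-exhaustive).
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "vbs", "js", "jse",
                   "wsf", "hta", "msi", "lnk", "ps1"}
# Document-looking extensions used as decoys (assumed, non-exhaustive).
DECOY_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx", "txt", "jpg", "png"}
RLO = "\u202e"   # RIGHT-TO-LEFT OVERRIDE


def true_extension(name: str) -> str:
    """The extension the shell dispatches on: text after the last dot."""
    base = name.rstrip(". ")          # Win32 drops trailing dots and spaces from names
    if "." not in base:
        return ""
    return base.rsplit(".", 1)[1].lower()


def explorer_display_name(name: str, hide_known_ext: bool = True) -> str:
    """Approximate what Explorer prints: known extension hidden, then bidi override applied."""
    shown = name
    if hide_known_ext and "." in name:
        stem, ext = name.rsplit(".", 1)
        if ext.lower() in EXECUTABLE_EXTS | DECOY_EXTS:   # treated as a "known file type"
            shown = stem
    if RLO in shown:
        i = shown.index(RLO)
        shown = shown[:i] + shown[i + 1:][::-1]   # everything after the override renders reversed
    return shown


def classify_filename(name: str) -> dict:
    """Flag names where what the user sees is not what a double-click executes."""
    reasons = []
    ext = true_extension(name)
    parts = name.rstrip(". ").split(".")
    is_exec = ext in EXECUTABLE_EXTS
    if any(unicodedata.category(c) == "Cf" for c in name):
        reasons.append("contains an invisible Unicode format/override character")
    if is_exec and len(parts) >= 3 and parts[-2].lower() in DECOY_EXTS:
        reasons.append(f"decoy .{parts[-2].lower()} in front of executable .{ext}")
    visible_ext = true_extension(explorer_display_name(name, hide_known_ext=False))
    if visible_ext != ext:
        reasons.append(f"renders as .{visible_ext} but runs as .{ext}")
    return {
        "true_ext": ext,
        "is_executable": is_exec,
        "shown_with_hidden_ext": explorer_display_name(name, hide_known_ext=True),
        "disguised": bool(reasons),
        "reasons": reasons,
    }


if __name__ == "__main__":
    # Constructed sample names, not real attachments.
    for sample in ("contract.pdf.scr", "report.pdf", "invoice\u202efdp.scr", "setup.exe"):
        print(repr(sample), classify_filename(sample))
```

A plain setup.exe is reported as executable but not disguised; the point of the check is the mismatch, which is what a mail gateway or endpoint rule should alert on.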
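The controls the host asks providers for (an IP lock, an idle timeout, reauthentication before changing the password or recovery contacts, and a user-chosen hard lifetime at the end of which "all sessions must be removed") are straightforward to enforce server-side. The following is an added example written for this transcript; it is not code from the episode or from YouTube, Discord, Reddit or any other service named in it. The thresholds, user and IP values, and the in-memory table are assumptions for illustration; a real deployment would keep the table in a database and call login() only after the password and second factor have been verified.

```python
# Added example (not from the episode or any named service): a minimal server-side
# session store enforcing idle timeout, absolute lifetime, IP binding, step-up
# reauthentication for sensitive actions, and "log out everywhere". Time is passed
# in explicitly so the policy can be exercised deterministically.
import hashlib
import secrets
from dataclasses import dataclass


class SessionError(Exception):
    """The presented token must not be honoured; the caller should reauthenticate."""


@dataclass
class Session:
    user: str
    ip: str
    issued_at: float   # when the token was minted (absolute-lifetime clock)
    last_seen: float   # last accepted use (idle-timeout clock)
    last_auth: float   # last time password + second factor were presented (step-up clock)


class SessionStore:
    def __init__(self, idle_timeout=30 * 60, max_lifetime=7 * 24 * 3600,
                 reauth_window=5 * 60, bind_ip=True):
        self.idle_timeout = idle_timeout
        self.max_lifetime = max_lifetime      # the "one week, two weeks" knob from the episode
        self.reauth_window = reauth_window    # how fresh a full login must be for sensitive actions
        self.bind_ip = bind_ip
        self._sessions: dict[str, Session] = {}   # keyed by a hash, never the raw token

    @staticmethod
    def _key(token: str) -> str:
        # Store only a hash so a dump of the table is not a bag of live tokens.
        return hashlib.sha256(token.encode()).hexdigest()

    def login(self, user: str, ip: str, now: float) -> str:
        """Call only after credentials + 2FA are verified. Returns the raw token for the client."""
        token = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG
        self._sessions[self._key(token)] = Session(user, ip, now, now, now)
        return token

    def validate(self, token: str, ip: str, now: float, sensitive: bool = False) -> str:
        """Accept a token for a request and return the user, or raise SessionError."""
        key = self._key(token)
        s = self._sessions.get(key)
        if s is None:
            raise SessionError("unknown or revoked token")
        if now - s.issued_at > self.max_lifetime:
            del self._sessions[key]          # hard expiry: a stolen token dies on its own
            raise SessionError("session lifetime exceeded, reauthenticate")
        if now - s.last_seen > self.idle_timeout:
            del self._sessions[key]
            raise SessionError("session idle too long, reauthenticate")
        if self.bind_ip and ip != s.ip:
            # Token replayed from another address: do not honour it, do not extend it.
            raise SessionError("token presented from a different IP, reauthenticate")
        if sensitive and now - s.last_auth > self.reauth_window:
            # Password, e-mail or recovery-contact changes need a recent full login.
            raise SessionError("step-up authentication required for this action")
        s.last_seen = now
        return s.user

    def step_up(self, token: str, now: float) -> None:
        """Record a fresh full authentication on an existing session (verified by the caller)."""
        self._sessions[self._key(token)].last_auth = now

    def sessions_for(self, user: str) -> list:
        """What the account owner's 'active sessions' page lists."""
        return [s for s in self._sessions.values() if s.user == user]

    def revoke_all(self, user: str) -> int:
        """'Log out everywhere': the owner's answer to an attacker camping on a stolen token."""
        doomed = [k for k, s in self._sessions.items() if s.user == user]
        for k in doomed:
            del self._sessions[k]
        return len(doomed)


def accepts(store: SessionStore, token: str, ip: str, now: float, sensitive: bool = False) -> bool:
    """True if the store honours the request, False if it demands reauthentication."""
    try:
        store.validate(token, ip, now, sensitive)
        return True
    except SessionError:
        return False
```

Note that the IP check refuses the request rather than silently issuing a fresh token, and that a sensitive action never refreshes last_auth on its own: only a verified password-plus-second-factor exchange does, which is exactly the thing a token thief cannot perform.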