Streaming unencrypted YouTube videos can infect your computer

Hackers use YouTube videos and Microsoft Live to install surveillance

Published Date
18 - Aug - 2014
| Last Updated
18 - Aug - 2014
Streaming unencrypted YouTube videos can infect your computer

A new report by Morgan Marquis-Boire says watching unencrypted YouTube videos and checking your Microsoft Live account can be used by hackers to infiltrate home computers.

According to a paper published by Morgan Marquis-Boire at the University of Toronto's Citizen Lab, spies can use unencrypted YouTube streams and Microsoft Live log-ins by intercepting traffic and use them to inject malware in your PC. Hackers can easily view your e-mails, bank accounts, IMs and sensitive personal information with the malware.

"It’s “hacking on easy mode,” explained a new report by Citizen Lab; “compromising a target becomes as simple as waiting for the user to view unencrypted content on the Internet.” Network injection “allows for the ‘tasking’ of a specific target. Rather than performing a manual operation, a target can be entered into the system which will wait for them to browse to an appropriate website and then perform the required injection of malicious code into their traffic stream.”

Marquis-Boire identifies two companies called 'Hacking Team' and 'FinFisher' that are known to sell law enforcement agencies "network-injection" technologies used for surveillance for around $1 million dollars. Hacking Team uses the traffic from YouTube and Microsoft's servers to install YouTube videos with surveillance software to track the target's activities online. The company works with governments like Morocco and the United Arab Emirates, but Marquis-Boire says similar technologies have been used by intelligence agencies in Britain, US, China, Russia and more.

HTTPS encryption used by Google and Microsoft are useful in preventing injection attacks. Internet giant Google is offering incentives to sites to switch over to encrypting, including better rankings in search results. Marquis-Boire says both Microsoft and Google "have taken steps to close the vulnerability by encrypting all targeted traffic." Also Read: Yahoo,Google team up to create spy-free email systems

Source: Intercept