Green lock icon by Karol Szapsza

Update: It turns out the mysterious iOS device was due to the fact I was using purple-hangouts to connect to Google’s chat service. Since it uses undocumented APIs, it must identify itself as an iOS device. When I revoke the iOS device, my chat client disconnects and I am required to re-authenticate. I’m guessing the YouTube plays problem stem from a current issue about paused videos randomly starting in background tabs which I have experienced.

The other day I was searching through my YouTube history and discovered a ton of garbage pop music videos that I’ve never viewed. I always turn auto-play off, so the presence of these videos in my history was puzzling. I immediately checked my Google account history to look for unauthorized access. Within the list was an iOS device. I haven’t owned any Apple productions since my MacBook was stolen two years ago, so I immediately revoked access to that account and changed my password.

Crappy pop music in my YouTube history that I've never played
Crappy pop music in my YouTube history that I've never played

I use a secure password algorthym and my Google password isn’t used for any other sites. It’s not written down anywhere or stored digitally on any of my systems. Could I have inadvertently entered it into a phishing site without realizing it? Another thing that is puzzling stems from a security mechanism Google has that e-mails users whenever they add a device. I verified that I have received an e-mail every time I’ve re-flashed or added a new device to my Google account for at least the past year:

E-mail Google notifications for account changes
E-mail Google notifications for account changes

Yet there is no e-mail for this mysterious iOS device. There isn’t even a suspicious login attempt e-mail. I currently don’t have two factor authentication, but I’m curious if this device would have still been connected if two factor was enabled.

An unknown iOS device
An unknown iOS device

I haven’t yet re-authorized any of my Android devices. Although one is on the latest Cyanogen, the other has a locked boot loader and is dependent on the few and far between updates from the manufacturer. Because Android has no real package management and its system data is stored on a read-only system partition, security updates require considerably more work than on other operating systems and manufactures are known to leave unpatched versions of glibc, openssl and the built-in web browser in the wild for months, if not forever.

There is a possibility one of my Android devices could have been compromised, but that should have only given an attacker access to that device’s security token, not the ability to add new devices, and certainly not the ability to add devices without a notification e-mail.

Although a paid Google Apps for Business subscription would potentially give me a full audit history to see the potential damage, a free personal Google account does not. My location history, device information history and voice/audio activity logging have all been disabled in Google’s account management. The mysterious You Tube videos, over 70 of them, start May 4th at 12:30pm and ending at 5:57pm. (No timezone information is given). There is nothing unexpected in my Google Search history for that time period and nothing odd on my Google payment history.

I know what you’re thinking. I had auto-play enabled, someone sent me a link for a garbage shitty pop song and I started listening and walked away from my laptop. That would make the most sense, and I’d be willing to entertain the idea if it wasn’t for the fact that I didn’t recognize the first mysterious video, auto-play is disabled on my account and that I had a mysterious iOS device authorized.

I do run my own e-mail server, so it is possible my password was compromised and I simply missed the new device e-mails. I find this unlikely since my e-mail server has significantly lower false positives for spam than G-mail’s. The lack of an e-mail for the iOS device is what disturbs me the most. It raises my suspicions that this particular attack may have been accomplished using a vulnerability within Google’s architecture and not directly on my account credentials.

If this was an attack, the results seem odd. A Gmail account wasn’t added (I currently do not have a Gmail account associated with my Google account), no payments were made and I haven’t found any other noticeable signs of activity. So why would an attacker use my account to simply play YouTube videos?

These were all monetized music videos with literally millions of views. Access to real accounts (versus accounts created just for spam) could allow an attacker to generate revenue off those videos while avoiding Google’s detection system for view generating robots. The content creators may not even be aware that hacked accounts are being used to inflate their revenues. They may simply have a contract with a marketing company that promises video impressions, which accomplishes it via exploited accounts.

Whatever the situation may be, it’s impossible to find out for sure. Google’s account management interface lets me see when a device last accessed my account, but doesn’t show me when that device was added or give me an audit trail of what was done under a given connection. Unless I can report a specific vulnerability, the standard security and product forums simply direct users to remove untrusted devices and change their passwords.