
Serious programming error found in YouTube

 ·  ☕ 3 min read  ·  ✍️ bozsikarmand

A few days ago security researchers disclosed a serious bug in YouTube, Google's video-streaming service. The important point is that by exploiting this programming error anyone could copy comments between any videos on the site without consequence. Below we show how the researchers found this tricky vulnerability.

YouTube, like other web services with a very large user base, is a popular testing ground for people who look for web security vulnerabilities. These researchers work in the hope of a bounty, of fame, or simply for the satisfaction of it; certainly many white-hat hackers look for security holes only to make online services safer. Curiosity led two Egyptian researchers to take a close look at the video-sharing site's comment function.

A few weeks ago Ibrahim El-Sayed and Ahmed Aboul-Ela set about analysing the comment handling system found under videos. Although they assumed that this part of the site was well-trodden ground from a security point of view, they went ahead with the analysis anyway.

As we now know, the effort was not wasted: they found an interesting vulnerability. It did not allow anyone to damage or seriously disrupt the system, but by exploiting this programming error anyone could have tampered with content generated by YouTube users, in a way that could easily have been automated.

How did they find the error?

The researchers configured their test account so that comments were not displayed automatically but only after approval. They then posted a comment on their own video and approved it. Throughout the experiment they monitored the requests between the client and the server with the freely available Burp Suite, and then manipulated two parameters of the approval request. First they changed the video identifier, but that only produced an error message, so this parameter was properly protected against tampering. Unfortunately the same cannot be said of the comment identifier.

When the researchers modified this identifier, the site's behaviour surprised them. It turned out that by swapping comment identifiers in the request they could link any comment on YouTube to their own video. In other words, the server verified that the requester owned the video but never checked that the submitted comment actually belonged to it, a classic insecure direct object reference. Moreover, the copied comments stayed intact in their original place, and nobody was notified of what had happened. Google patched the security hole quickly and paid the Egyptian researchers a reward of $3,133.70.
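The following Python model illustrates the approval request the researchers tampered with and the check that was missing. It is an added example, not YouTube's code: the in-memory store, the form-body request format, the user and identifier names, and the functions approve_comment_vulnerable, approve_comment_fixed and replay_attack are all hypothetical, chosen only to show why changing video_id failed while changing comment_id succeeded.

```python
"""Model of the comment-approval IDOR described in the article.

Added example, not YouTube's implementation. The store layout, the request
body format and every identifier below are hypothetical; only the shape of
the bug (video ownership checked, comment ownership not) follows the article.
"""
from dataclasses import dataclass, field
from urllib.parse import parse_qs


@dataclass
class Comment:
    comment_id: str
    video_id: str            # video the comment was actually posted under
    author: str
    text: str
    approved: bool = False


@dataclass
class Video:
    video_id: str
    owner: str
    shown: list = field(default_factory=list)   # approved comment ids displayed under the video


class PermissionDenied(Exception):
    pass


def make_store():
    """Constructed sample data: someone else's popular video with a glowing
    comment, and the attacker's own video set to hold comments for approval."""
    videos = {
        "popular": Video("popular", owner="bob"),
        "mine": Video("mine", owner="attacker"),
    }
    comments = {
        "c1": Comment("c1", "popular", "alice", "Best tutorial ever!"),
        "c2": Comment("c2", "mine", "attacker", "first"),
    }
    return {"videos": videos, "comments": comments}


def approve_comment_vulnerable(store, user, video_id, comment_id):
    """Behaviour the researchers observed: video_id is checked against the
    requester, but comment_id is trusted exactly as submitted."""
    video = store["videos"][video_id]
    if video.owner != user:
        raise PermissionDenied("video_id is not yours")   # this check existed
    comment = store["comments"][comment_id]                # no ownership check here
    comment.approved = True
    if comment_id not in video.shown:
        video.shown.append(comment_id)                     # a foreign comment now shows under our video
    return video.shown


def approve_comment_fixed(store, user, video_id, comment_id):
    """Hardened form: the comment must belong to the video being moderated."""
    video = store["videos"][video_id]
    if video.owner != user:
        raise PermissionDenied("video_id is not yours")
    comment = store["comments"].get(comment_id)
    if comment is None or comment.video_id != video_id:
        # A valid comment id that belongs to a different video is exactly the
        # IDOR probe, so deny it rather than treating it as "not found".
        raise PermissionDenied("comment_id does not belong to video_id")
    comment.approved = True
    if comment_id not in video.shown:
        video.shown.append(comment_id)
    return video.shown


def handle_approve(store, user, body, handler):
    """Stand-in for the endpoint: parse a form body as it appears in a proxy."""
    params = parse_qs(body, strict_parsing=True)
    return handler(store, user, params["video_id"][0], params["comment_id"][0])


def replay_attack(handler):
    """Replay the two tampered requests from the article against a handler."""
    store = make_store()
    results = {}
    # Request 1: change video_id to someone else's video (rejected either way).
    try:
        handle_approve(store, "attacker", "video_id=popular&comment_id=c2", handler)
        results["video_id_tamper"] = "accepted"
    except PermissionDenied:
        results["video_id_tamper"] = "rejected"
    # Request 2: keep our own video_id, swap in a comment id from the popular video.
    try:
        shown = handle_approve(store, "attacker", "video_id=mine&comment_id=c1", handler)
        results["comment_id_tamper"] = "accepted" if "c1" in shown else "rejected"
    except PermissionDenied:
        results["comment_id_tamper"] = "rejected"
    # The original comment stays in place either way, as the article notes.
    results["original_intact"] = store["comments"]["c1"].video_id == "popular"
    return results


if __name__ == "__main__":
    print("vulnerable:", replay_attack(approve_comment_vulnerable))
    print("fixed:     ", replay_attack(approve_comment_fixed))
```

Running the block replays both tampered requests: the vulnerable handler rejects the video_id change but accepts the comment_id change, while the fixed handler rejects both. The general lesson is that every object identifier in a request needs its own authorization check; verifying one of them does not cover the others.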

Still, the question is what kind of trouble the vulnerability could have caused had it come to light. For instance, anyone could have linked comments from popular videos to their own, suggesting that their own work had been rated by those users. Done with videos about products or services, this could easily have misled users.

Another revelation from last month

Kamil Hismatullin, another security researcher, began looking closely at YouTube not long ago. He started his research with the YouTube Creator Studio, where he primarily found XSS (cross-site scripting) and CSRF (cross-site request forgery) vulnerabilities. Meanwhile he made a fascinating discovery: with a simple URL manipulation he could delete arbitrary videos without any permission. Google patched this security hole out of cycle as well.

Source: Biztonság Portál


Written by Armand Bozsik (bozsikarmand)