Today, I’m going to write about an intriguing vulnerability that my friend Ibrahim M. El-Sayed and I found in YouTube. The vulnerability allowed us to copy any comment from any video on YouTube onto our own video, without any user interaction.
Imagine, for instance, a celebrity or public figure leaving a comment on some video on YouTube saying “Wow, This is an Amazing Video“. You then come along, exploit this vulnerability, and quite simply make that comment appear on your own video.
The vulnerability also allowed us to copy comments posted on channels (the “discussion board” of any YouTube channel) and make them appear as comments on our video or on our own channel’s discussion board.
It is worth noting that a big segment of user engagement on YouTube takes the form of comments on videos and on discussion boards. In theory, if you collect a good number of comments by a particular user, you can use them to impersonate that user; being able to copy engagement therefore opens the door to impersonation.
So how did we find the vulnerability?
Well, we wanted to think a little outside the box and find something in YouTube that not many bug hunters had tested, so we decided to look at the comment review feature. Usually comments are posted to a video immediately, but the channel owner can change the settings to hold comments for review before they are published. We figured that not many researchers had tested that feature, since it is not the default option.
If you enable this option, your comments page shows an option to approve or remove each held comment. We hoped to find a flaw in that approval functionality, and luckily we did!
What was the vulnerability and how does it work?
If someone posts a comment on your video after you have enabled the “hold comments for review” option, you will find the comment listed in a new tab on https://www.youtube.com/comments, as shown here:
Pressing the approve button ✔ and intercepting the HTTP request shows:
POST /comment_ajax?action_approve=1 HTTP/1.1
X-YouTube-Page-Timestamp: Mon Apr 13 11:05:13 2015 (1428948313)
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.118 Safari/537.36
Accept-Encoding: gzip, deflate
Cookie: [Your Cookies Here]
comment_id=z13weljbzumagnr2u22yubxh5xvxjddlm&video_id=CPzDx1vlb8s&session_token=[Session Token Here]
You can clearly see the comment_id and video_id in the POST parameters. If you change video_id to any other video’s id, you get an error: the server checks that the video belongs to you. But if you keep video_id untouched and change only comment_id to the id of any comment on any YouTube video, the request is accepted and that comment is copied onto your video. In other words, the server authorised the video but never checked that the comment being approved actually belonged to that video, a classic insecure direct object reference on the comment_id parameter.
The original comment on the original video is not removed, and the comment’s author is not notified that it has been copied onto another video.
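To make the missing check concrete, here is a small model of the approve endpoint written for this post as an added example; it is not YouTube’s code, and the victim video, the celebrity comment and the store layout are constructed for illustration (the attacker-side video id and comment id are the ones from the captured request above). approve_vulnerable authorises only the video, which is why changing video_id fails while changing comment_id succeeds; approve_fixed also requires that the comment belongs to that video and is actually pending review.

```python
from copy import deepcopy

# Constructed sample data, not real YouTube records.
SAMPLE_STORE = {
    "videos": {
        # the attacker's own video from the captured request
        "CPzDx1vlb8s": {"owner": "attacker", "comments": []},
        # hypothetical victim video carrying a published celebrity comment
        "victimVideo1": {"owner": "victim", "comments": ["c_celebrity_1"]},
    },
    "comments": {
        # the held comment from the captured request, on the attacker's video
        "z13weljbzumagnr2u22yubxh5xvxjddlm": {
            "video_id": "CPzDx1vlb8s", "author": "someone",
            "text": "first!", "status": "held",
        },
        # hypothetical comment on the victim's video
        "c_celebrity_1": {
            "video_id": "victimVideo1", "author": "celebrity",
            "text": "Wow, This is an Amazing Video", "status": "published",
        },
    },
}


def fresh_store():
    """Return a private copy of the sample data so each call starts clean."""
    return deepcopy(SAMPLE_STORE)


def approve_vulnerable(store, session_user, comment_id, video_id):
    """Models the behaviour described in the post: only video_id is authorised."""
    video = store["videos"].get(video_id)
    if video is None or video["owner"] != session_user:
        return 403, "not your video"        # why tampering with video_id fails
    comment = store["comments"].get(comment_id)
    if comment is None:
        return 404, "no such comment"
    # Missing check: nothing ties comment_id to video_id. A comment from any
    # other video is simply attached to the caller's video; the original stays.
    if comment_id not in video["comments"]:
        video["comments"].append(comment_id)
    comment["status"] = "published"
    return 200, "approved"


def approve_fixed(store, session_user, comment_id, video_id):
    """Same endpoint with the object-level authorisation the original lacked."""
    video = store["videos"].get(video_id)
    if video is None or video["owner"] != session_user:
        return 403, "not your video"
    comment = store["comments"].get(comment_id)
    if comment is None:
        return 404, "no such comment"
    # The comment must belong to the video the caller is authorised for ...
    if comment["video_id"] != video_id:
        return 403, "comment does not belong to this video"
    # ... and must actually be waiting for review.
    if comment["status"] != "held":
        return 409, "comment is not pending review"
    if comment_id not in video["comments"]:
        video["comments"].append(comment_id)
    comment["status"] = "published"
    return 200, "approved"


if __name__ == "__main__":
    s = fresh_store()
    print(approve_vulnerable(s, "attacker", "c_celebrity_1", "CPzDx1vlb8s"))
    print(s["videos"]["CPzDx1vlb8s"]["comments"])   # celebrity comment now here too
    print(approve_fixed(fresh_store(), "attacker", "c_celebrity_1", "CPzDx1vlb8s"))
```

The general lesson is that authorising the parent object (the video) is not enough; every id the client supplies has to be checked against the object the caller is actually allowed to act on, here by binding comment_id to video_id server-side rather than trusting the pair the browser sent.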
Finally, here is a video demonstration of the vulnerability:
As usual, the Google security team fixed the bug in almost no time.
March 25th 2015: Bug Submission
March 26th 2015: Confirmation Received
March 31st 2015: Fix
March 31st 2015: Reward Payment