Hello all
Today I’m going to write about an intriguing vulnerability that I found with my friend Ibrahim M. El-Sayed on YouTube. The vulnerability allowed us to duplicate/copy any comment from any video on YouTube onto our own video, without any user interaction.
Imagine, for instance, a celebrity or public figure leaving a comment on some video on YouTube saying “Wow, this is an amazing video”. You then come along, exploit that vulnerability, and quite simply make this comment appear on your own video.
The vulnerability also allowed us to copy the comments on channels – AKA “discussion boards” – from any YouTube channel and make them appear as comments on our video or on our own channel’s discussion board.
It is worth noting that a big segment of user engagement on YouTube is manifested through user comments on videos and on discussion boards. Theoretically, if you manage to find a good number of comments by a certain user, you can use them to impersonate that user. Thus, being able to copy engagement opens the door to impersonating users.
So how did we find the vulnerability?
Well, we wanted to think a little outside the box and find something on YouTube that not many bug hunters had tested, so we decided to test the comment review feature. Usually, comments get posted to the uploaded video immediately, but the channel owner can change this in the settings so that comments are held for review before they get posted. We thought that not many researchers had tested that feature, since it is not the default option.
If you enable this option, your settings will then show an option to approve or remove comments. We hoped to find a flaw in the functionality of that approval setting and, luckily, we did!
What was the vulnerability and how does it work?
If someone posts a comment on your video after you’ve enabled the “hold comments for review” option, you will find the comment listed in a new tab on https://www.youtube.com/comments.
By pressing the approve button ✔ and intercepting the HTTP request, you will see:
POST /comment_ajax?action_approve=1 HTTP/1.1
Host: www.youtube.com
Connection: keep-alive
Content-Length: 346
X-YouTube-Page-CL: 91004291
Origin: https://www.youtube.com
X-YouTube-Page-Timestamp: Mon Apr 13 11:05:13 2015 (1428948313)
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.118 Safari/537.36
X-YouTube-Variants-Checksum: 44615475844a61a0815f3a5c63bf5598
Content-Type: application/x-www-form-urlencoded
Accept: */*
X-Client-Data: CIm2yQEIo7bJAQiptskBCIqSygEIspXKAQ==
Referer: https://www.youtube.com/comments?filter=all&highlights=False&tab=moderate
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.8
Cookie: [Your Cookies Here]
comment_id=z13weljbzumagnr2u22yubxh5xvxjddlm&video_id=CPzDx1vlb8s&session_token=[Session Token Here]
You can clearly see the comment_id and video_id in the POST parameters. If you change the video_id to the id of any other video, you get an error. Yet if you keep the video_id untouched and change only the comment_id to the id of any comment on any YouTube video, the request is accepted and that comment is copied onto your video.
The original comment on the original video doesn’t get removed, and the author of the comment is not notified that their comment has been copied onto another video.
Finally, here is a video demonstration of the vulnerability.
As usual, the Google security team fixed the bug in almost no time.
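To make the root cause concrete, here is an added example (not YouTube’s code) that models the approve handler described above: the caller’s ownership of video_id is checked, but the vulnerable version never checks that comment_id actually belongs to that video. All names, ids and the in-memory data are constructed for illustration.

```python
from urllib.parse import parse_qs

# Constructed sample data: video_id -> owning channel, and pending comments.
VIDEOS = {"vidA": "channel1", "vidB": "channel2"}
COMMENTS = {
    "c1": {"video_id": "vidA", "status": "pending", "text": "Nice upload"},
    "c2": {"video_id": "vidB", "status": "pending", "text": "Wow, amazing video"},
}


class Forbidden(Exception):
    """Raised when an approve request fails authorization."""


def approve_vulnerable(caller, video_id, comment_id):
    """Checks only that the caller owns video_id, then trusts comment_id.

    Because the comment's own video is never compared with video_id, a comment
    posted on someone else's video is re-parented onto the caller's video.
    """
    if VIDEOS.get(video_id) != caller:
        raise Forbidden("caller does not own this video")
    comment = COMMENTS[comment_id]
    # The flaw: no check that comment["video_id"] == video_id.
    return dict(comment, status="approved", video_id=video_id)


def approve_fixed(caller, video_id, comment_id):
    """Binds the comment to the video it was posted on before approving it."""
    if VIDEOS.get(video_id) != caller:
        raise Forbidden("caller does not own this video")
    comment = COMMENTS.get(comment_id)
    if comment is None or comment["video_id"] != video_id:
        raise Forbidden("comment does not belong to this video")
    if comment["status"] != "pending":
        raise Forbidden("comment is not awaiting review")
    return dict(comment, status="approved")


def handle_approve(caller, body, approve=approve_fixed):
    """Parses a form body like the one in the captured request and dispatches."""
    params = parse_qs(body)
    return approve(caller, params["video_id"][0], params["comment_id"][0])


def is_forbidden(fn, *args):
    """Helper for checks: True if fn(*args) raises Forbidden."""
    try:
        fn(*args)
        return False
    except Forbidden:
        return True
```

With the vulnerable handler, a body of `comment_id=c2&video_id=vidA&session_token=...` moves channel2’s comment onto vidA; the fixed handler rejects it.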
Timeline
March 25th 2015: Bug Submission
March 26th 2015: Confirmation Received
March 31st 2015: Fix
March 31st 2015: Reward Payment
Hmm. Tricky, so wouldn’t you mind if the public were notified of how much Google paid for this specific bug, sir?
Thanks! Google decided to pay the 3l33t reward for the vulnerability, which was $3133.7
Congrats!
Nice one. How much does Google pay for functionality abuse?
Google usually pays $5k for insecure direct object bugs in YouTube, but they decided to reduce it a bit and paid $3133.7 for this bug.
What a great write-up and a great finding! Thanks for sharing.
Thanks Yassine
That’s an awesome security vuln, bro
Keep On =))
Thanks bro
Google Bug Bounty:
http://www.google.com/about/appsecurity/reward-program/
Could you have deleted the comments if you wanted to?
We tried to do that, but unfortunately it only removed the comment from our video and didn’t remove it from the original one.
Nice job! What tool do you use for intercepting HTTP requests? Would it be Charles?
Thanks!
Thanks Maxence, no, the tool was Burp Suite: http://portswigger.net/burp/
Nice write up.
I think I read, a couple of weeks ago, at least one comment on a video where the user replied to his/her own comment saying that he/she had never commented on that video before. Maybe people were already abusing this vulnerability, or maybe that user was making a joke!
I will post the YouTube link if I can find it again.
Nice find!
Thanks Mazin
Awesome tips. Can I test it now?
Test what? The bug was fixed by Google and it won’t work now.
It’s great, congrats!!
Thanks for sharing.
Now waiting for your next report.
Thanks Vatsal, keep your eyes on the blog, I will share another vuln in YouTube soon.
Well done, boss!
First comment in Arabic
Thanks, Bassem
Mashallah, well done to you all
The true meaning of the word “cleverness”
By the way, the Arabs are following you and I’m one of them, but it seems things are on silent mode hahahaha
Awesome catch… the write-up is awesome (easy to understand)