Jan 24, 2021 21:00:00

Vulnerability in which playback history and private movies are leaked from YouTube's 'embedded player'

YouTube has the ability to output HTML tags that allow you to embed a player playing a YouTube movie on another website. The embedded player is a convenient existence that allows you to access playlists as well as play and stop movies. However, the discoverer,

David Schütz , said that such a YouTube embedded player was vulnerable to leaking 'playback history and private movies'.

bugs.xdavidhu.me --xdavidhu's bug bounty writeups.
https://bugs.xdavidhu.me/google/2021/01/18/the-embedded-youtube-player-told-me-what-you-were-watching-and-more/

Your YouTube account has a 'Playback' list, a 'See Later' list, a 'Favorites' list, and an 'Upload' list, but Schütz said the URLs for these lists were 'guessable'. I found that. For example, in the upload list that includes the uploaded movie, the first three characters of the channel ID part of the URL 'https://www.youtube.com/channel/channel ID' that displays the channel are 'UUB' or 'UUD'. It was possible to access by changing to.

If you weren't logged in to your account, you could only access 'published' movies for your upload list, so if you could only guess the URL of the list, there was no possibility of a private movie leak. However, Schütz also found that YouTube's 'embedded player' could create a logged-in state for the account of the person who played the player.

YouTube movies can be installed as embedded players in the website, and the installed players can be controlled by JavaScript using the

YouTube Player API . The YouTube Player API uses the postMessage method for cross-domain communication between 'YouTube' and the 'embedded website', and plays, stops, and lists movies such as the playVideo method, pauseVideo method, and getPlaylist method in the API. Operations such as movie acquisition are possible.

When Schütz was working on a YouTube hack, the YouTube Player API had a getVideoData method that could get information about the movies in the playlist. The VideoData object that can be obtained with the getVideoData method contained information such as the movie ID, creator, and title. In addition, if the person who played the player was logged in to YouTube, the embedded player would also be logged in, giving the embedded player full access to the account.

For this reason, if you set up a YouTube embedded player on your website and combine the YouTube Player API method with the guessed URL, you could access private movies.

This vulnerability was discovered in October 2019 and has been fixed at the time of writing the article. Schütz received $ 1337 from Google as a reward for the vulnerability, but 'I think now that the impact of the vulnerability was small,' he said at the time. Looking back on the amount of the reward, he said, 'The more you understand the system, the more ideas you can think of how to break it.'

Related Posts:

Jan 24, 2021 21:00:00 in Software, Web Service, Security, Posted by darkhorse_log