Security researcher earns $6,000 bug bounty for thinking outside of the box
A security researcher earned a $6,000 bug bounty after uncovering a set of web security flaws that allowed attackers to play supposedly private YouTube videos.
David Schütz (@xdavidhu) reported the privacy weaknesses to YouTube’s parent company Google, which acted promptly to shore up security controls after verifying the issue last July.
This cleared the way for Schütz to produce a detailed technical write-up on the privacy-related issue, which he published on Monday (April 5).
Remote control
Schütz first started exploring the issue some years ago after noticing that the YouTube app on his Android phone gave him the option of playing private videos on a friend’s internet-connected smart television.
The researcher wasn’t signed into the TV at the time – a factor that later inspired Schütz to explore how the technology worked after he had joined Google’s Vulnerability Reward Program.
The YouTube for Android TV app is, as it transpired, actually a website rather than a complex Android application. Schütz discovered that the technology loads content in a WebView-like browser, called Cobalt.
After changing the User-Agent header on his PC-based browser to Cobalt, Schütz was able to get at the YouTube TV app and begin testing.
At the time, users were able to control a TV via the desktop YouTube site, even when they were on a different network. This feature has subsequently been removed from the user interface, according to Schütz.
After pairing an emulated smart TV with another browser running on a PC, Schütz discovered that he had the option of playing private YouTube videos on the television.
This setup allowed Schütz to observe the pairing process between a mobile device and a smart TV, allowing the researcher to uncover some interesting behavior in the process.
Going to the polls
After starting the pairing process, the TV switches into a ‘polling’ mode, which is quite a common thing at Google.
Instead of WebSockets, Google often uses these bind requests, which are basically HTTP requests that take very long if there are no new events but return immediately if there are some. And the TV calls this /bind endpoint over and over again.
Analyzing how this process worked allowed the researcher to determine that Google was using an extra video-specific token, called ‘ctt’, in order to allow a user to play private YouTube videos:
When the user requests to play a private video, the event the TV receives from the /bind endpoint includes an extra ctt parameter next to the videoId.
When playing the video, the TV then requests the raw video URL from the /get_video_info endpoint and includes the ctt token as a GET parameter named vtt (for some reason).
Without the ctt token, the TV can’t watch the private video.
This ctt token supposedly only gives permission to watch that specific video rather than any other private video.
After analyzing the process using Burp Suite, Schütz uncovered a web security flaw in this “remote control” technology involving a POST request to a /bind endpoint.
“Due to a missing CSRF [cross-site request forgery] protection in the YouTube Lounge API (an API for remote controlling YouTube TVs), a malicious website could control/send commands to YouTube TVs, in the name of the victim who visited the website,” Schütz told The Daily Swig.
Outside the box
Left unaddressed, the flaw offered a way for an attacker to view and/or steal videos marked as private on YouTube after only a minimal amount of social engineering trickery.
Schütz explained: “An attacker could have set up an evil TV, and using a malicious website, instruct the victim’s browser to play all of the victim’s YouTube videos on the attacker’s evil TV, thereby stealing all of the victim’s private and unlisted videos.”
In order to fix the flaw, Google made changes so that the /bind endpoint now requires an Authorization header with an OAuth Bearer token to be authenticated, according to Schütz.
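To illustrate why the fix works, here is an added example (not Google’s code or Schütz’s) that models the /bind handler before and after the change: the pre-fix handler trusts the session cookie that a browser attaches to any cross-site form post, while the post-fix handler requires an Authorization: Bearer header that a third-party page cannot set. The session store, token values and command name are constructed stand-ins.

```python
from dataclasses import dataclass, field

# Constructed stand-ins for the server's session-cookie and OAuth token stores.
SESSIONS = {"sid-victim-1234": "victim"}
OAUTH_TOKENS = {"oauth-token-constructed": "victim"}


@dataclass
class Request:
    """Minimal model of an HTTP request as the server sees it."""
    method: str
    cookies: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)


def bind_cookie_only(req: Request) -> dict:
    """Pre-fix shape: the command is authenticated by the session cookie alone.
    Browsers attach cookies to cross-site form posts, so a victim's visit to
    an attacker's page is indistinguishable from a first-party request."""
    user = SESSIONS.get(req.cookies.get("SID", ""))
    if req.method != "POST" or user is None:
        return {"status": 401}
    return {"status": 200, "user": user, "videoId": req.form.get("videoId")}


def bind_bearer_required(req: Request) -> dict:
    """Post-fix shape: the command must carry an OAuth Bearer token in the
    Authorization header, which only a first-party client can add."""
    scheme, _, token = req.headers.get("Authorization", "").partition(" ")
    user = OAUTH_TOKENS.get(token) if scheme == "Bearer" else None
    if req.method != "POST" or user is None:
        return {"status": 401}
    return {"status": 200, "user": user, "videoId": req.form.get("videoId")}


def cross_site_form_post(video_id: str) -> Request:
    """What reaches the server when a third-party page auto-submits a form:
    the victim's cookie rides along, but HTML forms cannot set custom headers."""
    return Request("POST", cookies={"SID": "sid-victim-1234"},
                   form={"cmd": "play", "videoId": video_id})  # cmd name constructed


def first_party_call(video_id: str) -> Request:
    """A legitimate client on the first-party origin holds the token and sends it."""
    return Request("POST", cookies={"SID": "sid-victim-1234"},
                   headers={"Authorization": "Bearer oauth-token-constructed"},
                   form={"cmd": "play", "videoId": video_id})
```

The same cross-site request is accepted by the cookie-only handler and rejected by the bearer-required one, which is the whole effect of the change Schütz describes.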
Before the flaw was resolved, an attacker could have stolen all private and unlisted videos from a victim (and even the contents of private playlists such as the ‘Watch Later’ list), simply by enticing them to open a malicious website.
All an attacker would have needed to do was trick a victim into clicking a link while signed into YouTube, according to Schütz.
The Daily Swig invited Google to comment on Schütz’s research. No word as yet, but we’ll update this story as and when more information comes to hand.