Security researcher David Schütz has published a report detailing a YouTube vulnerability that exposed frames of private videos, at reduced resolution, to anyone who knew (or guessed) the video's identifier.
Schütz reported the issue to Google through its Vulnerability Rewards Program, and it has been fixed since January 2020. The details only became public a couple of days ago.
So, how did the researcher come across the YouTube vulnerability?
“Back in December 2019, a few months after I started hacking on Google VRP, I was looking at YouTube. I wanted to find a way to get access to a Private video which I did not own,” Schütz shared in his report.
He found the flaw in Moments, a Google Ads feature that lets advertisers mark a specific frame in any video. Marking a moment sent a POST request to a /GetThumbnails endpoint with the video ID in the request body, and the server answered with a base64-encoded thumbnail of that frame. Nothing checked whether the requester was allowed to view the video: making the same request with the ID of a private video still returned its thumbnail.
“Looking at the proxy logs, every time I ‘marked a moment’, a POST request was made to a /GetThumbnails endpoint, with a body which included a video ID,” he said. This is a textbook Insecure Direct Object Reference (IDOR): the endpoint treated a client-supplied object identifier as sufficient proof of access. By repeating the request with different timestamps, the researcher could pull individual frames of a private video and assemble them into something close to the original. His writeup also describes turning this into proof-of-concept code:
I wanted to make a proof of concept Python script which generates an actual, moving video. I searched for some calculations, and figured out that if the video is in 24 FPS, one frame stays on the screen for 33 milliseconds. So I just have to download every image starting from 0 milliseconds, incrementing by 33 milliseconds every time, and then construct some kind of video using all of the images I have acquired.
Using this method, Schütz downloaded the thumbnails for a sequence of frames:
I wrote a quick and dirty POC which downloaded the frames for the first 3 seconds of a video, decoded them, and then generated a GIF. To test it, I ran it against an old video of mine, which I had previously privated due to, of course, the high level of cringe.
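As an added illustration (not Schütz's code, and not the real Google Ads endpoint), the following Python models the two halves of the story: a toy /GetThumbnails handler that resolves a client-supplied video ID without any authorization check, the frame-stepping loop from the PoC that fetches one base64 thumbnail per frame offset, and the object-level check that closes the hole. The video IDs, owners, request shape and thumbnail bytes are all constructed stand-ins.

```python
import base64
from dataclasses import dataclass


@dataclass(frozen=True)
class Video:
    owner: str
    private: bool


class Forbidden(Exception):
    """Raised by the fixed endpoint when the requester may not see the video."""


# Constructed catalogue (not real YouTube IDs): one public video and one
# private video owned by somebody other than the attacker.
VIDEOS = {
    "pubvid00001": Video(owner="alice", private=False),
    "privvid0002": Video(owner="bob", private=True),
}


def _render_thumbnail(video_id: str, ms: int) -> bytes:
    """Stand-in for server-side frame extraction: deterministic fake JPEG bytes
    (SOI marker, a label, EOI marker) so each (video, offset) pair is distinct."""
    return b"\xff\xd8" + f"{video_id}@{ms}".encode() + b"\xff\xd9"


def get_thumbnails_vulnerable(requester: str, video_id: str, ms: int) -> str:
    """Models the flaw: the video ID from the request body is looked up and the
    thumbnail returned without checking whether `requester` may view it."""
    if video_id not in VIDEOS:
        raise KeyError(video_id)
    return base64.b64encode(_render_thumbnail(video_id, ms)).decode()


def get_thumbnails_fixed(requester: str, video_id: str, ms: int) -> str:
    """Same endpoint with the object-level authorization the original lacked:
    a private video's frames are served only to its owner."""
    video = VIDEOS.get(video_id)
    if video is None or (video.private and video.owner != requester):
        # One response for 'unknown' and 'not yours', so the endpoint does not
        # confirm which IDs exist as private videos.
        raise Forbidden("video not available")
    return base64.b64encode(_render_thumbnail(video_id, ms)).decode()


def frame_offsets_ms(fps: float, seconds: float) -> list[int]:
    """Millisecond offset of every frame in the first `seconds` of an `fps`
    video: frame k starts at k * 1000 / fps ms."""
    count = int(fps * seconds)
    return [round(k * 1000 / fps) for k in range(count)]


def scrape_frames(endpoint, requester: str, video_id: str,
                  fps: float = 24, seconds: float = 3) -> list[bytes]:
    """The PoC loop: request a thumbnail at each frame offset and base64-decode
    the payloads into an ordered list of frame images."""
    return [base64.b64decode(endpoint(requester, video_id, ms))
            for ms in frame_offsets_ms(fps, seconds)]


def is_refused(endpoint, requester: str, video_id: str) -> bool:
    """True if `endpoint` refuses to hand `requester` the first frame of `video_id`."""
    try:
        endpoint(requester, video_id, 0)
    except (Forbidden, KeyError):
        return True
    return False


if __name__ == "__main__":
    # Attacker "mallory" knows bob's private video ID but does not own it.
    stolen = scrape_frames(get_thumbnails_vulnerable, "mallory", "privvid0002")
    print(f"vulnerable endpoint leaked {len(stolen)} frames of a private video")
    print("fixed endpoint refuses mallory:",
          is_refused(get_thumbnails_fixed, "mallory", "privvid0002"))
    print("fixed endpoint still serves bob:",
          not is_refused(get_thumbnails_fixed, "bob", "privvid0002"))
```

The practitioner's check this encodes: any endpoint that takes an object identifier in the request should be exercised with the ID of an object the test account does not own, from a second account. Note also that the fixed handler gives the same refusal for a nonexistent ID and for someone else's private video, so the endpoint cannot be used to confirm which IDs correspond to private videos.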
The vulnerability and the method to exploit it have clear limitations. The attacker has to know the ID of the targeted private video; YouTube IDs are 11-character strings, so enumerating them is not practical. The technique retrieves only images, so no audio is exposed. And the result is a very low-resolution sequence of thumbnails rather than the original video.
The moral of the story is that the seam between two products (YouTube and Google Ads' Moments feature) is where access-control assumptions break: one product served data from the other without re-applying the other's privacy rules. As Schütz points out, such intersections are an excellent area for research.
In May 2020, Cisco Talos researchers reported that the infamous Astaroth Trojan was using YouTube channel descriptions as part of “a redundant C2 mechanism with both primary and secondary C2 infrastructure”. The attackers created a series of YouTube channels and used their descriptions to publish the list of command-and-control domains to the malware.