Tuesday, 18 November 2014

Youtube URL Redirection..

Hi Guys,

Another bug in Google.. This time is with youtube.com

Hmm.. Found a bug in Youtube.. but unfortunately, this bug is out of scope.. Anyway, a bug is a bug.. Lets see..

The issue is an URL redirection vulnerability that existing in upload.youtube.com. When you upload a video which is not proper (invalid), the application redirects you to error URL. This URL is being sent to the server as a parameter, error_redirect. I tried changing the url to some random domain, and guess what, it redirected as i have uploaded an invalid video.

Then, in the request i observed there are two user specific tokens going to the server. They are nothing but anti-csrf tokens and working properly with a valid video. But in the case of an invalid video, they are no longer validated and are being ignored. So i tried to send the request with invalid file, but this time i removed the user specific tokens user_token and session_token. And as i expected, the application issued an 302 redirection to the url in error_redirect parameter.

So finally, i got a URL Open Redirection vulnerability in Youtube. Unfortunately, the bug is out-of-scope. But they fixed the bug nevertheless, by accepting all videos to the processing stage without validating the video.

A video presentation for the same can be found here...


Suggestions and Queries/Corrections are always welcome...

1 comment: