Jay Taylor's notes

bugs.xdavidhu.me - xdavidhu's bug bounty writeups.

Original source (bugs.xdavidhu.me)
Tags: security Google vulnerabilities youtube insecure-direct-object-reference idor bugs.xdavidhu.me
Clipped on: 2021-01-11

11 January 2021

Stealing Your Private YouTube Videos, One Frame at a Time

Back in December 2019, a few months after I started hacking on Google VRP, I was looking at YouTube. I wanted to find a way to get access to a Private video which I did not own.

When you upload a video to YouTube, you can select between 3 privacy settings: Public, which means that anyone can find and watch your video; Unlisted, which only allows users who know the video ID (the URL) to watch the video; and Private, where only you can watch the video, or other accounts you have explicitly given permission to do so.

The first thing I did was to upload a video to my second testing account’s YouTube channel and set the video’s privacy to Private, so I could use that video for testing. (Remember, always only test against resources/accounts you own!) If I could find a way to access that video with my first testing account, we would have a bug.

With my first account, I started using YouTube, trying every feature and pressing every button I could find, and whenever I saw an HTTP request with a video ID in it, I changed it to the target Private video’s ID, hoping that I could leak some information about it, but I wasn’t really getting any success. The main YouTube site (at least the endpoints I had tested) seemed to always check whether the video was Private or not, and when I tried to request info about the target Private video, the endpoints always returned errors such as This video is private!.

I needed to find another way.

A great thing to do in a situation like this is to look for other products/services which are not your main target, but which somehow interact with its resources internally. If they have access to its resources, it is possible that they don’t have every level of protection that the main product has.

An interesting target which matched these requirements was Google Ads. This is the product which advertisers use to create ads across all Google services, including YouTube. So, the ads you get before YouTube videos are set up by advertisers here, on the Google Ads platform.

So I created a Google Ads account and created a new advertisement, which would play a video of mine as a skippable ad for YouTube users. During the ad creation process, I also tried to use the target Private video’s ID wherever I could, but with no success.

After creating the ad, I started looking at all of the different Google Ads features. The thing was huge; it had a bunch of different settings/tools. I was trying to find anything that could be YouTube-related.

There was a page called Videos, where I could see a list of videos used by my advertisements. Clicking on a video opened up an Analytics section for that specific video. It had an embedded player, some statistics, and an interesting feature called Moments. It allowed advertisers to “mark” specific moments of the video, to see when different things happen (such as the timestamp at which the company logo appears). To be honest, I am not quite sure what advertisers use this feature for; nevertheless, it seemed interesting:

[Image: the Moments feature]

[Dec 12, 2019] - Initial triage
[Dec 20, 2019] - Bug accepted (P4 -> P1)
[Jan 08, 2020] - Bug mitigated by temporarily disabling the Moments feature
[Jan 17, 2020] - Reward of $5000 issued
[??? ??, 2020] - Moments re-enabled, now it checks if you have access to the video
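The last timeline entry is the whole fix: a secondary product that fetches a video by ID must make the same access decision as the main site. The sketch below is an added Python example, not Google's or YouTube's code; the `Video` model, the `Catalog` class, the two `moment_frame` endpoints and the `audit_video_endpoints` regression check are all constructed for illustration of the three privacy settings and the missing check described in the post.

```python
from dataclasses import dataclass, field

# Constructed model of the three YouTube privacy settings described above.
PUBLIC, UNLISTED, PRIVATE = "public", "unlisted", "private"

@dataclass
class Video:
    video_id: str
    owner: str
    privacy: str
    shared_with: set = field(default_factory=set)   # explicit grants on a Private video
    frames: dict = field(default_factory=dict)      # timestamp -> frame bytes (constructed)

def can_view(video: Video, requester: str) -> bool:
    """The one access decision every product that touches a video must call."""
    if video.privacy in (PUBLIC, UNLISTED):
        return True                 # Unlisted: anyone holding the ID may watch
    return requester == video.owner or requester in video.shared_with

class Catalog:
    def __init__(self, videos):
        self._videos = {v.video_id: v for v in videos}

    def moment_frame_insecure(self, video_id, requester, ts):
        """The bug pattern: a secondary product fetches by ID and never asks can_view()."""
        return self._videos[video_id].frames.get(ts)

    def moment_frame(self, video_id, requester, ts):
        """Mitigated endpoint: same lookup, gated by the shared check."""
        video = self._videos.get(video_id)
        if video is None or not can_view(video, requester):
            return None             # same answer for missing and forbidden: no ID oracle
        return video.frames.get(ts)

def audit_video_endpoints(catalog, video_id, outsider, ts):
    """Regression check: list the endpoints that hand an outsider data about a video."""
    endpoints = {
        "moment_frame_insecure": catalog.moment_frame_insecure,
        "moment_frame": catalog.moment_frame,
    }
    return sorted(n for n, fn in endpoints.items() if fn(video_id, outsider, ts) is not None)

if __name__ == "__main__":
    private = Video("vid_private_1", "account2", PRIVATE, frames={5: b"frame@5s"})
    cat = Catalog([private])
    print("leaky endpoints:", audit_video_endpoints(cat, "vid_private_1", "account1", 5))
```

Running the audit against a Private video owned by a second account reports `moment_frame_insecure` as leaky and the gated endpoint as clean; adding the outsider to `shared_with` is the only way the gated endpoint returns a frame.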