A pair of security researchers from Egypt recently found an intriguing comment authentication bug on YouTube.
Except that this time, instead of deleting other people’s data, Ahmed Aboul-Ela and Ibrahim M. El-Sayed figured out how to clone it!
You could “borrow” other people’s approvals and positive reviews so that it looked as though they were promoting your videos, too.
How it worked
Simply put, this is how the phoney-comment workflow starts:
- Turn on “Hold comments for review” on your own YouTube channel.
- Wait for a comment to arrive, and go in and approve it.
- Sniff and record the HTTP data from that approval operation.
At this point, you may be thinking, “But Google insists on HTTPS for security, so how do you sniff the encrypted data out of the approval request?”
The answer is that you’re not trying to eavesdrop someone else’s conversation with YouTube.
You’ve logged in yourself, and you’re carrying out a perfectly normal transaction inside your own browser, on your own computer.
Both your browser and your computer are entirely under your control, so you can easily capture and decrypt your own traffic, or log the data right inside the browser itself before it’s encrypted for transmission.
Now comes the switcheroo:
- Change the comment identifier in the approval request to match someone else’s comment on someone else’s channel.
- Keep your own video ID in the request, and keep your own authentication token. (That’s the session data that proves you’re already logged in.)
Bingo: the other person’s comment now appears under your video.
The comment doesn’t get moved from the original channel to yours, and the owner of the original comment doesn’t receive a notification.
As far as they’re concerned, nothing has gone wrong: they still have exactly the same “comment love” as they had before.
But if you’ve chosen an upbeat comment – one left by an influential celebrity, for example – that is generic enough to apply to your video…
…you get to share undeservedly in that “comment love”.
As the bug finders put it:
Imagine for instance a celebrity or public figure leaving a comment on some video on Youtube saying "Wow, This is an Amazing Video". You then come along, exploit that vulnerability, and quite simply make this comment appear on your own video instead. 🙂
→ As indicated above, the word “instead” isn’t quite accurate here. As the bug-finders themselves note, the comment appears under your video as well as under the original. That’s actually worse: it’s much less likely anyone would notice, because nothing gets deleted or modified in their channel.
So, by choosing carefully, you could clone any number of influential, positive remarks and thereby greatly enhance the apparent popularity of your own video.
In the Google ecosystem, that could mean a significant, and dishonest, boost in ad revenue.
Additionally, as the bug-finders suggest, you could also use this bug to attack particular users, for example to make them look bad, or to imply they hold opinions they do not.
Imagine that your victims had commented positively on various videos supporting a cause of which they approved, or had argued in favour of an issue they supported.
You could publish a negative or inflammatory video that took a contrary position, and make it look as though they approved of your video, too.
Lessons to learn
In short, this bug was an authentication mismatch by which being authenticated to approve some comments meant that you were effectively authenticated to approve any comments.
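To make the mismatch concrete, here is an added example (not YouTube's code, written for this page) of an approval handler that checks only "is this caller logged in and do they own the stated video", beside one that also looks up which video the comment was really left on and requires the caller to own that. All tokens, video IDs and comment IDs are constructed.

```python
from dataclasses import dataclass

# Constructed in-memory records: who owns each video, which video each
# comment was posted under, and which user each session token belongs to.
VIDEO_OWNER = {"vid_alice_1": "alice", "vid_bob_7": "bob"}
COMMENT_VIDEO = {"c100": "vid_alice_1", "c200": "vid_bob_7"}
SESSION_USER = {"tok_alice": "alice", "tok_bob": "bob"}


class Forbidden(Exception):
    """Raised when the caller may not perform the requested action."""


@dataclass
class ApproveRequest:
    token: str       # session token: proves the caller is logged in
    video_id: str    # video the caller says the comment sits under
    comment_id: str  # comment to approve (the field that was tampered with)


def authenticate(token: str) -> str:
    """Map a session token to a user; unknown tokens are rejected."""
    if token not in SESSION_USER:
        raise Forbidden("not logged in")
    return SESSION_USER[token]


def approve_vulnerable(req: ApproveRequest) -> tuple:
    """Mirrors the bug: verifies login and ownership of video_id, but never
    checks that comment_id actually belongs to that video."""
    user = authenticate(req.token)
    if VIDEO_OWNER.get(req.video_id) != user:
        raise Forbidden("you do not own that video")
    return (req.comment_id, req.video_id)  # any comment lands under your video


def approve_fixed(req: ApproveRequest) -> tuple:
    """Hardened: take the comment's parent video from the server-side record,
    require it to match the request, and require the caller to own it."""
    user = authenticate(req.token)
    parent = COMMENT_VIDEO.get(req.comment_id)
    if parent is None or parent != req.video_id:
        raise Forbidden("comment is not under the stated video")
    if VIDEO_OWNER.get(parent) != user:
        raise Forbidden("you do not own the video this comment is on")
    return (req.comment_id, parent)


def is_allowed(handler, req: ApproveRequest) -> bool:
    """True if the handler approves the request, False if it refuses."""
    try:
        handler(req)
        return True
    except Forbidden:
        return False
```

Running `is_allowed` with Alice's token, Alice's video and Bob's comment returns True for the vulnerable handler and False for the fixed one; the only authorisation data that can be trusted is what the server derives itself, not what arrives in the request.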
As the bug-finders wryly pointed out, they decided to go digging where they did (inside the “Hold all comments for review” feature) because it’s not YouTube’s default setting, and as far as they could see, few people bothered to use it.
In other words, they deliberately chose the road less travelled in the hope – a hope that was confirmed, it seems – that it might also be the road less tested.
They received a bug bounty payout of $3133.70. (That’s a Google witticism: “31337” is the hacker-elite way of writing “eleet,” which is the hacker-elite way of saying “elite”.)
As users, we don’t need to do anything; Google quickly closed this hole.
But if you’re a web developer, remember this: all code paths are important, because if you don’t try them, someone else will!