Opening a website with an embedded YouTube video potentially allowed miscreants to access a user’s viewing history, favorites, and playlists.The security bug which earned a modest $1,337 bounty from Google was uncovered by security researchers
YouTube has an embedded player that allows website developers to embed videos into their own site. This player also has an API, which enables users to control and obtain information about the player.
This allows a user to, for example, play/pause the player, load a new video/playlist, and list the contents of the currently playing playlist.
There was also a special uploads playlist which, “when viewed by the channel owner, listed all uploaded videos, including unlisted ones.
Since the Youtube embedded player is also logged in to YT, a malicious website could have embedded a player, instructed it to play e.g. the ‘HL’ playlist and get the contents of the playlists using the API the embedded player has, thereby stealing the watch history of the user who opened the website.The attacker could also have prepared a page for a specific victim, which when opened by that victim, would steal the victim’s unlisted videos
The main issue was that you were able to load private playlists into the player in the name of the victim, and later steal the contents of those private playlists,” he concludes.