
Opening a website with an embedded YouTube video potentially allowed miscreants to access a user’s viewing history, favorites, and playlists. The security bug, which earned a modest $1,337 bounty from Google, was uncovered by security researchers.
YouTube has an embedded player that allows website developers to embed videos into their own site. This player also has an API, which enables users to control and obtain information about the player.
This allows a user to, for example, play/pause the player, load a new video/playlist, and list the contents of the currently playing playlist.
There was also a special uploads playlist which, “when viewed by the channel owner, listed all uploaded videos, including unlisted ones.
Since the YouTube embedded player is also logged in to YT, a malicious website could have embedded a player, instructed it to play e.g. the ‘HL’ playlist and get the contents of the playlists using the API the embedded player has, thereby stealing the watch history of the user who opened the website. The attacker could also have prepared a page for a specific victim, which when opened by that victim, would steal the victim’s unlisted videos.
The main issue was that you were able to load private playlists into the player in the name of the victim, and later steal the contents of those private playlists,” he concludes.