Creating a YouTube TV that could steal your private videos - $6,000 CSRF

  Views: 4,317

Bug Bounty Reports Explained

Day ago

📧 Subscribe to BBRE Premium: bbre.dev/premium
✉️ Sign up for the mailing list: bbre.dev/nl
📣 Follow me on Twitter: bbre.dev/tw
🖥 Get $100 in credits for Digital Ocean 🖥
m.do.co/c/cc700f81d215
This video explains a vulnerability reported through Google's bug bounty program. The bug was a CSRF (cross-site request forgery) that allowed stealing private and unlisted videos from YouTube.
Report:
bugs.xdavidhu.me/google/2021/...
Reporter's Twitter:
/ xdavidhu
POC script:
gist.github.com/xdavidhu/b264...
Follow me on Twitter:
/ gregxsunday
00:00 Intro
00:35 Pairing YT TV with the browser
03:35 The bug
04:48 Pairing the victim with our TV
05:48 Video ID?

Comments: 18
@BugBountyReportsExplained 2 years ago
Hi there! Welcome to the comment section. I hope you liked the video. If you like what I'm doing, sign up for the newsletter to learn with me even more: mailing.bugbountyexplained.com/
@reo4680 2 years ago
awesome video! keep going man! I'm proud that people from my country are finding bugs like this :)
@renganathanofficial 2 years ago
good one as always :D
@DavenSec 2 years ago
Nice video like always ;)
@unurbayaramarsaikhan1362 2 years ago
Thanks for your work. It helps me to understand a bug. :)
@stoner6161 2 years ago
Keep up the good work
@pratyakshsingh7834 2 years ago
Perfectly explained.
@mnageh-bo1mm 2 years ago
duh ... but 6k is too low for such a vuln
@BugBountyReportsExplained 2 years ago
I also think it could be more
@cyberpirate007 2 years ago
Google should hire him! 👏👏
@BugBountyReportsExplained 2 years ago
yes!
@zTech300 2 years ago
Super
@mnageh-bo1mm 2 years ago
Hey how did he bypass CORS policy that allows a site to send GET requests in the browser to another site that it doesn't own?
@BugBountyReportsExplained 2 years ago
That's a good question. In this case, we send a POST request with the application/x-www-form-urlencoded content type. As per my understanding of CORS rules, this is considered a "simple request". Thus, the browser does NOT send the preflight request (the OPTIONS request which the browser sends to check what the Access-Control-Allow-Origin header is). Instead, it sends the POST request that we want straight away and only then observes the headers in the response (ACAO in particular). In our case, the request will originate from the bad domain - one that is not whitelisted by the CORS policy. The browser will block us from reading the response, but the request was already sent. In the case of CSRF, we don't need to read the response - sending a request is enough for us. Reference: developer.mozilla.org/en-US/docs/Web/HTTP/CORS#simple_requests This topic is not easy - feel free to ask if you need any clarification.
@mnageh-bo1mm 2 years ago
@BugBountyReportsExplained oh ... I get it ... I thought that you need to read the response to get the attack to work ... thanks a lot
@BugBountyReportsExplained 2 years ago
@mnageh-bo1mm no problem mate, it's good to hear a good question in the comments 😉
@krishg767 2 years ago
nice
@zbyszggo4626 2 years ago
This is next level shit
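
The reply above about CORS "simple requests", as an added example that is not part of the original video, report or comments: a simplified JavaScript model of when a browser skips the preflight, followed by a server-side Origin check for state-changing requests, which is where the decision has to be made because the request has already arrived. `TRUSTED_ORIGINS`, the function names and the request object shape (lower-cased header names) are assumptions made for illustration, and the full Fetch rules contain more conditions than are modelled here.

```javascript
// Simplified model of the "simple request" rule (not the full Fetch spec).
const SAFE_METHODS = new Set(["GET", "HEAD", "POST"]);
const SAFE_CONTENT_TYPES = new Set([
  "application/x-www-form-urlencoded",
  "multipart/form-data",
  "text/plain",
]);
// Headers a script may set itself without triggering a preflight.
const SAFELISTED_HEADERS = new Set([
  "accept", "accept-language", "content-language", "content-type",
]);

// authorHeaders: headers set by the calling script (not browser-added ones
// such as Origin or Cookie), as a plain object.
function needsPreflight(method, authorHeaders = {}) {
  if (!SAFE_METHODS.has(method.toUpperCase())) return true;
  for (const [name, value] of Object.entries(authorHeaders)) {
    const key = name.toLowerCase();
    if (!SAFELISTED_HEADERS.has(key)) return true;
    if (key === "content-type") {
      // Ignore parameters such as "; charset=UTF-8".
      const mime = String(value).split(";")[0].trim().toLowerCase();
      if (!SAFE_CONTENT_TYPES.has(mime)) return true;
    }
  }
  return false; // browser sends the request directly, cookies included
}

const TRUSTED_ORIGINS = new Set(["https://app.example"]); // constructed value

// Server-side guard for state-changing endpoints. CORS response headers only
// control whether the caller may READ the response, so the server must
// reject the request itself. req.headers is assumed to use lower-case names.
function allowStateChange(req) {
  const method = req.method.toUpperCase();
  if (method === "GET" || method === "HEAD" || method === "OPTIONS") return true;
  const origin = req.headers["origin"];
  // Browsers attach Origin to cross-origin POSTs; treat a missing or
  // unlisted Origin on a state-changing request as untrusted.
  return origin !== undefined && TRUSTED_ORIGINS.has(origin);
}
```

A form-encoded POST returns `false` from `needsPreflight`, which is why an Origin check (or an anti-CSRF token, or `SameSite` cookies) is needed on the server instead of relying on the CORS policy.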