Two Egyptian security experts, Ahmed Aboul-Ela and Ibrahim M. El-Sayed, recently identified an intriguing comment authentication bug on YouTube. The bug could enable crooks to “borrow” one’s account’s approvals and positive reviews and then make them look as though they were helping in promoting your videos, too.
The bug at work
In simple terms, this is how the fake-comment bug does its job:
- You turn on the “Hold comments for review” option that is on your YouTube channel.
- You wait for the comment to be sent, and you go in and then approve it.
- You sniff and record the HTTP information from that approval.
Now, you may remember that Google insists on HTTPS for extra security. If that is so, how is it even possible to sniff out the encrypted data right from the approval request?
The answer is simple – it is because as a user, you are not trying to snoop on others’ conversation with YouTube. Since you have logged in and you are performing a normal browsing, your browser and your computer are totally under your control. As a result, you are able to easily capture and decrypt your own traffic, or even log the data right in the browser itself before it is encrypted.
Then, here comes a switcheroo:
- Change a comment identifier from approval request to match other someone’s comment on someone’s channel.
- Keep your unique video ID in the request and keep your own authentication token. (That is the session data that proves you have already been logged in.)
That’s it! The comment of the other person will now appear right under your video.
Strangely, the comment will not move from your channel, and the person who makes the original comment will not receive a notification. So far so good, nothing has gone wrong: both persons will still have exactly the same comment love just as they had before.
However, if you have chosen a rather upbeat comment – the one left by maybe an influential celeb, for example – that is generic enough to apply to your own video. Then, you will be sharing that undeserved comment love.
Here’s the video demonstrating the bug in action:
The finders of this bug say:
Imagine for instance a celebrity or public figure leaving a comment on some video on YouTube saying “Wow, this is an Amazing Video.” You then come along, exploit that vulnerability, and quite simply make this comment appear on your own video instead. 🙂
As mentioned above, the word “instead” is not exactly accurate in this case. They said that the comment appears under your own video as well as under the original, which is not a good sign. It is unlikely anyone will notice as nothing really gets deleted or is modified in their own channel.
So, if you choose carefully, you will be able to clone any number of influential users’ positive remarks and thereby enhance the popularity of your own videos. That would be a dishonest way of boosting advertising revenue in Google’s network.
In addition, finders of the bug suggested that you could also be using this bug to attack a particular user and you can make them look bad, or to simply imply they hold opinions they really do not. For example, if your victim leaves a positive comment on various videos which supports their cause, you can publish some negative video that is contrary to the victim’s position and make it look as if they approved of that video as well.
Lessons you can learn
To keep it short, the bug was an authentication mismatch through which being authenticated to approve some comments meant you were effectively authenticated for approving any comments.
The experts who identified the bug also pointed out that they decided to dig where they did (i.e. right inside the “Hold all comments for review” feature) as it is not YouTube’s default setting. And they added that only few people bothered to try it out.
In the end of the story, two bug-finders were given a bug bounty reward of $3133.70.
YouTube users don’t have to worry and do anything now. Google has already come up with a solution and closed this hole.