IDOR leaks the likes count even though it is hidden by the victim | YouTube ($XXXX)

Description:

An IDOR leaks the likes count even though it is hidden by the victim, and the dislikes count can then be worked out from it.

Note: Green is "likes (👍)", red is "dislikes (👎)" and orange is "likes (👍) and dislikes (👎)".

If you know the "likes" count, you can find out the "dislikes" count with the following steps:

[POST] https://www.youtube.com/youtubei/v1/player?key=...

"videoId":"your_video_id" ---> "videoId":"victim_video_id"

When I click like and also dislike on the victim video, the result is:

"averageRating": 1 - 5

1 like(s) / 0 dislike(s) = averageRating: 5 (without dislike) 100%
2 like(s) / 0 dislike(s) = averageRating: 5 (without dislike) 100%
3 like(s) / 0 dislike(s) = averageRating: 5 (without dislike) 100%
-
1 like(s) / 1 dislike(s) = averageRating: 3 (likes and dislikes are the same) 50%
2 like(s) / 2 dislike(s) = averageRating: 3 (likes and dislikes are the same) 50%
3 like(s) / 3 dislike(s) = averageRating: 3 (likes and dislikes are the same) 50%
-
0 like(s) / 1 dislike(s) = averageRating: 1 (without like) 0%
0 like(s) / 2 dislike(s) = averageRating: 1 (without like) 0%
0 like(s) / 3 dislike(s) = averageRating: 1 (without like) 0%

averageRating | Percentage | (averageRating - 1)

5.000         | 100.0%     | (4.000)
4.000         | 75.00%     | (3.000)
3.000         | 50.00%     | (2.000)
2.000         | 25.00%     | (1.000)
1.100         | 2.50%      | (0.100)
1.010         | 0.25%      | (0.010)
1.001         | 0.025%     | (0.001)
1.000         | 0%         | (0.000)

How can I find out the "dislikes" count on the victim video?

For example, the victim video has 100 likes and 100 dislikes.

averageRating: 3 (50.00%)

100 likes count: 100 / ... = 0.50 (50%)? ---> 100 / 200
100 likes count / (100 likes count + 100 dislikes count) = 0.50
100 / (100 + 100) = 0.50
100 / 200 = 0.50
100 / 200 * 100 = 50
100 / 200 * 100 = (50% = averageRating: 3)

If the video has no likes or no dislikes, the averageRating is 1 or 5 respectively, and the percentage is 0% or 100%.

You must click like or dislike, so that the percentage is not 0% or 100%.
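
The arithmetic above rearranges to dislikes = likes * (5 - averageRating) / (averageRating - 1). The following Python is an added example, not code from the original report: the function name, the 0.001 rounding step and the sample values are assumptions. It shows why a response that returns a ratio next to one of its operands discloses the hidden counter, and how tightly the rounding of averageRating bounds it.

```python
from fractions import Fraction
from math import ceil, floor

def dislike_range(likes, average_rating, step="0.001"):
    """Bound the dislike count implied by a likes count and an averageRating.

    Uses the page's mapping: (averageRating - 1) / 4 = likes / (likes + dislikes),
    hence dislikes = likes * (5 - averageRating) / (averageRating - 1).
    `step` is the ASSUMED rounding precision of averageRating.
    Returns (low, high); high is None when the rating is too close to 1 to bound it.
    """
    if likes <= 0:
        raise ValueError("with zero likes the rating is 1 for any dislike count")
    r = Fraction(str(average_rating))
    if not 1 <= r <= 5:
        raise ValueError("averageRating must be between 1 and 5")
    half = Fraction(step) / 2
    lo_r = max(r - half, Fraction(1))  # smallest true rating that rounds to r
    hi_r = min(r + half, Fraction(5))  # largest true rating that rounds to r

    def dislikes_at(rating):
        return likes * (5 - rating) / (rating - 1)

    low = ceil(dislikes_at(hi_r))  # dislikes fall as the rating rises
    high = None if lo_r == 1 else floor(dislikes_at(lo_r))
    return low, high

if __name__ == "__main__":
    # Constructed sample values, not data from the report.
    for likes, rating in [(100, 3), (3, 4), (100, 5), (100000, 4.5)]:
        print(likes, rating, dislike_range(likes, rating))
```

With small counts the range collapses to a single value; with large counts the rounding leaves a narrow band, so hiding only one of the two fields does not hide the counter.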

PHP:

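<b>Percentage</b>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<b>averageRating</b>
<br>
<br>
<?php
// Print every averageRating from 5.000 down to 1.000 with its like percentage.
// Each 0.001 step of averageRating corresponds to 0.025 percentage points.
// An integer counter avoids floating-point drift from repeated subtraction.
for ($step = 0; $step <= 4000; $step++) {
    $Percentage = round(100 - $step * 0.025, 3);
    $averageRating = round(5 - $step * 0.001, 3);
    echo $Percentage,"%&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;(",$averageRating,")<br>";
}
?>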


Percentage         averageRating

100%             (5)
99.975%             (4.999)
99.95%             (4.998)
99.925%             (4.997)
99.9%             (4.996)
99.875%             (4.995)
99.85%             (4.994)
99.825%             (4.993)
99.8%             (4.992)
99.775%             (4.991)
99.75%             (4.99)
99.725%             (4.989)
99.7%             (4.988)
99.675%             (4.987)
99.65%             (4.986)
99.625%             (4.985)
99.6%             (4.984)
99.575%             (4.983)
99.55%             (4.982)
99.525%             (4.981)
99.5%             (4.98)
...             ...
0.025%             (1.001)

Steps to reproduce:

Victim:

1. Create ---> Go live.
2. Create a live video or scheduled video.
3. Edit video.
4. Show how many viewers like and dislike this video ---> Don't show how many viewers like and dislike this video.
5. Save.

Attacker:

1. Create ---> Go live.
2. Create a live video.

    Request:

[POST] https://studio.youtube.com/youtubei/v1/live/get_broadcast_status

"videoIds":["your_video_id"] ---> "videoIds":["victim_video_id"]

    Response:

"voteStats": {"likesTinyText": {"simpleText": "simpleText"}, "likesCount": "victim_likesCount"}

The response shows the likes count even though it is hidden by the victim, and the dislikes count can then be found out.

PoC video: https://youtu.be/6_nYRT08yRQ


Timeline:

mm/dd/yyyy

04/03/2021 - Bug Found
04/03/2021 - Submit Report
04/07/2021 - Triaged
    Priority: P4 - P2
    Status: New - Assigned
04/09/2021 - Duplicate
    Status: Assigned - Duplicate of 31337
04/13/2021 - Assigned
    Status: Duplicate of 31337 - Assigned
04/14/2021 - 🎉 Nice catch!
    Type: Customer Issue - Bug
    Severity: S4 - S2
    Status: Assigned - Accepted
04/21/2021 - Bounty awarded by Google VRP. ($XXXX)
04/21/2021 - Fixed

LinkedIn: Alessandro Rumampuk
YouTube: R,ando
Facebook: Ando
Twitter: R ando
