Steps to reproduce:
1. Go to the victim video. (members-only video)
Response:
"Join this channel from your computer or Android app to get access to members-only content like this video."
You must join to access the video and video comment.
2. Upload video.
3. Open the video: https://m.youtube.com/watch?v=your_video_id
4. Click "Comments".
Request:
[GET] https://m.youtube.com/watch_comment?action_get_comments=1&ctoken=...&pbj=1
URL decode:
URL decode:
Base64 decode:
Change to victim_video_id.
Base64 encode:
URL encode:
URL encode:
Response:
Attacker can access the members-only video comment.
PoC video: https://youtu.be/6wVKbCkSe3E
Timeline:
mm/dd/yyyy
05/15/2021 - Bug Found
05/15/2021 - Submit Report
05/17/2021 - Triaged
Priority: P4 - P2
Status: New - Assigned
05/21/2021 - 🎉 Nice catch!
Type: Customer Issue - Bug
Severity: S4 - S2
Status: Assigned - Accepted
05/28/2021 - Bounty awarded by Google VRP. ($5,000)
02/07/2022 - Fixed
LinkedIn: Alessandro Rumampuk
YouTube: R,ando
Facebook: Ando
Twitter: R ando
1. Go to the victim video. (members-only video)
Response:
"Join this channel from your computer or Android app to get access to members-only content like this video."
You must join to access the video and video comment.
2. Upload video.
3. Open the video: https://m.youtube.com/watch?v=your_video_id
4. Click "Comments".
Request:
[GET] https://m.youtube.com/watch_comment?action_get_comments=1&ctoken=...&pbj=1
Response:
Attacker can access the members-only video comment.
PoC video: https://youtu.be/6wVKbCkSe3E
Timeline:
mm/dd/yyyy
05/15/2021 - Bug Found
05/15/2021 - Submit Report
05/17/2021 - Triaged
Priority: P4 - P2
Status: New - Assigned
05/21/2021 - 🎉 Nice catch!
Type: Customer Issue - Bug
Severity: S4 - S2
Status: Assigned - Accepted
05/28/2021 - Bounty awarded by Google VRP. ($5,000)
02/07/2022 - Fixed
LinkedIn: Alessandro Rumampuk
YouTube: R,ando
Facebook: Ando
Twitter: R ando
Comments