Steps to reproduce:
PoC video: https://youtu.be/6wVKbCkSe3E
Timeline:
mm/dd/yyyy
05/15/2021 - Bug Found
05/15/2021 - Submit Report
05/17/2021 - Triaged
Priority: P4 - P2
Status: New - Assigned
05/21/2021 - 🎉 Nice catch!
Type: Customer Issue - Bug
Severity: S4 - S2
Status: Assigned - Accepted
05/28/2021 - Bounty awarded by Google. ($5,000)
02/07/2022 - Fixed
LinkedIn: Alessandro Rumampuk
YouTube: R,ando
Facebook: Ando
Twitter: R ando
- Go to the victim video. (members-only video)
- Upload video.
- Open the video: https://m.youtube.com/watch?v=your_video_id
- Click "Comments".
Response:
"Join this channel from your computer or Android app to get access to members-only content like this video."
You must join to access the video and video comment.
Request:
[GET] https://m.youtube.com/watch_comment?action_get_comments=1&ctoken=...&pbj=1
Response:
Attacker can access the members-only video comment.
PoC video: https://youtu.be/6wVKbCkSe3E
Timeline:
mm/dd/yyyy
05/15/2021 - Bug Found
05/15/2021 - Submit Report
05/17/2021 - Triaged
Priority: P4 - P2
Status: New - Assigned
05/21/2021 - 🎉 Nice catch!
Type: Customer Issue - Bug
Severity: S4 - S2
Status: Assigned - Accepted
05/28/2021 - Bounty awarded by Google. ($5,000)
02/07/2022 - Fixed
LinkedIn: Alessandro Rumampuk
YouTube: R,ando
Facebook: Ando
Twitter: R ando
Comments