Tuesday, January 14, 2014

Again, from Nay to Yay in Google Vulnerability Reward Program!

Happy new year to everyone. This is my first post for 2014.

On 9th January 2014, I posted this on my twitter
So is this post related to that? Will get to it soon or probably next month.haha..
In this post I'm going to share to you a bug that manage me to be inside  Google Vulnerability Reward Program G+ Community here

The bug is a Self Stored XSS in Youtube. Yerp..

Let us see how the XSS exist.
  1. In Youtube video manager, there's a function for a user to create Captions for his/her video(s).
  2. Put our XSS payload in the script box and save.
  3. Once we play the video, our XSS will be executed.
  4. Check on below screenshots :)

But..there's a problem! The XSS only executing in Caption's Video Manager. Which in other word the XSS is only stored for that user only.
There's must be a way to exploit or to manipulate this vulnerability. Last time I managed to find a way to Yaying this Nay in Google Adwords. You guys can check on it http://c0rni3sm.blogspot.com/2013/12/google-adwords-stored-xss-from-nay-to.html

I browsed a few times to see is there any share or embed function in this Captions thing. And then..


I noticed that, there's a function where a user can request for a translation from 3rd party or other users. So how this function working?
  1. User request for his/her video for a translation.
  2. User able to choose either from 3rd party or by other Google Users.

Manipulating time.Let assume that, there's a community for English series, Movies, Korean dramas that have some translator for Youtube's caption..and among them, there's an attacker >: )
  1. Attacker will received the invitation.
  2. Attacker put his/her evil code in the middle of translations.
  3. Send to the requester for approval.

Once done, the requester will get an email notification and what she/he need to do is review the translated caption and approve it. So what happen next? The XSS will be executed 


Till next time, adios!


03 December 2013 - Reported via VRP form
07 December 2013 - Received a reply from Martin,Google Security Team
07 December 2013 - Google Team asked for more information to reproduce
08-10 December 2013 - Fixed around these dates.
11 December 2013 - Received a reward email from Google
10 January 2014 - Kevin,Google Security Team confirmed the fix.