Sunday, February 2, 2014

Youtube - Stored XSS Strikes Back!

Hi,
Remember above picture? Most of you might thought its an XSS vulnerability in Gmail, sad to say it is not.haha..The bug actually exist in Youtube Api. Yes, similar to my previous post Yay the Nay in Youtube, this bug also came from the same Youtube Api.

The vulnerable parameter was track's name. Interesting part is, if you try to use XSS payload directly as track's name, it won't working. An error will appear saying you're trying to use special characters that are not allowed.

But due a glitch occur in this section, I was able to change the track's name by using "edit" function. By directly replay the request or tamper it, I can change the old_name into a new name with my XSS payload as shown below.


Once saved, the XSS successfully stored in my video. So does it mean if you watch the video from www.youtube.com it'll executed? Sadly, no. However, the XSS can be executed in Gmail, Google Docs/Presentation and Google Plus. This is because the video will be played using Google's player that was affected with this vulnerability.




Simple right?
Till next time,adios!

@yappare

10 January 2013 : Reported to Google
11 January 2013 : Received notification from Aleksandr, Google Security Team
12-14 January 2013 : Bug noticed was fixed around this date.
15 January 2013 : Received email regarding reward
22 January 2013 : Confirmation of fix from Google's team.


#edit: Prakhar my friend said that this XSS actually execute on youtube main domain as well since he was double check for me on that day and it work in www.youtube.com. sadly I dont have the screenshot as a proof