Send request to Martians. Earthlings are already your friends.
Hello everyone,
I'm back with another write-up. This time it's a Google bug. YouTube is Google's video sharing site and a great place to explore. As a bug hunter, you can spend hours, days or even weeks on YouTube without hesitation. I always used YouTube to play some music when I worked as a developer last year.
When I started bug hunting, I tried YouTube multiple times and couldn't find anything. Then I started hunting on other Google services.
After hunting for more than 2 hours, I found a bug in one of Google's acquisitions. According to Google, a video PoC is required only if it contributes something that text can't. But I'm a great fan of videos, and my first bug report to Google (a duplicate) contained a 15-minute video 😎.
I recorded a video of the bug I had found and visited YouTube to upload it. When I clicked the upload button, I noticed something strange beside it, something new. It looked like a message button.
But then the upload page loaded suddenly and the button was gone. I was confused. It looked like a new feature, and the bug I already had in hand was in an old service. If I continued with the bug in my hand, someone else might find and report bugs in the new service. I didn't want another duplicate (I already had 2).
I decided to test this new feature and clicked the back button. When I clicked on the messenger icon, it was indeed a new feature, and I saw a message from YouTube sent 5 minutes earlier. I thanked God. I wasn't late to the party.
I clicked on the thread and a chat window, similar to Hangouts' and Facebook's, opened at the bottom. I saw a message there and a link to a video. Below that there was a button, "Send an Invitation link". Clicking on it revealed a link. It was something like https://youtu.be/addme/{hash}.
I opened it in another browser where one of my alternate Google accounts was logged in. It took me to a page with a button to accept the request. I immediately thought about the possibility of CSRF there. When I inspected the source code, no CSRF token was present. Still, I wasn't sure whether it was vulnerable to CSRF. Maybe the token was added by some dirty JavaScript code.
I navigated to the network tab and then clicked on the accept button. It sent a POST request to `https://www.youtube.com/add_contact?action_connect`, and the only parameter present was `c` with the value {{hash from the url}}. Whoa, I was really excited to see that there was no CSRF token in it, and the next window showed that you're connected with person X, with a button to start sharing.
I made a PoC with an AJAX request. I was aware of CORS, and I didn't want the response; even if the response is blocked by CORS, no issues. But something weird happened. I noticed a new term, CORB. Chrome first sends an OPTIONS request to the target, and if the ACAO header is not present, the request is cancelled. Since I had taken a break of ~10 months from the field, I didn't know such a thing had been implemented in Chrome.
The only choice I was left with was making a normal HTTP POST. But it would take the victim directly to the "you're now connected" page, and they'd know what just happened. Still, it is a vulnerability, and I reported it ASAP. All of this happened in 30 minutes.
The PoC code looked like this:
<html>
<head></head>
<body>
<!-- Cross-site POST to the accept endpoint. The browser attaches the victim's YouTube session cookie; no CSRF token was required at the time. -->
<form action="https://www.youtube.com/add_contact?action_connect" method="post">
<!-- The invitation hash taken from the attacker's own https://youtu.be/addme/{hash} link -->
<input name="c" type="hidden" value="{{hash from the url}}" />
<input type="submit" value="Continue" />
</form>
</body>
</html>
I added the button there to record the PoC video. After that, I changed it to
<script>document.forms[0].submit()</script>
so that the form gets submitted automatically. The impact changes from "user interaction needed" to "no user interaction needed". In the next panel meeting, Google rewarded me with a $ ████ bounty
And Google fixed it in 15 days.
Impact
1. Connect with anyone
2. Add this code in an iframe on your website and you will get the Google account details of everyone who visits your site.
Fix
The session token is added to the form, which protects against CSRF attacks.
PoC Video
TimeLine (timezone is in IST)
25 Jul 2018 06:51 PM - Issue Reported
25 Jul 2018 10:37 PM - Initial Triage (Priority from P4 -> P3)
26 Jul 2018 07:10 PM - Sent the updated PoC link
27 Jul 2018 12:59 AM - Accepted, P3 -> P2 and a "Nice catch".
31 Jul 2018 08:50 PM - Bounty Rewarded $ ████
10 Aug 2018 10:04 AM - Issue Fixed.
Thank you google for the bounty.