Just a few weeks ago we reported about a simple logical vulnerability in YouTube that could have been exploited by anyone to delete any video from YouTube in just one shot.
Now:
Again a small trick in the popular video sharing website could allow anyone to play with the comments posted by users on YouTube videos.
Ahmed Aboul-Ela and Ibrahim M. El-Sayed, two Egyptian security researcher, found a simple trick that allowed him to copy any comments from any video on the popular video sharing website to his video, even without any user-interaction.
Not only this, but also:
This vulnerability allows you to spoof, duplicate or copy the comments on discussion boards from any YouTube channel and make it appear as the comments on your video or as a comment on your YouTube channel's discussion board.
How did this happen?
While testing the reviewing comments feature, the researcher noticed that the comments posted to any video on YouTube can be controlled by the author of that YouTube channel by changing the settings to "Hold all comments for review" before it gets posted.
After enabling this option, all the comments posted by different users on your video will be listed in a new tab on https://www.youtube.com/comments with an option to approve or remove it.
Now:
When you approve any listed comment and intercept the HTTP request, you'll find a comment_id and a video_id in the POST parameter.
If you change the video_id with any distinct video_id value, you'll get an error.
But, Here's the deal:
If you change only the comment_id to any other comment_id value on any YouTube video, keeping the video_id untouched, the request will get accepted by YouTube, and the comment will appear on your YouTube video.
However, this does not remove the original comment from the original video and even the author of the comment does not get notified that his comment is copied onto another video.
You can also watch the video demonstration of the YouTube vulnerability below:
Of course, the vulnerability have been fixed after the researcher reported it to Google. The search engine giant also paid Aboul-Ela a cash reward of $3,133.7 under its bug bounty scheme for finding and reporting the critical issue to the company.
