Menu
YouTube flaw allowed copying comments from one video to another

YouTube flaw allowed copying comments from one video to another

Google has fixed the flaw and paid a bug bounty

An Egypt-based security researcher said Google has fixed an interesting vulnerability he and a colleague found in YouTube.

Ahmed Aboul-Ela wrote on his blog that he and a fellow researcher, Ibrahim Mosaad, wanted to find a problem in a feature on YouTube "that not many bug hunters have tested."

They focused on a setting in YouTube that holds comments for review before they're published. If that feature is enabled, comments are then listed in a control panel labeled "held for review."

Aboul-Ela wrote he intercepted the http request that is sent to Google when a comment is approved. The request contains two parameters: "comment_id" and "video_id."

An error is returned if the video_id is changed to a different one, he wrote. But YouTube accepted changing the content_id number to a different video, which then caused the comment to get copied to that video.

"The original comment from the original video doesn't get removed, and the author of the comment does not get notified that his comment is copied onto another video," Aboul-Ela wrote.

The flaw could have been used in many ways. It could be used to make it appear that a video is more popular that it actually is. Or it could have been used to falsely make it appear a celebrity or public figure commented on something, Aboul-Ela wrote.

Google fixed the vulnerability within a week of being notified on March 25 and paid a US$3,133.70 bug bounty.

Send news tips and comments to jeremy_kirk@idg.com. Follow me on Twitter: @jeremy_kirk

Read more: Google, Microsoft serve up security treats for productivity suites

Follow Us

Join the New Zealand Reseller News newsletter!

Error: Please check your email address.

Tags GooglesecurityExploits / vulnerabilities

Featured

Slideshows

Sizing up the NZ security spectrum - Where's the channel sweet spot?

Sizing up the NZ security spectrum - Where's the channel sweet spot?

From new extortion schemes, outside threats and rising cyber attacks, the art of securing the enterprise has seldom been so complex or challenging. With distance no longer a viable defence, Kiwi businesses are fighting to stay ahead of the security curve. In total, 28 per cent of local businesses faced a cyber attack last year, with the number in New Zealand set to rise in 2017. Yet amidst the sensationalism, media headlines and ongoing high profile breaches, confusion floods the channel, as partners seek strategic methods to combat rising sophistication from attackers. In sizing up the security spectrum, this Reseller News roundtable - in association with F5 Networks, Kaspersky Lab, Tech Data, Sophos and SonicWall - assessed where the channel sweet spot is within the New Zealand channel. Photos by Maria Stefina.

Sizing up the NZ security spectrum - Where's the channel sweet spot?
Kiwi channel comes together for another round of After Hours

Kiwi channel comes together for another round of After Hours

The channel came together for another round of After Hours, with a bumper crowd of distributors, vendors and partners descending on The Jefferson in Auckland. Photos by Maria Stefina.​

Kiwi channel comes together for another round of After Hours
Consegna comes to town with AWS cloud offerings launch in Auckland

Consegna comes to town with AWS cloud offerings launch in Auckland

Emerging start-up Consegna has officially launched its cloud offerings in the New Zealand market, through a kick-off event held at Seafarers Building in Auckland.​ Founded in June 2016, the Auckland-based business is backed by AWS and supported by a global team of cloud specialists, leveraging global managed services partnerships with Rackspace locally.

Consegna comes to town with AWS cloud offerings launch in Auckland
Show Comments