Embedded risk

Details of YouTube viewing history exposure bug made public

Opening a website with an embedded YouTube video potentially allowed miscreants to access a user’s viewing history, favorites, and playlists.

The security bug – which earned a modest $1,337 bounty from Google – was uncovered by security researcher David Schutz, who went public with his findings earlier this week through a detailed technical blog post.

Schutz explained that he uncovered the vulnerability by connecting two things together in a somewhat “unexpected” way.


YouTube (YT) has an embedded player that allows website developers to embed videos into their own site. This player also has a JavaScript API, which lets the embedding page’s scripts control the player and query its state.

This allows a user to, for example, play/pause the player, load a new video/playlist, and list the contents of the currently playing playlist.

“This is of course, working as intended,” Schutz told The Daily Swig. “On YT everyone also has a few special private playlists, like (at the time) the playlist with the ID ‘HL’ contained the user’s watch history, the ‘WL’ the user’s watch later, and so on.”

There was also a special uploads playlist which, “when viewed by the channel owner, listed all uploaded videos, including unlisted ones”.

Stolen history

Schutz explained the flaw: “Since the YT embedded player is also logged in to YT, a malicious website could have embedded a player, instructed it to play e.g. the ‘HL’ playlist (which would start playing the currently visiting user’s watch history), and get the contents of the playlists using the API the embedded player has, thereby stealing the watch history of the user who opened the website.”

He continued: “The attacker could also have prepared a page for a specific victim, which when opened by that victim, would steal the victim’s unlisted videos (which otherwise would require knowing the ID to watch).”

Schutz’s blog post goes on to list other ways to exploit the bug.

“The main issue was that you were able to load private playlists into the player in the name of the victim, and later steal the contents of those private playlists,” he concludes.

The Daily Swig asked Google to comment on Schutz’s findings but we’re yet to hear back.

Schutz has previously disclosed two other YouTube security flaws, including one enabling the theft of any private YouTube video if you knew its ID.
