Opening a website with an embedded YouTube video potentially allowed miscreants to access a user’s viewing history, favorites, and playlists.
The security bug – which earned a modest $1,337 bounty from Google – was uncovered by security researcher David Schutz, who went public with his findings earlier this week through a detailed technical blog post.
Schutz explained that he uncovered the vulnerability by connecting two things together in a somewhat “unexpected” way.
YouTube (YT) offers an embeddable player that lets website developers place videos on their own sites. The player also exposes a JavaScript API through which the embedding page can control the player and query information about it.
This allows a user to, for example, play/pause the player, load a new video/playlist, and list the contents of the currently playing playlist.
“This is of course, working as intended,” Schutz told The Daily Swig. “On YT everyone also has a few special private playlists, like (at the time) the playlist with the ID ‘HL’ contained the user’s watch history, the ‘WL’ the user’s watch later, and so on.”
There was also a special uploads playlist which, “when viewed by the channel owner, listed all uploaded videos, including unlisted ones”.
Schutz explained the flaw: “Since the YT embedded player is also logged in to YT, a malicious website could have embedded a player, instructed it to play e.g. the ‘HL’ playlist (which would start playing the currently visiting user's watch history), and get the contents of the playlists using the API the embedded player has, thereby stealing the watch history of the user who opened the website.”
He continued: “The attacker could also have prepared a page for a specific victim, which when opened by that victim, would steal the victim’s unlisted videos (which otherwise would require knowing the ID to watch).”
Schutz’s blog post goes on to list other ways to exploit the bug.
“The main issue was that you were able to load private playlists into the player in the name of the victim, and later steal the contents of those private playlists,” he concludes.
The Daily Swig asked Google to comment on Schutz’s findings but we’re yet to hear back.
Schutz has previously disclosed two other YouTube security flaws, including one enabling the theft of any private YouTube video if you knew its ID.