Security researcher earns $6,000 bug bounty for thinking outside of the box

Smart TV web security flaw allowed miscreants to view private YouTube videos

A security researcher earned a $6,000 bug bounty after uncovering a set of web security flaws that allowed attackers to play supposedly private YouTube videos.

David Schütz (@xdavidhu) reported the privacy weaknesses to YouTube’s parent company Google, which acted promptly to shore up security controls after verifying the problem last July.

This cleared the way for Schütz to offer a detailed technical write-up on the privacy-related issue, which he published on Monday (April 5).

Remote control

Schütz first began exploring the issue some years ago after noticing the YouTube app on his Android phone gave him the option of playing private videos on a friend’s internet-connected smart television.

The researcher wasn’t signed into the TV at the time – a factor that later encouraged Schütz to explore how the technology worked after he had joined Google’s Vulnerability Reward Program.

The YouTube for Android TV app is, as it transpired, essentially a website rather than a complex Android application. Schütz discovered that the technology loads content in a WebView-like browser, called Cobalt.




After changing the User-Agent header on his PC-based browser to Cobalt, Schütz was able to get at the YouTube TV app and begin testing.

At the time, users were able to control a TV via the desktop YouTube site, even if they were on a different network. This feature has subsequently been removed from the user interface, according to Schütz.

After pairing an emulated smart TV with another browser running on a PC, Schütz discovered that he had the option of playing private YouTube videos on the television.

This setup allowed Schütz to examine the pairing process between a mobile device and a smart TV, and to uncover some interesting behavior along the way.

Going to the polls

After starting the pairing process, the TV switches into a ‘polling’ mode, which is quite a common thing at Google.

Instead of WebSockets, Google usually uses these bind requests, which are basically HTTP requests that take very long if there are no new events but return immediately if there are some. And the TV calls this /bind endpoint over and over.




Examining how this process worked allowed the researcher to figure out that Google was using an extra video-specific token, called ‘ctt’, in order to permit a user to play private YouTube videos:

When the user requests to play a private video, the event the TV receives from the /bind endpoint includes an extra ctt parameter next to the videoId.

When playing the video, the TV then requests the raw video URL from the /get_video_info endpoint and includes the ctt token as a GET parameter named vtt (for some reason).

Without the ctt token, the TV can’t watch the private video.

This ctt token supposedly only gives permission to watch that specific video rather than any other private video.

After examining the process using Burp Suite, Schütz uncovered a web security flaw in this “remote control” technology involving a POST request to a /bind endpoint.

“Due to a missing CSRF [cross-site request forgery] protection in the YouTube Lounge API (an API for remote controlling YouTube TVs), a malicious website could control/send commands to YouTube TVs, in the name of the victim who visited the website,” Schütz told The Daily Swig.

Outside the box

Left unaddressed, the flaw offered a means for an attacker to view videos marked as private on YouTube after only a minimal amount of social engineering trickery.

Schütz explained: “An attacker could have set up an evil TV, and using a malicious website, instruct the victim's browser to play all of the victim’s YouTube videos on the attacker's evil TV, thereby stealing all of the victim’s private and unlisted videos.”

In order to fix the flaw, Google made changes so that the /bind endpoint now requires an Authorization header with an OAuth Bearer token to be authenticated, according to Schütz.
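The difference between the two behaviours can be seen in a small server-side check. This is an added example, not code from Google or from Schütz's write-up: the cookie name, token values and in-memory stores are constructed, and it assumes the session cookie is one the browser attaches to cross-site requests.

```javascript
// Added example: all names, cookies and tokens below are constructed.
const SESSIONS = new Map([["sid-victim", "victim"]]);          // session cookie -> user
const BEARER_TOKENS = new Map([["tok-victim-app", "victim"]]); // OAuth token -> user

function parseCookies(header = "") {
  return Object.fromEntries(
    header.split(";").map(p => p.trim().split("=")).filter(kv => kv.length === 2));
}

// Pre-fix behaviour as described: an ambient session cookie alone authorises the call.
function authorizeBindCookieOnly(req) {
  const user = SESSIONS.get(parseCookies(req.headers.cookie).SID);
  return user ? { ok: true, user } : { ok: false, status: 401 };
}

// Post-fix behaviour: cookies are ignored; an explicit Bearer token is required.
// A cross-site form POST cannot attach this header, so the forged request fails.
function authorizeBindBearer(req) {
  const m = /^Bearer ([A-Za-z0-9._~+\/-]+=*)$/.exec(req.headers.authorization || "");
  if (!m) return { ok: false, status: 401 };   // header missing, wrong scheme, malformed
  const user = BEARER_TOKENS.get(m[1]);
  return user ? { ok: true, user } : { ok: false, status: 401 };
}

// What the server sees from a forged cross-site form POST (constructed):
// the browser adds the cookie on its own, but no Authorization header.
const forgedCrossSitePost = {
  method: "POST", path: "/bind",
  headers: { cookie: "SID=sid-victim", origin: "https://attacker.example",
             "content-type": "application/x-www-form-urlencoded" },
};
// What the server sees from the legitimate client after the fix (constructed).
const legitimateClientPost = {
  method: "POST", path: "/bind",
  headers: { authorization: "Bearer tok-victim-app" },
};

function compare() {
  return {
    forgedBeforeFix: authorizeBindCookieOnly(forgedCrossSitePost),
    forgedAfterFix: authorizeBindBearer(forgedCrossSitePost),
    legitimateAfterFix: authorizeBindBearer(legitimateClientPost),
  };
}
console.log(compare());
```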




Before the flaw was resolved, an attacker could have stolen all private and unlisted videos from a victim (and even the contents of private playlists such as the ‘Watch Later’ list), simply by enticing them to open a malicious website.

All an attacker would have needed to do was trick a victim into clicking a link while signed into YouTube, according to Schütz.

The Daily Swig invited Google to comment on Schütz’s research. No word as yet, but we’ll update this story as and when more information comes to hand.

