14 DAY TRIAL // A vulnerability in the approval system for YouTube comments allowed the owner of an account to add comments published for other videos to the clips posted under their channel.
Exploited by ill-intended users, the flaw could have helped them clone opinions posted by celebrity users on other videos, thus enabling them to gain a larger audience.
Since popular YouTube channels can also generate profit from the advertisements displayed on the video content, the potential of the glitch for a crook becomes obvious.
Freely available tool used for the job
Egypt-based researchers Ibrahim El-Sayed and Ahmed Aboul-Ela discovered the weakness when checking how comments are authorized on Google’s video sharing platform.
YouTube channels allow the owner of the account to review the feedback from the viewers before it becomes public. Under this scenario, the owner can intercept the comment approval request and modify it in order to display any comment from any video.
As demonstrated by the researchers in the proof-of-concept clip below, all it takes is to replace the “comment_id” value and re-issue the tampered HTTP request.
Achieving this can be done with tools that are available online free of charge. The two researchers relied on Burp Suite’s Repeater functionality, which is included in the free version of the tool.
Stealing the comments done without leaving a trace
El-Sayed and Aboul-Ela say in a blog post that the original text for the original video was not affected in any way and the author was not alerted by this action, resulting in a completely inconspicuous operation.
The duo informed Google of the bug on March 25, and received confirmation from the company the very next day. The fix was deployed on March 31, when the researchers also received a monetary reward for the finding.
Aboul-Ela said that Google issued a check for $3,133.7 / €2,900, which is the maximum paid for disclosing vulnerabilities in normal Google applications.
