Uploaded by jeremiahgrossman on Sep 18, 2008
While doing some crossdomain.xml Flash research I noticed that YouTube's policy file trusted *.google.com. They've since removed it after I privately disclosed the following security flaw to Google.

My idea was that if an attacker could upload an arbitrary Flash movie (SWF) anywhere on the google.com domain, they could leverage that trust: the browser sends the victim's YouTube cookies with the SWF's requests, and the policy file tells the Flash player that a google.com-hosted SWF may read the responses. So if an authenticated YouTube user visited an attacker-controlled page anywhere on the Web, the attacker could embed the google.com-hosted SWF and use it to compromise the victim's YouTube username, email address, first/last name and viewing history, and even comment on or post/delete videos.

Billy Rios blogged in the past about being able to upload arbitrary files to google.com, but the only place I could locate that allowed SWFs when I checked was Gmail. Maybe others? Anyway, I emailed a SWF attachment to a Gmail account and located the download URL. Perfect, but the next problem was that even with the correct URL the victim is not authorized to view the file unless they are authenticated on THAT particular Gmail account. This is where the login-CSRF / identity misbinding trick the Stanford guys wrote up (Barth, Jackson and Mitchell, "Robust Defenses for Cross-Site Request Forgery", 2008) came in quite handy.

Here's the step by step.

1) Attacker emails a special SWF to a Gmail account they control and locates the attachment download URL on google.com.
2) Logged-in YouTube user visits an attacker-controlled page.
3) Attacker forces their victim to authenticate to the attacker's Gmail account (identity misbinding / login CSRF).
4) Attacker embeds the SWF from the Gmail account into the web page.
5) Attacker now has read/write access on YouTube.com as the victim's account.

Clever eh? :) I'm sure Google/YouTube aren't the only places where this scenario is possible.
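The root cause above is a crossdomain.xml that trusts a whole third-party domain, so any host under it that accepts a user-supplied SWF (here, a Gmail attachment) inherits the victim's YouTube session. The following is an added example, not code from the original post or from Google/YouTube: a small auditor that parses a policy file, implements the Flash wildcard matching rules, and flags the entries a pentester would want to see. The two policy files and the list of candidate upload hosts are constructed for illustration and are not YouTube's real policy; the registrable-domain helper is a naive last-two-labels approximation and is labelled as such.

```python
"""Audit a crossdomain.xml policy for trust an uploaded SWF could abuse."""
import xml.etree.ElementTree as ET

# Constructed sample shaped like the problem described above; NOT YouTube's
# actual policy file. Note the sibling-domain wildcard entry.
WEAK_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="*.youtube.com" />
  <allow-access-from domain="*.google.com" />
</cross-domain-policy>
"""

# Hardened version (also constructed): only the host that needs to script
# the API, only over HTTPS, and no other policy files honoured on the site.
HARDENED_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="master-only" />
  <allow-access-from domain="www.youtube.com" secure="true" />
</cross-domain-policy>
"""


def policy_domains(xml_text):
    """Return every domain pattern granted by <allow-access-from>."""
    root = ET.fromstring(xml_text)
    return [el.get("domain", "") for el in root.iter("allow-access-from")]


def domain_matches(pattern, host):
    """Flash wildcard semantics: '*' matches everything, '*.example.com'
    matches example.com and every subdomain, anything else is an exact host."""
    pattern, host = pattern.lower(), host.lower()
    if pattern == "*":
        return True
    if pattern.startswith("*."):
        suffix = pattern[2:]
        return host == suffix or host.endswith("." + suffix)
    return host == pattern


def registrable_domain(host):
    # Assumption: naive last-two-labels; real code should use the public
    # suffix list so that e.g. co.uk is handled correctly.
    return ".".join(host.lower().split(".")[-2:])


def audit_policy(xml_text, origin_host):
    """Return (entry, severity, reason) findings for a policy served by origin_host."""
    findings = []
    root = ET.fromstring(xml_text)
    own = registrable_domain(origin_host)

    meta = root.find("site-control")
    if meta is not None and meta.get("permitted-cross-domain-policies") == "all":
        findings.append(("site-control", "high",
                         "permitted-cross-domain-policies=all: any policy file "
                         "served from the site (e.g. under user uploads) is honoured"))

    for el in root.iter("allow-access-from"):
        d = el.get("domain", "")
        if d == "*":
            findings.append((d, "critical",
                             "any SWF on the web can read responses sent with the user's cookies"))
        elif d.startswith("*."):
            if registrable_domain(d[2:]) == own:
                findings.append((d, "medium",
                                 "every subdomain is trusted; one host that accepts SWF "
                                 "uploads compromises the whole origin"))
            else:
                findings.append((d, "high",
                                 "wildcard trust in a third-party domain; a SWF uploaded "
                                 "anywhere under it inherits the user's session"))
        elif registrable_domain(d) != own:
            findings.append((d, "medium",
                             "exact third-party host trusted; verify it serves no user-supplied content"))
        if el.get("secure", "true").lower() == "false":
            findings.append((d, "low",
                             "secure=false: SWFs loaded over plain HTTP may read HTTPS responses"))
    return findings


def trusted_swf_hosts(xml_text, candidate_hosts):
    """Which candidate upload hosts could serve an attacker's SWF and still be trusted?"""
    patterns = policy_domains(xml_text)
    return [h for h in candidate_hosts
            if any(domain_matches(p, h) for p in patterns)]


if __name__ == "__main__":
    # Constructed list of places an attacker might be able to park a SWF.
    uploads = ["mail.google.com", "docs.google.com", "attacker.example"]
    for entry, sev, why in audit_policy(WEAK_POLICY, "www.youtube.com"):
        print(f"[{sev}] {entry}: {why}")
    print("weak policy trusts:", trusted_swf_hosts(WEAK_POLICY, uploads))
    print("hardened policy trusts:", trusted_swf_hosts(HARDENED_POLICY, uploads))
```

Run against a live target by fetching https://target/crossdomain.xml and passing its body to `audit_policy` together with the hostname it was served from; every `high` finding is a candidate for exactly the "find a SWF upload under the trusted domain" hunt described above, and the `medium` subdomain wildcard is why a policy should name hosts rather than `*.site.com`.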
License: Standard YouTube License