THE CENZIC BLOG
December 22, 2008

YouTube: Real World Hacking Example

CSRF vulnerabilities discovered in almost every action a user could perform on YouTube

YouTube is the second big-brand company we are featuring from Bill Zeller's recent paper and blog post, which showed it was vulnerable to cross-site request forgery (CSRF).

Zeller discovered CSRF vulnerabilities in nearly every action a user could perform on YouTube: the site accepted state-changing requests on the strength of the user's session cookie alone, so a page controlled by an attacker could have the victim's browser submit those requests while the victim was logged in. Specific details are described in the paper.

Here are a few examples of what an attacker could do on YouTube via the CSRF vulnerabilities: 

§ Add videos to a user's "Favorites,"

§ Add himself to a user's "Friend" or "Family" list,

§ Send arbitrary messages on the user's behalf,

§ Flag videos as inappropriate,

§ Automatically share a video with a user's contacts,

§ Subscribe a user to a "channel" (a set of videos published by one person or group) and,

§ Add videos to a user's "QuickList" (a list of videos a user intends to watch at a later point).  

According to the report, YouTube has fixed these vulnerabilities.

by
Erin Swanson
Eswanson@cenzic.com

