221486 Resource 202615 202768 202768 1229980620566 1229997033645 Controlled YouTube: Real World Hacking Example CSRF vulnerabilities discovered in almost every action a user could perform on YouTube <p><a href="http://www.freedom-to-tinker.com/blog/wzeller/popular-websites-vulnerable-cross-site-request-forgery-attacks"><img alt="YouTube - Real World Hacking Example" hspace="10" src="http://www.cenzic.com/images/blog/youtube.jpg" align="right" vspace="10" border="0" /></a>YouTube is the second big-brand company that we are featuring from Bill Zeller&rsquo;s recent <a title="CSRF paper on these popular vulnerabilities" href="http://www.freedom-to-tinker.com/sites/default/files/csrf.pdf" target="_blank"><strong><u>paper</u></strong></a> and <a title="CSRF vulnerabilities found on 4 big Websites" href="http://www.freedom-to-tinker.com/blog/wzeller/popular-websites-vulnerable-cross-site-request-forgery-attacks" target="_blank"><strong><u>post</u></strong></a> that got hacked through a CSRF vulnerability.&nbsp;&nbsp;&nbsp; </p><p>Zeller discovered CSRF vulnerabilities in nearly every action a user could perform on YouTube.&nbsp; Specific details are described in the paper.&nbsp; </p><p>Here are a few examples of what an attacker could do on YouTube via the CSRF vulnerabilities:&nbsp; </p><p style="MARGIN: 0in 0in 0pt 0.5in; TEXT-INDENT: -0.25in; LINE-HEIGHT: normal; mso-list: l0 level1 lfo1; tab-stops: list .5in"><font color="#333333"><span lang="EN" style="COLOR: red; FONT-FAMILY: Wingdings; mso-bidi-font-size: 10.0pt; mso-fareast-font-family: Wingdings; mso-bidi-font-family: Wingdings; mso-ansi-language: EN; mso-bidi-font-weight: bold"><span style="mso-list: Ignore"><font size="3">&sect;</font><span style="FONT-WEIGHT: normal; FONT-SIZE: 7pt; LINE-HEIGHT: normal; FONT-STYLE: normal; FONT-VARIANT: normal">&nbsp;</span></span></span><span lang="EN" style="FONT-SIZE: 10pt; FONT-FAMILY: Verdana; mso-ansi-language: EN">Add videos to a user's &quot;Favorites,&quot; </span></font></p><p style="MARGIN: 0in 0in 0pt 0.5in; TEXT-INDENT: -0.25in; LINE-HEIGHT: normal; mso-list: l0 level1 lfo1; tab-stops: list .5in"><span lang="EN" style="FONT-SIZE: 10pt; FONT-FAMILY: Verdana; mso-ansi-language: EN"></span><font color="#333333"><span lang="EN" style="COLOR: red; FONT-FAMILY: Wingdings; mso-bidi-font-size: 10.0pt; mso-fareast-font-family: Wingdings; mso-bidi-font-family: Wingdings; mso-ansi-language: EN; mso-bidi-font-weight: bold"><span style="mso-list: Ignore"><font size="3">&sect;</font><span style="FONT-WEIGHT: normal; FONT-SIZE: 7pt; LINE-HEIGHT: normal; FONT-STYLE: normal; FONT-VARIANT: normal">&nbsp;</span></span></span><span lang="EN" style="FONT-SIZE: 10pt; FONT-FAMILY: Verdana; mso-ansi-language: EN">Add himself to a user's &quot;Friend&quot; or &quot;Family&quot; list,</span></font></p><p style="MARGIN: 0in 0in 0pt 0.5in; TEXT-INDENT: -0.25in; LINE-HEIGHT: normal; mso-list: l0 level1 lfo1; tab-stops: list .5in"><span lang="EN" style="FONT-SIZE: 10pt; FONT-FAMILY: Verdana; mso-ansi-language: EN"></span><font color="#333333"><span lang="EN" style="COLOR: red; FONT-FAMILY: Wingdings; mso-bidi-font-size: 10.0pt; mso-fareast-font-family: Wingdings; mso-bidi-font-family: Wingdings; mso-ansi-language: EN; mso-bidi-font-weight: bold"><span style="mso-list: Ignore"><font size="3">&sect;</font><span style="FONT-WEIGHT: normal; FONT-SIZE: 7pt; LINE-HEIGHT: normal; FONT-STYLE: normal; FONT-VARIANT: normal">&nbsp;</span></span></span><span lang="EN" style="FONT-SIZE: 10pt; FONT-FAMILY: Verdana; mso-ansi-language: EN">Send arbitrary messages on the user's behalf,</span></font></p><p style="MARGIN: 0in 0in 0pt 0.5in; TEXT-INDENT: -0.25in; LINE-HEIGHT: normal; mso-list: l0 level1 lfo1; tab-stops: list .5in"><span lang="EN" style="FONT-SIZE: 10pt; FONT-FAMILY: Verdana; mso-ansi-language: EN"></span><font color="#333333"><span lang="EN" style="COLOR: red; FONT-FAMILY: Wingdings; mso-bidi-font-size: 10.0pt; mso-fareast-font-family: Wingdings; mso-bidi-font-family: Wingdings; mso-ansi-language: EN; mso-bidi-font-weight: bold"><span style="mso-list: Ignore"><font size="3">&sect;</font><span style="FONT-WEIGHT: normal; FONT-SIZE: 7pt; LINE-HEIGHT: normal; FONT-STYLE: normal; FONT-VARIANT: normal">&nbsp;</span></span></span><span lang="EN" style="FONT-SIZE: 10pt; FONT-FAMILY: Verdana; mso-ansi-language: EN">Flag videos as inappropriate,</span></font></p><p style="MARGIN: 0in 0in 0pt 0.5in; TEXT-INDENT: -0.25in; LINE-HEIGHT: normal; mso-list: l0 level1 lfo1; tab-stops: list .5in"><span lang="EN" style="FONT-SIZE: 10pt; FONT-FAMILY: Verdana; mso-ansi-language: EN"></span><font color="#333333"><span lang="EN" style="COLOR: red; FONT-FAMILY: Wingdings; mso-bidi-font-size: 10.0pt; mso-fareast-font-family: Wingdings; mso-bidi-font-family: Wingdings; mso-ansi-language: EN; mso-bidi-font-weight: bold"><span style="mso-list: Ignore"><font size="3">&sect;</font><span style="FONT-WEIGHT: normal; FONT-SIZE: 7pt; LINE-HEIGHT: normal; FONT-STYLE: normal; FONT-VARIANT: normal">&nbsp;</span></span></span><span lang="EN" style="FONT-SIZE: 10pt; FONT-FAMILY: Verdana; mso-ansi-language: EN">Automatically share a video with a user's contacts, </span></font></p><p style="MARGIN: 0in 0in 0pt 0.5in; TEXT-INDENT: -0.25in; LINE-HEIGHT: normal; mso-list: l0 level1 lfo1; tab-stops: list .5in"><span lang="EN" style="FONT-SIZE: 10pt; FONT-FAMILY: Verdana; mso-ansi-language: EN"></span><font color="#333333"><span lang="EN" style="COLOR: red; FONT-FAMILY: Wingdings; mso-bidi-font-size: 10.0pt; mso-fareast-font-family: Wingdings; mso-bidi-font-family: Wingdings; mso-ansi-language: EN; mso-bidi-font-weight: bold"><span style="mso-list: Ignore"><font size="3">&sect;</font><span style="FONT-WEIGHT: normal; FONT-SIZE: 7pt; LINE-HEIGHT: normal; FONT-STYLE: normal; FONT-VARIANT: normal">&nbsp;</span></span></span><span lang="EN" style="FONT-SIZE: 10pt; FONT-FAMILY: Verdana; mso-ansi-language: EN">Subscribe a user to a &quot;channel&quot; (a set of videos published by one person or group) and, </span></font></p><p style="MARGIN: 0in 0in 0pt 0.5in; TEXT-INDENT: -0.25in; LINE-HEIGHT: normal; mso-list: l0 level1 lfo1; tab-stops: list .5in"><span lang="EN" style="FONT-SIZE: 10pt; FONT-FAMILY: Verdana; mso-ansi-language: EN"></span><span lang="EN" style="COLOR: red; FONT-FAMILY: Wingdings; mso-bidi-font-size: 10.0pt; mso-fareast-font-family: Wingdings; mso-bidi-font-family: Wingdings; mso-ansi-language: EN; mso-bidi-font-weight: bold"><span style="mso-list: Ignore"><font color="#333333"><font size="3"><span lang="EN" style="COLOR: red; FONT-FAMILY: Wingdings; mso-bidi-font-size: 10.0pt; mso-fareast-font-family: Wingdings; mso-bidi-font-family: Wingdings; mso-ansi-language: EN; mso-bidi-font-weight: bold"><span style="mso-list: Ignore"><font size="3">&sect;</font><span style="FONT-WEIGHT: normal; FONT-SIZE: 7pt; LINE-HEIGHT: normal; FONT-STYLE: normal; FONT-VARIANT: normal">&nbsp;</span></span></span></font></font></span></span><span lang="EN" style="FONT-SIZE: 10pt; FONT-FAMILY: Verdana; mso-ansi-language: EN"><font color="#000000"><font color="#333333">Add videos to a user's &quot;QuickList&quot; (a list of videos a user intends to watch at a later point).</font>&nbsp;</font></span>&nbsp;</p><p /><p>According to the report, YouTube has fixed these vulnerabilities. </p><p>by<br /><strong>Erin Swanson<br /></strong><a href="mailto:Eswanson@cenzic.com"><strong><u>Eswanson@cenzic.com</u></strong></a></p> 9 application/xml false hack YouTube Popular Websites Vulnerable to Cross-Site Request Forgery Attacks 4 real-world example of how hackers attack Websites http://www.freedom-to-tinker.com/blog/wzeller/popular-websites-vulnerable-cross-site-request-forgery-attacks Cross-Site Request Forgeries: Exploitation and Prevention Read this 13 page paper on CSRF http://www.freedom-to-tinker.com/sites/default/files/csrf.pdf Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727) 127.0.0.1 127.0.0.1 eswanson 64.60.123.45 false true false false true 204329 false false true false false false true 202615 blog blogsite/Cenzic/web