[Bug Bounty] Youtube content security policy bypass using fake referer

Hey,

So vacations have started and I thought I would share one of my findings from the Google bug bounty program. The vulnerability I discovered was a content security policy bypass that allowed clickjacking of the whole of YouTube and its subdomains. Its impact was high: I was able to comment, subscribe, like, upload, log in and do everything else possible 😉.

Vulnerable domains:

  1. youtube.com
  2. studio.youtube.com
  3. gaming.youtube.com
  4. other subdomains

So you may wonder how it is possible to clickjack YouTube while its content security policy was:

[Image: spidersec - youtube cps bypass (the content security policy headers)]

After a long period of research I found the simple rule behind how YouTube's X-Frame-Options: "SAMEORIGIN" works.

The concept: if the request carries Referer=www.google.com, the server accepts the request to <iframe> the page; otherwise it rejects the request to <iframe> it.

So I sent a fake Referer=www.google.com from a prepared clickjacking page using Burp Suite.

[Image: spidersec - youtube cps bypass]

and the whole of YouTube was clickjacked with authenticated sessions.
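To make the concept above concrete, the following added example (not the author's code and not YouTube's implementation; the allow-list, origins, header values and the decision logic are all assumptions) models the Referer-keyed framing policy the post describes beside a fixed policy that always emits browser-enforced headers. It also includes a small simulation of the browser's framing decision and an audit function a defender can run over response headers when checking a site for clickjacking protection.

```python
# Added example: Referer-keyed framing policy (the concept described in the post)
# beside a browser-enforced policy, with a simulated browser check and an audit.
# Not YouTube's implementation; allow-list, origins and header values are assumed.
from typing import Optional
from urllib.parse import urlsplit

# Assumed allow-list of origins the server lets embed its pages.
ALLOWED_FRAMERS = {"https://www.google.com"}


def origin_of(url: str) -> str:
    """Return scheme://host[:port] for a URL, or '' when it has no usable origin."""
    p = urlsplit(url or "")
    return f"{p.scheme}://{p.netloc}".lower() if p.scheme and p.netloc else ""


def referer_keyed_policy(request_headers: dict) -> dict:
    """Weak design (the rule the post describes): the framing headers on the
    response depend on the client-supplied Referer header."""
    if origin_of(request_headers.get("Referer", "")) in ALLOWED_FRAMERS:
        return {}  # trusted referer: no framing restriction is sent at all
    return {"X-Frame-Options": "SAMEORIGIN"}


def fixed_policy(request_headers: dict) -> dict:
    """Hardened design: the same browser-enforced headers on every response,
    whatever the request headers say. frame-ancestors carries the allow-list."""
    allowed = " ".join(sorted(ALLOWED_FRAMERS))
    return {
        "X-Frame-Options": "SAMEORIGIN",  # fallback for browsers without CSP frame-ancestors
        "Content-Security-Policy": f"frame-ancestors 'self' {allowed}",
    }


def frame_ancestors_sources(csp: str) -> Optional[list]:
    """Extract the frame-ancestors source list from a CSP value, or None if absent."""
    for directive in csp.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return tokens[1:]
    return None


def browser_allows_framing(response_headers: dict, page_origin: str, framer_origin: str) -> bool:
    """Simulate the browser's decision for a document at page_origin embedded by a
    page at framer_origin. frame-ancestors takes precedence over X-Frame-Options;
    with neither header present, framing is allowed."""
    sources = frame_ancestors_sources(response_headers.get("Content-Security-Policy", ""))
    if sources is not None:
        if "'none'" in sources:
            return False
        for src in sources:
            if src == "'self'" and framer_origin == page_origin:
                return True
            if src == "*" or src.lower() == framer_origin:
                return True
        return False
    xfo = response_headers.get("X-Frame-Options", "").strip().upper()
    if xfo == "DENY":
        return False
    if xfo == "SAMEORIGIN":
        return framer_origin == page_origin
    return True  # no protection header at all


def audit_framing_protection(response_headers: dict) -> str:
    """Classify a response for a header audit: 'csp', 'xfo-only' or 'none'."""
    if frame_ancestors_sources(response_headers.get("Content-Security-Policy", "")) is not None:
        return "csp"
    if response_headers.get("X-Frame-Options", "").strip().upper() in {"DENY", "SAMEORIGIN"}:
        return "xfo-only"
    return "none"


if __name__ == "__main__":
    # Constructed request as a proxy would replay it, with a spoofed Referer.
    spoofed = {"Referer": "https://www.google.com/"}
    page, third_party = "https://www.youtube.com", "https://third-party.example"
    for name, policy in (("weak", referer_keyed_policy), ("fixed", fixed_policy)):
        headers = policy(spoofed)
        print(name, audit_framing_protection(headers),
              "framed by third party:", browser_allows_framing(headers, page, third_party))
```

The point the two policies illustrate is which side supplies the input to the decision: the weak policy consults a header the client sends, so anything that can alter the request changes the outcome, while the fixed policy's headers are evaluated by the user's browser against the real embedding origin and do not vary with the request. The audit function reports "none" for the weak policy's trusted-referer response and "csp" for the fixed one, which is the kind of difference a header scan of a site should surface.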

[SCREENSHOT – 1]
[SCREENSHOT – 2]
[SCREENSHOT – 3]
[SCREENSHOT – 4]
[SCREENSHOT – 5]
[SCREENSHOT – 6]
[SCREENSHOT – 7]
(all seven screenshots carry the alt text "spidersec - youtube cps bypass")

Impacts:

  1. delete videos.
  2. delete comments.
  3. like and dislike videos.
  4. edit video titles.
  5. edit settings.
  6. create brand accounts.

Hope you like it.

Cheers 🙂

Follow me on Twitter: @SpiderSec


7 Thoughts to “[Bug Bounty] Youtube content security policy bypass using fake referer”

  1. Manish

    how much bounty?

    1. “0”, they marked it as a duplicate 🙂 but I know they lied xddd, Google is no longer fair

      1. Someone told me that you reported this bug. Kindly tell me.
        Did YOU find the bug & report it?

        1. Hello, yes, I (Suvadip Kar) found it last year.

  2. Thakur Saini

    How did you set the Referer in the clickjacking code?

  3. Ch Srinivas

    Nice finding bro 🙂
