Security Bug in YouTube Exposes Viewing History, Playlists of Users

John Leyden, 20 January 2021 at 17:52 UTC. Updated: 21 January 2021 at 09:13 UTC

Embedded risk



Opening a website with an embedded YouTube video potentially allowed miscreants to access a user’s viewing history, favorites, and playlists.


The security bug – which earned a modest $1,337 bounty from Google – was uncovered by security researcher David Schutz, who went public with his findings earlier this week through a detailed technical blog post.


Schutz explained that he uncovered the vulnerability by connecting two things together in a somewhat “unexpected” way.



YouTube (YT) has an embedded player that allows website developers to embed videos into their own site. This player also has an API, which enables users to control the player and obtain information about it.


This allows a user to, for example, play/pause the player, load a new video/playlist, and list the contents of the currently playing playlist.


“This is of course, working as intended,” Schutz told The Daily Swig. “On YT everyone also has a few special private playlists, like (at the time) the playlist with the ID ‘HL’ contained the user’s watch history, the ‘WL’ the user’s watch later, and so on.”


There was also a special uploads playlist which, “when viewed by the channel owner, listed all uploaded videos, including unlisted ones”.


Stolen history


Schutz explained the flaw: “Since the YT embedded player is also logged in to YT, a malicious website could have embedded a player, instructed it to ..
