Thursday, September 18, 2008

I used to know what you watched, on YouTube

In doing some crossdomain.xml Flash research I noticed that YouTube’s policy file trusted * They quickly removed it after I privately disclosed the following security flaw to Google.

My idea was if an attacker could upload an arbitrary Flash movie (SWF) anywhere on the domain they could leverage that trust. So if an authenticated YouTube user visited an attacker-controlled page anywhere on the Web, the attacker could SRC in the hosted SWF, and use it compromise the victims YouTube username, email address, first/last name, viewing history, and even comment or post/delete videos.

Billy Rios blogged in the past about being able to upload arbitrary files to, but the only place I could locate that allowed SWFs when I checked was Gmail. Maybe others?

Anyway, I emailed a SWF attachment to a Gmail account and located the download URL. Perfect, but the next problem was even with the correct URL the victim is not authorized to view the file unless they are authenticated on THAT particular Gmail account. This is where the login-CSRF / identity misbinding trick the Stanford guys wrote up came in quite handy.

Here’s the step by step.

1) Attacker emails a special SWF to a Gmail account they control and locates the attachment download URL on
2) Logged-in YouTube user visits an attacker controlled page
3) Attacker forces their victim to authenticate to the attackers Gmail account (identify misbinding / CSRF).
4) Attacker embeds SWF from the Gmail account into the web page
5) Attacker now has read write access on as the victim's account.


Clever eh? :) I’m sure the Google/YouTube aren’t the only places where this particular scenario is still possible.

Many thanks to Rich Cannings and Chris Evans from the Google Security team who sheparded this along!


Anonymous said...

very nice discovery man.

kuza55 said...

Been there done that, got the tshirt will be presenting lots of gmail 0day at Power of Community :p

Speaking of the login trick, why do I never get any credit for anything: (I even spent a good portion of time explaining it at 24c3)

P.S. Damn Stanford team getting my gadgets 0day patched and not even knowing how to fully exploit it.

kuza55 said...

P.P.S Cool find though :) (Sorry, let my bitterness get in the way of what I meant to say yet again), I honestly hadn't even considered using an essentially logged-out XSF (Stefano's term) to abuse trust policies, thanks for the info :D

Billy (BK) Rios said...

Sweet! I talked about using CSRF to login to someone's gmail acct and pull an attachment at DEFCON 15(Biting the Hand That Feeds You), but I wasn't creative enough to pull off an attack like this! Great job and way to put the peices together!

Anonymous said...

Cool shit man!

Rios and I found some stuff similar to this that we talked about at DEFCON 15 (Biting the Hand That Feeds You), but this is a real interesting vector you leveraged there. It's also fairly similar to other content ownership issues that have been discussed, really it's things like this that led to the ideas for the GIFAR stuff.

I think you and I talked about how PDP and I talked about the GIFAR thing and realized we had went slightly different directions with the same thing. I find it real interesting how often people find their ideas intersecting on this stuff. We didn't get time to have our meeting at Vegas, but we should get a handful of minds together and talk about some of this stuff in the future, see what comes out of it.

That said, since you, Kuza, Rios and I have all found similar flaws with this, I couldn't help but point to a rap song that Rios and I wrote back in 1994 that claims our legtimacy to the pwnership of this research... here it goes:

"Listen close as life turns its pages McNasty here kickin rhymes for the ages

See things is changin
Wise words spoken by sages

From Skytel to Blackberry pagers
Your crew dont phase us

We'll make you busters pay us
Run up in yo spot like CJ from San Andreas

Rios and I wrote this sploit a long time ago
A real long time ago, can ya FEEL ME?
We wrote this sploit a long time ago
It was the dopest sploit that we wrote, back in 94"

Ok, I'm just kidding, we didn't write the sploit back in '94. And I didn't write that rap either. It came from Chappelle show... go watch that shit if you haven't seen it, it's hilarious.

Good stuff JG, peace!

Jeremiah Grossman said...

@kuza55, I think this keeps happening to you. I might have to run my exploit blog posts by you from now off for a sanity check. :)

Jeremiah Grossman said...

@Nate/Billy, thanks guys. So much research around the same areas. Just fitting the pieces together in interesting ways.

Anonymous said...

ohh... your great man. !!!

golabi said...

Very useful blog.
Thanks for sharing Jeremiah.
i create a link in my blog,


Anonymous said...

how did u src the swf object. I copied the download url location of a swf att, used param object embed stuff, but swf ile didn't execute the js code that was inside the flash file

Alida Antonia Cornelius said...

I would like to know what/if Apple's Mobile Me mail has CSRF protection.
I pay about $100 bucks a year for my email account because I figured it was very secure and I could never lose my account as I use it for my business.

So, does this mean Google gmail is more Secure than Apple's Mobile Me mail?

Thanks in advance for any answer to this question.