Monday, 20 April 2015

Google fixes comment cloning

A pair of security researchers from Egypt recently found an intriguing comment authentication bug on YouTube.

This bug was very much like the recent holes we've written about, in Facebook and YouTube, by means of which a crook could remove someone else's images or videos.

Except that this time, instead of deleting other people's data, Ahmed Aboul-Ela and Ibrahim M. El-Sayed figured out how to clone it!

You could 'borrow' other people's approvals and positive reviews so that it looked as though they were promoting your videos, too.

How it worked

Simply put, this is how the phoney-comment workflow starts:
Turn on 'Hold comments for review' on your own YouTube channel.
Wait for a comment to arrive, and go in and approve it.
Sniff and record the HTTP data from that approval operation.

At this point, you may be thinking, 'But Google insists on HTTPS for security, so how do you sniff the encrypted data out of the approval request?'

The answer is that you're not trying to eavesdrop on someone else's conversation with YouTube.

You've logged in yourself, and you're carrying out a perfectly normal transaction inside your own browser, on your own computer.

Both your browser and your computer are entirely under your control, so you can easily capture and decrypt your own traffic (for example by pointing the browser at an intercepting proxy whose certificate you have chosen to trust), or log the data right inside the browser itself, using its developer tools, before it's encrypted for transmission.

Now comes the switcheroo:
Change the comment identifier in the approval request to match someone else's comment on someone else's channel.
Keep your own video ID in the request, and keep your own authentication token. (That's the session data that proves you're already logged in.)

Bingo: the other person`s comment now appears under your video.
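To make the failure concrete, here is a small in-memory model of the approval step, added as an illustration and not taken from YouTube or from the researchers' write-up. The data model, the function names and the 'approved' table are assumptions; the only thing it reproduces from the article is the logic error: the server verifies that the session owns the video, but never verifies that the comment ID it is handed was actually posted on that video. The vulnerable handler sits beside the fixed one, and a replay routine performs the captured-then-modified request against each.

```python
# Illustrative model of the comment-approval bug described above.
# This is NOT YouTube's code: the data model, names and the
# "approved" table are assumptions made for the example.
from dataclasses import dataclass


@dataclass
class Comment:
    comment_id: str
    author: str
    video_id: str   # the video the comment was actually posted on
    text: str


@dataclass
class Video:
    video_id: str
    owner: str      # channel that owns the video


class CommentStore:
    def __init__(self):
        self.videos = {}      # video_id -> Video
        self.comments = {}    # comment_id -> Comment
        # (video_id, comment_id) pairs that are displayed under a video.
        self.approved = set()

    def shown_under(self, video_id):
        return sorted(c for v, c in self.approved if v == video_id)


class AuthError(Exception):
    pass


def approve_comment_vulnerable(store, session_user, video_id, comment_id):
    """Vulnerable: checks that the session owns the video, but trusts the
    comment_id blindly, so a comment from any channel can be 'approved'
    under this video."""
    video = store.videos[video_id]
    if video.owner != session_user:
        raise AuthError("not your video")
    if comment_id not in store.comments:
        raise KeyError(comment_id)
    store.approved.add((video_id, comment_id))  # missing: does the comment belong here?
    return True


def approve_comment_fixed(store, session_user, video_id, comment_id):
    """Fixed: the comment must have been posted on this very video."""
    video = store.videos[video_id]
    if video.owner != session_user:
        raise AuthError("not your video")
    comment = store.comments.get(comment_id)
    if comment is None or comment.video_id != video_id:
        # Report a mismatch the same way as a missing comment, so the
        # response does not confirm that the foreign comment ID exists.
        raise AuthError("comment not found on this video")
    store.approved.add((video_id, comment_id))
    return True


def build_sample_store():
    """Constructed sample data: attacker channel 'mallory', victim channel 'alice'."""
    s = CommentStore()
    s.videos["vid_attacker"] = Video("vid_attacker", owner="mallory")
    s.videos["vid_victim"] = Video("vid_victim", owner="alice")
    s.comments["c_own"] = Comment("c_own", "bob", "vid_attacker", "nice try")
    s.comments["c_celeb"] = Comment("c_celeb", "celebrity", "vid_victim", "Love this video!")
    # Alice legitimately approved the celebrity's comment on her own video.
    s.approved.add(("vid_victim", "c_celeb"))
    return s


def replay_attack(approve):
    """Replay the captured approval request with the comment ID swapped.
    Returns (attack_succeeded, comments shown under the attacker's video,
    comments still shown under the victim's video)."""
    s = build_sample_store()
    # Step 1: mallory approves a real comment on her own video and records the request.
    captured = {"session_user": "mallory", "video_id": "vid_attacker", "comment_id": "c_own"}
    approve(s, **captured)
    # Step 2: same session token, same video ID, but someone else's comment ID.
    forged = dict(captured, comment_id="c_celeb")
    try:
        approve(s, **forged)
        succeeded = True
    except AuthError:
        succeeded = False
    return succeeded, s.shown_under("vid_attacker"), s.shown_under("vid_victim")


if __name__ == "__main__":
    print("vulnerable:", replay_attack(approve_comment_vulnerable))
    print("fixed:     ", replay_attack(approve_comment_fixed))
```

Running it shows the two properties the article describes: with the vulnerable handler the celebrity's comment ends up listed under the attacker's video while it also stays under the victim's video (cloned, not moved), and with the fixed handler the forged request is rejected and nothing changes. The general lesson is that an authorization check on one identifier in a request (the video) does not cover the other identifiers it carries (the comment); every object the request names has to be tied back to the caller's rights.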

The comment doesn't get moved from the original channel to yours, and the owner of the original comment doesn't receive a notification.

As far as they're concerned, nothing has gone wrong: they still have exactly the same 'comment love' as they had before.

But if you've chosen an upbeat comment – one left by an influential celebrity, for example – that is generic enough to apply to your video
So, by choosing carefully, you could clone any number of influential, positive remarks and thereby greatly enhance the apparent popularity of your own video.

In the Google ecosystem, that could mean a significant, and dishonest, boost in ad revenue.

Additionally, as the bug-finders suggest, you could use this bug to attack particular users, for example to make them look bad, or to imply that they hold opinions they do not.

Imagine that your victims had commented positively on various videos supporting a cause of which they approved, or had argued in favour of an issue they supported.

You could publish a negative or inflammatory video that took a contrary position, and make it look as though they approved of your video, too.
