Creating a YouTube TV that could steal your private videos – $6,000 CSRF
This video explains a vulnerability found through Google's bug bounty program. The bug was a CSRF (cross-site request forgery) that allowed stealing private and unlisted videos from YouTube.
Report:
https://bugs.xdavidhu.me/google/2021/04/05/i-built-a-tv-that-plays-all-of-your-private-youtube-videos/
Reporter’s Twitter:
https://twitter.com/xdavidhu
POC script:
https://gist.github.com/xdavidhu/b264ee21d8586e580adc7f821ddfbfc9
Follow me on Twitter:
https://twitter.com/gregxsunday
00:00 Intro
00:35 Pairing YT TV with the browser
03:35 The bug
04:48 Pairing the victim with our TV
05:48 Video ID?