The Egyptian colleague Ahmed Aboul-Ela has discovered a vulnerability in YouTube that could be exploited by attackers to move comments from any video to another without any user-interaction.
Now imagine that you move the YouTube comment posted by any celebrity or public figure on some YouTube video to a video posted by you cool. Attackers can spoof, duplicate or copy the comments posted on discussion boards from any YouTube channel and make them appear as the messages left under his video.
In a similar way, an attacker could populate its discussion board by exploiting the flaw, an activity very useful when someone intends to increase its visibility or want to run PSYOPs operation by influencing wide audience manipulating comments from celebrities or public figures.
Ahmed Aboul-Ela was testing the reviewing comments feature, when he discovered that a YouTube comment posted to any video on the platform can be manipulated by the author of that YouTube channel by operating on the settings to “Hold all comments for review” before it gets posted.
Just a few weeks ago we reported about a simple logical vulnerability in YouTube that could have been exploited by anyone to delete any video from YouTube in just one shot.
By enabling this option, all the comments posted by different users on your video will be listed in the page of YouTube comments of your account, waiting for the user’s approval of removal.
At this point, by approving the any listed YouTube comment and intercepting the related HTTP request, an attacker can easily discover the comment_id and a video_id parameters in the POST request. By manipulating the video_id parameter, the expert got an error. Differently, by changing only the comment_id to any other comment_id value on any YouTube video, the HTTP request is successful and the YouTube comment will appear on the YouTube video chosen by Ahmed Aboul-Ela.
The trick is sneaky and goes undetected to the user that originally posted the YouTube comment because it does not remove the original comment from the original video and even the author of the comment does not get notified that his comment has been copied under another video.The researcher Ahmed Aboul-Ela reported the bug to YouTube that rewarded it with $3,133.7 under its bug bounty program, below the video PoC provided by the expert.
(Security Affairs – YouTube comment, Hacking)