Vulnerability Research Grants, Google's special reward program for vulnerabilities in its software, started a few months ago. Kamil Hismatullin, a Russian hacker encouraged by the prospect of a financial reward, decided to test the world's largest video service.
From such a giant one would expect only loopholes that are hard to detect or exploit. However, the Russian found a real bombshell. As you can see in the following image, in just one minute he was able to remove any video from the site, even those he had never published and could not manage.
Getting to this finding was obviously more difficult and took a few hours. He tested the service for susceptibility to two kinds of attack: XSS (cross-site scripting: a method of attacking a website that relies on embedding code, usually JavaScript, in the content of the attacked page; when displayed to other users, it may lead them to perform undesired actions. A script placed in the attacked page can bypass some of the mechanisms that control access to user data.) and CSRF (cross-site request forgery, abbreviated CSRF or XSRF: a method of attacking a website that is often, partly because the two are used together, confused with cross-site scripting (XSS) or regarded as a subset of it. The victims of CSRF are users who unknowingly send the server a request crafted by people with hostile intentions. In contrast to XSS, these attacks are not aimed at the websites themselves and do not necessarily change their content. The aim is to use the victim's privileges to perform an operation that would otherwise require the victim's consent. CSRF-type flaws also apply to FTP servers.)
The Russian quickly discovered that literally one click was enough to make any video disappear from the site.
POST https://www.youtube.com/live_events_edit_status_ajax?action_delete_live_event=1
event_id: ANY_VIDEO_ID
session_token: YOUR_TOKEN
Google responded to this request with a confirmation that the video had been deleted.
{
"success": 1
}
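The request above carries the caller's own session token together with an arbitrary video ID, which is the shape of a missing ownership check. The following is an added illustration, not code from YouTube or from the researcher's write-up: it assumes the server validated the session but never compared the caller with the video's owner, and every name and sample value in it is hypothetical.

```python
# Added illustration; hypothetical names, not YouTube's code.
# Constructed sample data: video id -> owning account.
VIDEOS = {"vid_alice_1": "alice", "vid_bob_1": "bob"}
# Constructed session tokens: token -> account.
SESSIONS = {"tok-alice": "alice", "tok-bob": "bob"}


def delete_unchecked(store, event_id, session_token):
    """Before: authenticates the caller but never asks who owns event_id."""
    if SESSIONS.get(session_token) is None:
        return {"success": 0, "error": "invalid session"}
    if store.pop(event_id, None) is None:
        return {"success": 0, "error": "not found"}
    return {"success": 1}


def delete_checked(store, event_id, session_token, audit):
    """After: deletion is allowed only when the caller owns the video."""
    caller = SESSIONS.get(session_token)
    if caller is None:
        return {"success": 0, "error": "invalid session"}
    owner = store.get(event_id)  # None when the id does not exist
    if owner != caller:
        # Same answer for "missing" and "not yours", so ids cannot be probed;
        # the denied attempt is recorded so it can be alerted on.
        audit.append({"caller": caller, "event_id": event_id, "denied": True})
        return {"success": 0, "error": "not found"}
    del store[event_id]
    audit.append({"caller": caller, "event_id": event_id, "denied": False})
    return {"success": 1}


if __name__ == "__main__":
    store, audit = dict(VIDEOS), []
    print(delete_unchecked(dict(VIDEOS), "vid_bob_1", "tok-alice"))
    print(delete_checked(store, "vid_bob_1", "tok-alice", audit), audit)
```

A burst of denied entries from one account in the audit list is the signal a detection rule would key on.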
"In a few hours I could have removed Justin Bieber's entire channel. [...] I decided to inform Google. The service responded very quickly. It's no wonder – the gap allowed deleting a gigantic amount of footage in a very short time. They fixed it in a few hours, and I picked up five thousand US dollars. No Justin Bieber recording was harmed." – the Russian writes on his blog.
It is difficult to assess whether the hacker would face any consequences in this case. After all, the whole situation proves that security testing is necessary. Google's entire floors of developers did not notice the error, which could have brought the service to its knees.