Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

I Built a TV That Plays All of Your Private YouTube Videos - 446

David Shutz - Posted 4 Years Ago
  • While sharing a video marked private on YouTube, the author wondered HOW the smart TV could magically play the video. From there, the TV APIs were reverse engineered and exploited.
  • The model for playing a private video works as follows:
    1. The TV polls for a command.
    2. The YouTube API checks whether the user sent anything. If the user sent something, it returns that command.
    3. The TV runs the command (returned from the YouTube API) that the user sent.
  • The vulnerability is that the user request does NOT have any CSRF protections. So, by creating a fake website, we can force the user to send a request to YouTube that binds a request for a TV on our behalf. The author then had to register a minimalist TV for this to work (lolz).
  • Even with the CSRF request, there was STILL one thing missing: which private video? It turns out that the request can be used to get a playlist. Because the playlist ID is predictable per user, this allows ALL private videos to be seen once this vulnerability was found.
  • Although this attack requires user interaction, this was an awesome bug discovery! I appreciate that harder-to-test functionality was done here; if it's easy to test, then everyone will test it.
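
The polling model and the missing CSRF check described above, as an added example that is not code from the original post or from YouTube. It is a simplified model: `CommandRelay`, `TRUSTED_ORIGIN`, the TV id and the command strings are all hypothetical, and the hardened path assumes an Origin check plus a per-session token as the mitigation.

```python
import hmac
import secrets
from collections import defaultdict, deque

TRUSTED_ORIGIN = "https://video.example"  # assumed first-party origin

class CommandRelay:
    """Toy model of the flow above: user request -> queue -> TV poll."""

    def __init__(self, check_csrf):
        self.check_csrf = check_csrf
        self.sessions = {}                # session cookie -> (user, csrf token)
        self.queues = defaultdict(deque)  # tv_id -> pending commands

    def login(self, user):
        cookie, token = secrets.token_hex(16), secrets.token_hex(16)
        self.sessions[cookie] = (user, token)
        return cookie, token

    def send_command(self, cookie, origin, csrf_token, tv_id, command):
        """The user's browser asks the API to queue a command for a TV."""
        session = self.sessions.get(cookie)
        if session is None:
            return 401
        user, expected = session
        if self.check_csrf:
            # A cookie alone proves who the browser belongs to, not which
            # page issued the request, so check the Origin and a secret token.
            if origin != TRUSTED_ORIGIN:
                return 403
            if not hmac.compare_digest(csrf_token or "", expected):
                return 403
        self.queues[tv_id].append((user, command))
        return 200

    def poll(self, tv_id):
        """The TV polls and receives the next queued command, if any."""
        q = self.queues[tv_id]
        return q.popleft() if q else None

def cross_site_request(relay, cookie):
    """Constructed cross-site request: the browser attaches the cookie,
    but the foreign page has its own Origin and cannot read the token."""
    return relay.send_command(cookie, "https://other.example", None,
                              "tv-1", "play-playlist")
```

With `check_csrf=False` the cross-site request is queued under the logged-in user's identity and delivered on the next poll; with `check_csrf=True` it is rejected before it reaches the queue.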