Please provide an attack scenario. Can you do that?
On Fri, Mar 14, 2014 at 9:23 PM, Nicholas Lemonias. <lem.niko...@googlemail.com> wrote:

> Are you sure this json response, or this file, will be there in a month? Or in a year? Is the fact that this json response exists a threat to youtube? Can you quantify how much of a threat? How much, in dollars, does it hurt their business?
>
> This file may be here if the admins don't delete it. Now they may do ;@)
>
> So where do you think that information is coming from? The metadata and tags, and headers are contained in a database.
>
> The files are stored persistently, since they can be quoted. So the API works both ways. The main thing here is that the files are there, otherwise their metadata information would be deleted from the db as well.
>
> http://gdata.youtube.com/demo/index.html?utm_source=twitterfeed&utm_medium=twitter
>
> Youtube DATA API is unique.. the commands can be sent through that interface... So we do definitely know that that is coming from a database.
>
> On Fri, Mar 14, 2014 at 8:22 PM, Nicholas Lemonias. <lem.niko...@googlemail.com> wrote:
>
>> You are trying to execute an sh script through a video player. That's an exec() command. So it's the wrong way about accessing the file.
>>
>> On Fri, Mar 14, 2014 at 8:20 PM, R D <rd.secli...@gmail.com> wrote:
>>
>>> No it's not. As Chris and I are saying, you don't have proof your file is accessible to others, only that it was uploaded. Now, you see, when you upload a video to youtube, you get the address where it will be viewable in the response. In your case:
>>>
>>> {
>>>   "sessionStatus": {
>>>     "state": "FINALIZED",
>>>     "externalFieldTransfers": [
>>>       {
>>>         "name": "file",
>>>         "status": "COMPLETED",
>>>         "bytesTransferred": 113,
>>>         "bytesTotal": 113,
>>>         "formPostInfo": {
>>>           "url": "http://www.youtube.com/upload/rupio?authuser=0\u0026upload_id=AEnB2UqVZlaog3GremriQEGDoUK3cdGGPu9MVIfyObgYajjo6i1--uQicn6jhbwsdNrqSF4ApbUbhCcwzdwe4xf_XTbL_t5-aw\u0026file_id=000",
>>>           "cross_domain_url": "http://upload.youtube.com/?authuser=0\u0026upload_id=AEnB2UqVZlaog3GremriQEGDoUK3cdGGPu9MVIfyObgYajjo6i1--uQicn6jhbwsdNrqSF4ApbUbhCcwzdwe4xf_XTbL_t5-aw\u0026origin=CiNodHRwOi8vd3d3LnlvdXR1YmUuY29tL3VwbG9hZC9ydXBpbxINdmlkZW8tdXBsb2Fkcw"
>>>         },
>>>         "content_type": "text/x-sh"
>>>       }
>>>     ],
>>>     "additionalInfo": {
>>>       "uploader_service.GoogleRupioAdditionalInfo": {
>>>         "completionInfo": {
>>>           "status": "SUCCESS",
>>>           "customerSpecificInfo": {
>>>             "status": "ok",
>>>             "video_id": "KzKDtijwHFI"
>>>           }
>>>         }
>>>       }
>>>     },
>>>     "upload_id": "AEnB2UqVZlaog3GremriQEGDoUK3cdGGPu9MVIfyObgYajjo6i1--uQicn6jhbwsdNrqSF4ApbUbhCcwzdwe4xf_XTbL_t5-aw"
>>>   }
>>> }
>>>
>>> And what do we get when we browse to https://youtube.com/watch?v=KzKDtijwHFI ? Nothing.
>>>
>>> Can you send me a link where I can access the file content of the arbitrary file you uploaded?
>>>
>>> Are you sure this json response, or this file, will be there in a month? Or in a year? Is the fact that this json response exists a threat to youtube? Can you quantify how much of a threat? How much, in dollars, does it hurt their business?
>>>
>>> --Rob
>>>
>>> On Fri, Mar 14, 2014 at 9:08 PM, Nicholas Lemonias. <lem.niko...@googlemail.com> wrote:
>>>
>>>> My claim is now verified....
>>>>
>>>> Cheers!
>>>>
>>>> On Fri, Mar 14, 2014 at 8:04 PM, Nicholas Lemonias. <lem.niko...@googlemail.com> wrote:
>>>>
>>>>> http://upload.youtube.com/?authuser=0&upload_id=AEnB2UqVZlaog3GremriQEGDoUK3cdGGPu9MVIfyObgYajjo6i1--uQicn6jhbwsdNrqSF4ApbUbhCcwzdwe4xf_XTbL_t5-aw&origin=CiNodHRwOi8vd3d3LnlvdXR1YmUuY29tL3VwbG9hZC9ydXBpbxINdmlkZW8tdXBsb2Fkcw
>>>>>
>>>>> That information can be queried from the db, where the metadata are saved. The files are being saved persistently, as per the above example.
>>>>>
>>>>> On Fri, Mar 14, 2014 at 8:04 PM, Nicholas Lemonias. <lem.niko...@googlemail.com> wrote:
>>>>>
>>>>>> http://upload.youtube.com/?authuser=0&upload_id=AEnB2UqVZlaog3GremriQEGDoUK3cdGGPu9MVIfyObgYajjo6i1--uQicn6jhbwsdNrqSF4ApbUbhCcwzdwe4xf_XTbL_t5-aw&origin=CiNodHRwOi8vd3d3LnlvdXR1YmUuY29tL3VwbG9hZC9ydXBpbxINdmlkZW8tdXBsb2Fkcw
>>>>>>
>>>>>> That information can be queried from the db, where the metadata are saved. The files are being saved persistently, as per the above example.
>>>>>>
>>>>>> On Fri, Mar 14, 2014 at 8:00 PM, Chris Thompson <christhom7...@gmail.com> wrote:
>>>>>>
>>>>>>> Hi Nikolas,
>>>>>>>
>>>>>>> Please do read (and understand) my entire email before responding - I understand your frustration trying to get your message across but maybe this will help.
>>>>>>>
>>>>>>> Please put aside professional pride for the time being - I know how it feels to be passionate about something yet have others simply not understand.
>>>>>>>
>>>>>>> Let me try and bring some sanity to the discussion and explain to you why people may not be agreeing with you.
>>>>>>>
>>>>>>> You (rightly so) highlighted what you believe to be an issue in YouTube whereby it appears (to you) that you can upload an arbitrary file. If you can indeed do this as you suspect then your points are valid and you "may" be able to cause various issues associated with it such as DOS etc - especially if the uploaded files cannot or are not tracked.
>>>>>>>
>>>>>>> However...
>>>>>>>
>>>>>>> Consider that you are talking to an API and what you are getting back (the JSON response) in your example is simply a response from the API to say the file you uploaded has been received and saved.
>>>>>>>
>>>>>>> Now, as you no doubt know, when you upload a regular movie to YouTube, once uploaded it goes away and does some post-processing, converting it to flash for example. What's to say that there isn't some verification aspect to this post-processing that checks if the file is in fact a valid movie and if not removes it.
>>>>>>>
>>>>>>> If you could for example demonstrate that the file was indeed persistent, by being able to retrieve it for example then again, you would have solid ground to claim an issue however your claims at this point are based on an assumption.... Let me explain.
>>>>>>>
>>>>>>> 1. You have demonstrated that you can send "any" file to an API and the API returned an acknowledgment of receiving (and saving) the file.
>>>>>>>
>>>>>>> 2. You / we don't know what Google do with files once they have been received from the API - maybe they process them and validate them - we simply don't know.
>>>>>>>
>>>>>>> 3. You have hypothesized that you can retrieve the file by manipulating tokens etc and you may be right, but you have not demonstrated it as such.
>>>>>>>
>>>>>>> Because of this, you seem to have made a CLAIM that you can upload arbitrary files to Google however SHOWN that you can simply send files to an API and an API responds in a certain way.
>>>>>>>
>>>>>>> I am NOT saying you haven't found an issue, what I am saying is that you need to demonstrate that the issue is real and thus can be abused. If the Google service simply verifies all uploaded files once they are uploaded and discards them if invalid, then you haven't really found anything.
>>>>>>>
>>>>>>> If you were to prove that you were able to retrieve this uploaded file then how could anyone dispute your bug.
>>>>>>>
>>>>>>> Hope this helps....
>>>>>>>
>>>>>>> Cheers!
>>>>
>>>> _______________________________________________
>>>> Full-Disclosure - We believe in it.
>>>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>>>> Hosted and sponsored by Secunia - http://secunia.com/

-- 
“There's a reason we separate military and the police: one fights the enemy of the state, the other serves and protects the people. When the military becomes both, then the enemies of the state tend to become the people.”

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
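The open question in the thread is whether an upload pipeline validates what it has acknowledged: the API replies "COMPLETED" for a 113-byte text/x-sh payload, and Chris's point is that a post-processing step could still inspect and discard it. The following is an added example of that defensive check, written for this page; it is not code from the thread, from YouTube or from Google. It assumes a small allow-list of video containers (ALLOWED_TYPES), identifies a container by its leading bytes (the ISO BMFF "ftyp" box for MP4, the EBML magic for WebM), and cross-checks the declared content_type and byte count from a completion response shaped like the one quoted above. The response builder, upload ids and sample payloads are constructed placeholders.

```python
import json
from typing import Optional

# Assumed allow-list of containers this example accepts; not any real service's policy.
ALLOWED_TYPES = {"video/mp4", "video/webm"}

# Constructed sample payloads (not real uploads): an MP4 header, a WebM
# header, and the kind of shell script discussed in the thread (text/x-sh).
MP4_PAYLOAD = b"\x00\x00\x00\x18ftypisom\x00\x00\x02\x00isomiso2mp41" + b"\x00" * 16
WEBM_PAYLOAD = b"\x1a\x45\xdf\xa3\x9f\x42\x86\x81\x01" + b"\x00" * 16
SHELL_PAYLOAD = b"#!/bin/sh\necho 'not a video'\n"


def make_completion(content_type: str, size: int, video_id: str = "EXAMPLEID00") -> str:
    """Build a completion response in the shape quoted in the thread.
    Constructed for this example: the ids and upload_id are placeholders."""
    doc = {
        "sessionStatus": {
            "state": "FINALIZED",
            "externalFieldTransfers": [{
                "name": "file", "status": "COMPLETED",
                "bytesTransferred": size, "bytesTotal": size,
                "content_type": content_type,
            }],
            "additionalInfo": {"uploader_service.GoogleRupioAdditionalInfo": {
                "completionInfo": {"status": "SUCCESS",
                                   "customerSpecificInfo": {"status": "ok",
                                                            "video_id": video_id}}}},
            "upload_id": "UPLOAD_ID_PLACEHOLDER",
        }
    }
    return json.dumps(doc)


def sniff_container(data: bytes) -> Optional[str]:
    """Identify the container from its leading bytes; None if not a known video."""
    if len(data) >= 8 and data[4:8] == b"ftyp":      # ISO BMFF box signature (MP4/MOV)
        return "video/mp4"
    if data[:4] == b"\x1a\x45\xdf\xa3":               # EBML magic (Matroska/WebM)
        return "video/webm"
    return None


def validate_upload(completion_json: str, data: bytes) -> dict:
    """Post-acknowledgement check: keep the file only if the declared type is
    allowed, the bytes really look like that container, and the byte count
    matches what the transfer reported. Everything else is marked for discard."""
    info = json.loads(completion_json)
    session = info["sessionStatus"]
    transfer = session["externalFieldTransfers"][0]
    declared = transfer.get("content_type", "")
    video_id = (session["additionalInfo"]["uploader_service.GoogleRupioAdditionalInfo"]
                ["completionInfo"]["customerSpecificInfo"]["video_id"])
    sniffed = sniff_container(data)

    reasons = []
    if declared not in ALLOWED_TYPES:
        reasons.append(f"declared content_type {declared!r} is not an allowed video type")
    if sniffed is None:
        reasons.append("payload does not begin with a known video container signature")
    elif declared in ALLOWED_TYPES and sniffed != declared:
        reasons.append(f"declared {declared!r} but bytes look like {sniffed!r}")
    if transfer.get("bytesTotal") != len(data):
        reasons.append(f"bytesTotal {transfer.get('bytesTotal')} != received {len(data)}")

    return {
        "video_id": video_id,
        "declared": declared,
        "sniffed": sniffed,
        "action": "keep" if not reasons else "discard",
        "reasons": reasons,
    }


if __name__ == "__main__":
    # Run the validator over the constructed samples, including a mislabelled one.
    for ctype, payload in [("text/x-sh", SHELL_PAYLOAD),
                           ("video/mp4", MP4_PAYLOAD),
                           ("video/mp4", SHELL_PAYLOAD),
                           ("video/webm", WEBM_PAYLOAD)]:
        verdict = validate_upload(make_completion(ctype, len(payload)), payload)
        print(f"{verdict['video_id']}: declared={ctype} sniffed={verdict['sniffed']} "
              f"-> {verdict['action']} {verdict['reasons']}")
```

The declared type is checked separately from the sniffed bytes on purpose: a client can label a script as video/mp4, so the allow-list alone proves nothing, and the container signature alone does not catch a declared/actual mismatch that a later transcoder might handle differently. Both checks together are what turn "the API acknowledged the file" into "the file is a video we intend to keep".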